
Topic: Paramiko SSH backdoor (Read 2207 times)

bxlcity

  • Guest
Paramiko SSH backdoor
« on: April 13, 2015, 01:40:14 AM »
Custom SSH backdoor, coded in Python using Paramiko.



Download: On github.com
« Last Edit: April 14, 2015, 11:10:08 AM by Gingerbread Man »

Offline GalaxyNinja

  • Global Moderator
  • Elite
  • Posts: 1732
  • Internets: +96/-0
  • My password is **********
Re: Paramiko SSH backdoor
« Reply #1 on: April 13, 2015, 05:52:53 AM »
Hello bxlcity,

Thank you for posting a new SSH backdoor. Did you code this yourself?
If not, we need you to please give credit to the person who coded it.

Folks, please remember to run stuff like this in a VM and be responsible.
A computer is only as strong as its user! -R4v3n

Offline 0E 800

  • If something can corrupt you, you're corrupted already.
  • Top Hat Member
  • Elite
  • Posts: 961
  • Internets: +154/-0
Re: Paramiko SSH backdoor
« Reply #2 on: April 13, 2015, 10:25:32 AM »
https://github.com/joridos/custom-ssh-backdoor

OP's link has a typo.

Thank you for sharing, bxlcity.
"He who passes not his days in the realm of dreams is the slave of the days."

ch3rn0byl

  • Guest
Re: Paramiko SSH backdoor
« Reply #3 on: April 13, 2015, 10:36:20 AM »
Why do I have a connection going to 4444??

Offline w33nd0x

  • Top Hat Member
  • Experienced
  • Posts: 113
  • Internets: +19/-0
Re: Paramiko SSH backdoor
« Reply #4 on: April 13, 2015, 11:10:07 AM »
Don't mean to be rude/mean but the stuff this guy posts smells incredibly dodgy to me.

Offline 0E 800

Re: Paramiko SSH backdoor
« Reply #5 on: April 13, 2015, 12:54:22 PM »
Sure, sure. This being a white-hat inspired forum, why would any white-hat want to be crypting things like payloads and other malware?

It's kinda like a new hole in the ground big enough to fit your arm into... down into the darkness where anything could possibly bite a finger off... but who knows what knowledge you might bring up.

A boy scout never plays with fire.
Not all of us are boy scouts.

BTW - I have not tested 'em out yet. Been meaning to. Think of it as sandbox practice.

Sm3gal

  • Guest
Re: Paramiko SSH backdoor
« Reply #6 on: April 13, 2015, 05:48:35 PM »
> Don't mean to be rude/mean but the stuff this guy posts smells incredibly dodgy to me.

I agree

Offline w33nd0x

Re: Paramiko SSH backdoor
« Reply #7 on: April 14, 2015, 12:40:28 AM »
> Sure, sure. This being a white-hat inspired forum, why would any white-hat want to be crypting things like payloads and other malware?
>
> It's kinda like a new hole in the ground big enough to fit your arm into... down into the darkness where anything could possibly bite a finger off... but who knows what knowledge you might bring up.
>
> A boy scout never plays with fire.
> Not all of us are boy scouts.
>
> BTW - I have not tested 'em out yet. Been meaning to. Think of it as sandbox practice.

Haha, what??? Not sure what that post means, but if it's a dig at me, I certainly don't have anything against blackhat-orientated stuff, quite the opposite in fact. I just thought this guy's posts seem a little off; they might be fine by all means, I just thought I'd air a little caution out there.

As you say, good sandbox, RE practice if nothing else :)

Offline 0E 800

Re: Paramiko SSH backdoor
« Reply #8 on: April 14, 2015, 09:27:46 AM »
Apologies if that came out wrong, it was just a blanket statement towards members that cry wolf at malware tools. Kind of makes the forum seem like a bunch of diaper wearing babies.

I would appreciate it if people would use the 'Report to Moderator' function instead of expressing their paranoid thoughts.

A new member comes to share his tools, and people up their post count by nay-saying his contribution. Just boggles the mind.

Online Gingerbread Man

  • *High Tech Low-life*
  • Administrator
  • Elite
  • Posts: 938
  • Internets: +93/-0
Re: Paramiko SSH backdoor
« Reply #9 on: April 14, 2015, 11:30:30 AM »
I hate to be the stick in the mud...

But the posting of "mysterious" tools with no explanation as to what they do, or any documentation on their use, is counterproductive IMO. There are PLENTY of places out there for folks who are looking to download and use tools for which they have no understanding of the inner workings. THS is not one of them (from my understanding). Skids work that way, not EMPLOYABLE pentesters. This has ALWAYS been the unspoken goal of THS... to help us all help each other become real infosec professionals. With salaries and pensions and job security. For those without the financial or geographic means... THS is meant to help bridge the gap...

If you want to cover some new crypter (or better yet, obfuscation methodology) that is fine... If you want to show us your new way of making Apache do your bidding, or the script that makes IIS freeze up every time, that's great... but take it apart, show us what you have done with it. Mindlessly posting script after script, or worse yet EXECUTABLE after executable, only increases the attack surface of the members here.

The endless race to post the most l33t warez has destroyed many would be "hacker" boards.

By encouraging this we are helping foster an environment that does virtually nothing to assist in the education of our members, and instead sets them up to be successively exploited by one another as their skill sets stratify and the more experienced pick the low-hanging fruit.

Offline 0E 800

Re: Paramiko SSH backdoor
« Reply #10 on: April 14, 2015, 11:55:33 AM »
I agree to disagree. I like fireworks. I like spice. I would rather test a cryptor on THS than from a torrent.

This particular post is not even a tool he created, he's just sharing a link.

Not all of us have the best forum etiquette, and it is something that over time becomes honed.

Not all of us have the same American bedside manner either.

We should give the benefit of the doubt. No one has even tested his contributions to be judging them.

Maybe if we were not so biased, the (would-be) member would have shared with us how he goes about doing it.

I am not a professional and I do not work for THS; this is just my opinion. It may be that I am mistaken and did not fully read THS's terms and conditions.

Online Gingerbread Man

Re: Paramiko SSH backdoor
« Reply #11 on: April 14, 2015, 01:11:27 PM »
The risks that are appropriate for an individual are not necessarily those that are appropriate for an organization. And in infosec there is no benefit of the doubt. There are old hackers and there are bold hackers... But living by the seat of your pants is a surefire way to become someone's bot. You have to remember, YOU may not be the target... your employer... your clients... your university... shit, even your network/bandwidth... just because YOU have nothing to lose does not mean you cannot be used as a means to an end...

The membership of THS is predominantly people fairly new to the scene. When they come here and see some tool that is put here for "testing" they will naturally be curious. Now I understand caveat emptor is the motto of the day... but there is an implicit trust put in THS/Galaxy/R4v3n/all of us when they come to this board. New folks do not have the experience to differentiate the shady tools from some industry-standard framework. If they are constantly walking through a minefield then there is little time for exploration...

I am not in any way suggesting we put on kid gloves and ban people from posting tools they have created or used... But posts like "Super Anon Fud Cripto v666 binder... Totally clean I promise" just lower the bar and put folks at risk... Even "blackhat" tools often can and do have a use on a legitimate pentest... no category should be off limits... DDOS, ransomware, crypters... bring it on... But understand what you are doing... Legitimate infosec professionals do not use tools and techniques they do not understand... and there is little educational benefit to using code and carrying out attacks that you have no idea how they work... There can be criminal gain... ego boost... but you will never land a job just popping boxes... nor will you ever get past that point... it takes a different approach... obvious skiddy point-and-hack tools are not in line with the aim and goals of THS.

I am suggesting, however, that if you cannot even explain what the tool is, how it works, where you got it, or who wrote it then we are better off without it. I think there are precious few of us here who have the knowledge to use DDOS tools/binders/RATs and the like yet ONLY frequent THS for their haxzor fix... We have places for the wild-wild-west, anything-goes attitude... I dare say this is not one of them.

Again... Nothing (attack-wise) off limits... The only stipulations are: have permission, and understand what you are doing.

This "lookie-lookie at what I got" quickly turns into infighting and exploitation... I have seen it happen again and again... Look at EVO for Christ's sake... Wannabe hackers and guys "transitioning" into a security role are some of the best targets... The former deeply under the subtle and enigmatic intoxication of the Dunning-Kruger effect... and the latter with just enough knowledge and curiosity to be dangerous... a decent-sized fish in his pond... but just a guppy out in the open waters...
« Last Edit: April 14, 2015, 01:14:05 PM by Gingerbread Man »

Offline 0E 800

Re: Paramiko SSH backdoor
« Reply #12 on: April 14, 2015, 01:39:01 PM »
Well put, Gingerbread Man. I agree wholeheartedly about keeping THS a trusted member community. I am speaking specifically towards our methods of communicating that to a new member who does not speak native English and could, with all sincere intentions, just be being himself, trying to fit in and show off his work.

If you scroll up you will see (in typical fashion) a post from ch3rn0byl: "Why do I have a connection going to 4444??"

To me, I think it's ch3rn0byl being funny, scaring off those who have no clue why a port would be open. If you look at the github account you see it's an SSH backdoor.

IMO this one comment by ch3rn is what made us all hijack this thread with our opinions.

I just wish that people would post 'content related to post' and less about their gut feelings.


Online Gingerbread Man

Re: Paramiko SSH backdoor
« Reply #13 on: April 14, 2015, 01:42:08 PM »
> ... I am speaking specifically towards our methods of communicating that to a new member who does not speak native English and could be with all sincere intentions just being himself, trying to fit in and show off his work...

I could not agree more brother. We need to address situations like this one for future reference...this will come up again.

Offline ZEROF

  • Top Hat Member
  • Experienced
  • Posts: 225
  • Internets: +45/-1
  • Pentester
Re: Paramiko SSH backdoor
« Reply #14 on: April 15, 2015, 12:18:32 AM »
It's very important to check the code before using it. Kind of reverse engineering :)

1. This is a backdoor (if we can call it a backdoor), not a brute-force tool
2. You need some coding skills to edit this script

What you need to replace:

https://github.com/joridos/custom-ssh-backdoor/blob/master/server.py

Replace path for key to match your system:

host_key = paramiko.RSAKey(filename='/home/joridos/custom-ssh-backdoor/test_rsa.key')

Replace the user name and password with the ones you will use:

if (username == 'joridos') and (password == 'olh234'):

Replace the RSA key in:

https://github.com/joridos/custom-ssh-backdoor/blob/master/test_rsa.key

with your key.

In both files, server.py and client.py, you need to edit the server IP as well to match real-life IPs.

This tool uses the same system as Ansible, a server administration tool, and it's nothing new. You first need an exploited SSH server; then you can use this to have open ports for login. The key is used for server login, and the user and password are there to protect your, lol, backdoor from being used by other people.

For me this is not a hacking tool, this is a sysadmin tool with a sexy usage/name. This tool doesn't have any sign of a backdoor; you can use it after editing the code on your side. If not, you will open a door for this dude and his login credentials :).
« Last Edit: April 15, 2015, 12:38:04 AM by ZEROF »
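ZEROF's advice above is to read the code before running it, because the shipped script authenticates with the author's own credentials and key file. As an added example (not the project's code), this AST-based scanner flags exactly the two kinds of lines he quotes: a credential-like variable compared against a string literal, and a Paramiko key constructor given a hard-coded path. SAMPLE_SOURCE is a constructed stand-in for server.py, and SECRET_NAMES is an assumed list of credential-like variable names.

```python
import ast

# Constructed sample (not the project's file): the two server.py lines ZEROF
# quotes above, wrapped in a small function so the snippet parses on its own.
SAMPLE_SOURCE = '''
import paramiko
host_key = paramiko.RSAKey(filename='/home/joridos/custom-ssh-backdoor/test_rsa.key')

def check_auth_password(username, password):
    if (username == 'joridos') and (password == 'olh234'):
        return paramiko.AUTH_SUCCESSFUL
    return paramiko.AUTH_FAILED
'''

# Assumed list of variable names whose comparison against a string literal is suspicious.
SECRET_NAMES = {"username", "user", "password", "passwd", "secret", "token"}

def find_hardcoded_credentials(source):
    """Return findings (dicts with line/kind/name/value), sorted by line.

    Flags `password == 'literal'` style comparisons and Paramiko key
    constructors (RSAKey, DSSKey, ECDSAKey, Ed25519Key) given a literal path.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Compare):
            operands = [node.left, *node.comparators]
            names = [o.id for o in operands
                     if isinstance(o, ast.Name) and o.id.lower() in SECRET_NAMES]
            literals = [o.value for o in operands
                        if isinstance(o, ast.Constant) and isinstance(o.value, str)]
            if names and literals:
                findings.append({"line": node.lineno, "kind": "hardcoded-credential",
                                 "name": names[0], "value": literals[0]})
        elif isinstance(node, ast.Call):
            # Handles both paramiko.RSAKey(...) and bare RSAKey(...) after a from-import.
            func = node.func
            callee = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if callee.endswith("Key"):
                for kw in node.keywords:
                    if kw.arg == "filename" and isinstance(kw.value, ast.Constant):
                        findings.append({"line": node.lineno, "kind": "hardcoded-key-path",
                                         "name": callee, "value": kw.value.value})
    return sorted(findings, key=lambda f: (f["line"], f["name"]))

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['name']} = {f['value']!r}")
```

A key path or password that comes from a variable, environment lookup or config file is deliberately not flagged, so the scanner reports only the literals that would need replacing before the script is usable on your own system.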