Linux Backdoors
After compromising a target machine, the adversary attempts to establish persistent access. This page lists some methods of backdoors in Linux for persistence.
Last updated
After compromising a target machine, the adversary attempts to establish persistent access. This page lists some methods of backdoors in Linux for persistence.
Last updated
Add this line to /root/.bashrc or /home/<user>/.bashrc to gain access to target machine by reverse shell when the victim user logged in.
Of course we need to always open netcat listener to be able to fetch incoming connection from the target.
Add this line to the cron file like /etc/crontab in the target machine.
Create the “shell” file in local machine.
Replace <local-ip> with your ip address.
Now start local web server in local machine. Note that your current working direcotry need to be where the “shell” is located.
Once the cron job downloads the “shell” file, run “bash” command to execute the “shell”. We should gain access to the target shell.
The pam_unix.so module is likely located in /usr/lib/security or /usr/lib/x86_64-linux-gnu/security directory. It automatically detects and uses shadow passwords to authenticate users.
See this line in the pam_unix.so.
Modify this line to as below.
Whenever you login to the target system using the password “hackyou123”, you can successfully login.
Create a php file (e.g. shell.php) into /var/www/html.
Leave the php file in /var/www/html.
After that, start a listener for receiving the outcomming connection.
Now access to the web page as below.
Replace <local-ip> with your ip address.
We should get a shell.
We can establish a backdoor to allow us to be able to connect the target SSH server anytime by leaving our public key in the target machine.
First off, run the following command to generate SSH key.
It will generate two keys, private key (id_rsa) and public key (id_rsa.pub).
If there is no .ssh directory in target, we need to create it.
Then put our public key (id_rsa.pub) into /root/.ssh or /home/<user>/.ssh in the target machine.
scp command can be used for transfering it. Replace <target-user> and <target-iip> depending on your target.
Also we need to add the content of our id_rsa.pub to the target authorized_keys file.
In target machine, we need to set the right permissions of the file/directory. Otherwise we cannot connect SSH. Replace <target-user> with your target.
After that, we can connect to the target SSH when we want to connect it as long as the public key in .ssh directory is not removed. Before connecting, we need to modify the permission of our private key in local.
Now we can connect to SSH of the target.
We can use systemd as a backdoor because an arbitrary command will be executed when a service start.
The command is stored in [Services] section in the configuration file.
Create /etc/systemd/system/backdoor.service in target machine.
This service will execute reverse shell when starting.
Replace <local-ip> with your ip address.
Then enable the service.
Now this service will start when the target system boots.
We need to leave the netcat listener running in local machine.
Then we'll get a shell anytime the service starts.
