Discussion:
Need to backdoor my own machine...
Tracy Reed
2017-01-28 05:40:31 UTC
Permalink
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.

I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.

I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an "intruder"
to hunt.

Anyone have any clever ways to do this? Nothing too elaborate.

The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.

I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.

1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.

2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.

3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.

Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.

Any other ideas that would allow me to get in using a non-obvious
method?

I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.

Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.

And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
Tracy Reed
Nandor Szots
2017-01-28 05:57:22 UTC
Permalink
Are you going to do the reverse? Have them use various tools to exploit a
server you setup with various vulnerabilities? Perhaps using a backtrack
ISO they can boot to?
Post by Tracy Reed
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.
I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.
I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an "intruder"
to hunt.
Anyone have any clever ways to do this? Nothing too elaborate.
The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.
I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.
1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.
2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.
3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.
Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.
Any other ideas that would allow me to get in using a non-obvious
method?
I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.
Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.
And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
Tracy Reed
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Tracy Reed
2017-01-28 17:22:36 UTC
Permalink
Post by Nandor Szots
Are you going to do the reverse? Have them use various tools to exploit a
server you setup with various vulnerabilities? Perhaps using a backtrack
ISO they can boot to?
No. Penetration testing and offensive techniques are not in the
curriculum. There is no time.
--
Tracy Reed, RHCE Digital signature attached for your protection.
Copilotco PCI/HIPAA/SOX Compliant Secure Managed Hosting
866-MY-COPILOT x101 http://copilotco.com
Frank Wong
2017-01-29 03:27:07 UTC
Permalink
How about creating a bash alias of a common command like "ls" and point it
to a script that randomly executes commands like creating files in the root
or sending echo messages to the terminal?
Post by Tracy Reed
Post by Nandor Szots
Are you going to do the reverse? Have them use various tools to exploit a
server you setup with various vulnerabilities? Perhaps using a backtrack
ISO they can boot to?
No. Penetration testing and offensive techniques are not in the
curriculum. There is no time.
--
Tracy Reed, RHCE Digital signature attached for your protection.
Copilotco PCI/HIPAA/SOX Compliant Secure Managed Hosting
866-MY-COPILOT x101 http://copilotco.com
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Frank Wong
2017-01-29 03:28:29 UTC
Permalink
but of course the alias has to return the results of ls... other wise it
would be too obvious
Post by Frank Wong
How about creating a bash alias of a common command like "ls" and point it
to a script that randomly executes commands like creating files in the root
or sending echo messages to the terminal?
Post by Nandor Szots
Are you going to do the reverse? Have them use various tools to exploit a
server you setup with various vulnerabilities? Perhaps using a backtrack
ISO they can boot to?
No. Penetration testing and offensive techniques are not in the
curriculum. There is no time.
--
Tracy Reed, RHCE Digital signature attached for your protection.
Copilotco PCI/HIPAA/SOX Compliant Secure Managed Hosting
866-MY-COPILOT x101 http://copilotco.com
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Urivan Flores-Saaib
2017-01-28 09:17:57 UTC
Permalink
Hi Tracy,

What about a small bade64 encoded script that is executed by way of a
modified 'at' script that then calls an SRV record from DNS to download
a script which is then executed locally?. You activate the SRV record
only when you want the script to take action. You can update the script
remotely at your own peace.

Regards,

---
-Urivan
Post by Tracy Reed
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.
I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.
I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an
"intruder"
to hunt.
Anyone have any clever ways to do this? Nothing too elaborate.
The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.
I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.
1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.
2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.
3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.
Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.
Any other ideas that would allow me to get in using a non-obvious
method?
I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.
Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.
And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Brad Beyenhof
2017-01-28 14:28:19 UTC
Permalink
Maybe a compromised sshd that has a hard-coded password to get in as root? I saw that once in a security exercise; if the students figure it out and install the regular openssh-server RPM, they deserve to be left alone. Or maybe a hacked PAM?
--
Brad Beyenhof . . . . . . . . . . . . . . . . http://augmentedfourth.com
Every man takes the limits of his own field of vision for the limits
of the world.
~ Arthur Schopenhauer, German philosopher (1788-1860)
Post by Tracy Reed
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.
I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.
I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an "intruder"
to hunt.
Anyone have any clever ways to do this? Nothing too elaborate.
The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.
I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.
1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.
2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.
3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.
Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.
Any other ideas that would allow me to get in using a non-obvious
method?
I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.
Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.
And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
Tracy Reed
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Kevin Keane Subscription
2017-01-29 06:16:51 UTC
Permalink
You could create a user account with a non-standard home directory and disguise it as a service account. Then add your SSH public key to that account.

For instance:

First, make sure you already have a user with the UID of 1000 or higher. If you don't, your backdoor may be much easier to spot.

Change UID_MIN to 250 in /etc/logins.defs and set SYS_UID_MAX to 249. Do the same with GID_MIN and SYS_GID_MAX.

groupadd -g 259 postfix-mailer
useradd -d /var/lib/postfix -u 259 -g 259 -M -s /bin/bash postfix-mailer

The new account should have a UID and GID of 259, so it will look to a casual observer like a system account, but it actually is an ordinary user account. The legitimate postfix account is "postfix" and uses the home directory /var/spool/postfix.

Then add your .ssh/authorized_keys to /var/lib/postfix directory, adjust the permissions and ownership etc.

You could also set the shell to /sbin/nologin to make it look even more authentic, but I'm not sure if there is a way to override that from the SSH client.

BTW, your students can easily defeat this, or any SSH-based backdoor, with an AllowUsers entry in /etc/ssh/sshd_config.

Kevin Keane
Whom the IT Pros Call
The NetTech
760-721-8339
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
Sent: Friday, January 27, 2017 9:41 PM
Subject: Need to backdoor my own machine...
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.
I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.
I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an "intruder"
to hunt.
Anyone have any clever ways to do this? Nothing too elaborate.
The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.
I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.
1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.
2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.
3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.
Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.
Any other ideas that would allow me to get in using a non-obvious
method?
I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.
Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.
And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
Tracy Reed
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Andrew P. Lentvorski
2017-02-02 21:17:25 UTC
Permalink
How about just simply running a telnetd or an rlogind (or both)?

Those are now old enough and obscure enough that I doubt they would find it.

And, it's a good lesson since those daemons really need to be turned off
anyhow.

-a
Post by Tracy Reed
So I'm teaching this security class at UCSD. It just started this past
Tuesday and so far so good. They have had their first lecture and are
about to receive their first homework and quiz.
I am setting them up with virtual machines running CentOS 7. They will
be configuring and hardening these machines using what they learn in
class. I also want to get them some experience with log analysis and
intrusion detection.
I'm thinking I might want to backdoor their machines when I deploy them
so that throughout the course I can occasionally give them an "intruder"
to hunt.
Anyone have any clever ways to do this? Nothing too elaborate.
The machines will be installed via kickstart so I can drop whatever I
want into them all at that point. They will have ssh, http, and https
available publicly pointed at them through a firewall.
I'm thinking I might ship the boxes with a few different issues, like
they inherited the box from a previous admin who had already let it be
compromised.
1. I could give them a preinstalled user with a weak password (which I
know) so I can just ssh in. But one of their early tasks will be to
setup ssh with pubkey only auth. So if they accomplish the ssh config
task properly that won't work.
2. I could setup a vulnerable cgi somewhere so that when they bring
apache online and configure it I can exploit some command injection.
Dropping some extra config in /etc/httpd/conf.modules.d/00-base.conf
should be pretty simple.
3. I could have the box open an ssh out to my "command and control"
server. That might be the easiest and most flexible way. And systemd is
convoluted enough that it should make it difficult to find until I give
them a clue. But I don't have experience actually setting up such
reverse tunnels so I'll have to do some thinking on how to do this
reliably to always have a connection open.
Once in I want to leave a suspicious looking process running, modify a
file and see if they can detect it with FIM, make a bunch of noise in
the logs and see if they can detect it etc. The idea is to make the
course very hands on. It's easy enough to test if they can properly
harden the box as specified. More difficult to see if they can have
enough basic awareness and understanding to spot simple suspicious
activity.
Any other ideas that would allow me to get in using a non-obvious
method?
I think their final task will be to shutdown my non-obvious method of
access, probably with a hint given as this might be unnecessarily
tricky, and lock the intruder out of the system.
Have to be careful with this as it has to be doable and fair to
everyone. The idea isn't to trick anyone or be too sneaky. The goal is
for the student to learn something and be graded in a fair way.
And if any of my students are researching me on google or on this list
and get a leg up from this discussion, great! Intelligence
gathering/Open Source Intelligence (OSINT) is very important and you
just earned your points!
--
KPLUG-***@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
Loading...