## Adam Boileau

##### Trust Transience: Post Intrusion SSH Hijacking

Trust Transience: Post Intrusion SSH Hijacking explores the issues of transient trust relationships between hosts, and how to exploit them. Applying techniques from anti-forensics, linux VXers, and some good-ole-fashioned blackhat creativity, a concrete example is presented in the form of a post-intrusion transparent SSH connection hijacker. The presentation covers the theory, a real world demonstration, the implementation of the SSH Hijacker with special reference to defeating forensic analysis, and everything you'll need to go home and hijack yourself some action.

_Adam Boileau is a deathmetal listening linux hippy from New Zealand. When not furiously playing air-guitar, he works for linux integrator and managed security vendor Asterisk in Auckland, New Zealand. Previous work has placed him in ISP security, network engineering, linux systems programming, corporate whore security consultancy and a brief stint at the helm of a mighty installation of solaris tar. Amongst his preoccupations at the moment are the New Zealand Supercomputer Centre, wardriving-gps-visualization software that works in the southern hemisphere, and spreading debian and python bigotry._
_Oh, and Adam's band 'Orafist' needs a drummer - must have own kit and transport to New Zealand._

-----

**_digital self defense_**

-----

```
haxor:~$ nc -l -p 1337
admin@box:~$ id
uid=1004(admin) gid=1004(admin) groups=1004(admin)
admin@box:~$ ps auxw | grep -q pine || echo shit
shit
admin@box:~$ ls core
core
admin@box:~$ uname -nsr
Linux box 2.6.11
```

-----

```
admin@box:~$ w
USER     TTY      FROM          LOGIN@   IDLE   JCPU   PCPU WHAT
admin    pts/1    :0            09:28   10.3m   3.1s  0.2s bash
admin    pts/2    :0            09:31    1.0s   1.4s  0.9s bash
admin    pts/3    haxor.com     14:03    0.0s   0.3s  0.3s w
admin@box:~$ ps x
 3132 ?        S      0:23 xfwm4 --daemon --sm-client-id 34235
 3590 ?        S+     0:05 xterm -rv
 3593 pts/1    Ss+    0:02 bash
 3597 pts/1    S+     0:12 ssh root@ns1.target.com
 9034 ?        S+     0:03 xterm -rv
 9036 pts/2    Ss+    0:02 bash
 9154 pts/3    R+     0:00 ps x
```

-----

### +++ATH0

- Things have gone pear-shaped
- Haven't got root, are about to get busted
- Time to drop carrier and run?
- But that SSH session, oh so close.
- If only there was a way to get to the other end of that SSH...

-----

```
haxor:~$ nc -l -p 1338
root@ns1:~# echo pwned!
pwned!
```

-----

Feasibility: 7

Feasibility: 5

Feasibility: 2

Feasibility: 7

-----

### Technique Comparison

- Transient trusts: almost as much fun as the real thing

(Gentlemen, as this graph clearly shows, my m4d t3kneeq is teh b3zt!)
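As an added example, not from the talk: the defender's side of the demo above. It parses `w` and `ps x` output (the demo's own rows, embedded here as constructed strings, with a `w` header row) and flags the condition the hijack needs: an interactive `ssh` client whose owning user also has a login from a remote host, so anything running under that uid sits beside the client and the trust it carries. The rule that `:0`-style origins are local, and the header handling, are assumptions.

```python
# Constructed from the demo's `w` and `ps x` output (header row added for `w`).
W_OUTPUT = """\
USER     TTY      FROM          LOGIN@   IDLE   JCPU   PCPU WHAT
admin    pts/1    :0            09:28   10.3m   3.1s  0.2s bash
admin    pts/2    :0            09:31    1.0s   1.4s  0.9s bash
admin    pts/3    haxor.com     14:03    0.0s   0.3s  0.3s w
"""
PS_X_OUTPUT = """\
 3132 ?        S      0:23 xfwm4 --daemon --sm-client-id 34235
 3593 pts/1    Ss+    0:02 bash
 3597 pts/1    S+     0:12 ssh root@ns1.target.com
 9036 pts/2    Ss+    0:02 bash
 9154 pts/3    R+     0:00 ps x
"""

def parse_w(text):
    """Map tty -> (user, origin); the uptime and header lines are skipped."""
    sessions = {}
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) >= 3 and cols[1].startswith(("pts/", "tty")):
            sessions[cols[1]] = (cols[0], cols[2])
    return sessions

def parse_ps_x(text):
    """Return (pid, tty, command) per `ps x` row; a header row is ignored."""
    rows = []
    for cols in (line.split(None, 4) for line in text.splitlines()):
        if len(cols) == 5 and cols[0].isdigit():
            rows.append((int(cols[0]), cols[1], cols[4]))
    return rows

def is_remote(origin):
    # Assumption: X displays (":0") and "-" are local; anything else is remote.
    return not (origin.startswith(":") or origin == "-")

def find_exposed_ssh_sessions(w_text, ps_text):
    """An ssh client whose owner also has a remote login is an exposure."""
    sessions, findings = parse_w(w_text), []
    for pid, tty, cmd in parse_ps_x(ps_text):
        args = cmd.split()
        if not args or args[0] != "ssh" or tty not in sessions:
            continue
        user = sessions[tty][0]
        target = next((a for a in args[1:] if "@" in a), args[-1])
        remote = sorted(f"{t} from {o}" for t, (u, o) in sessions.items()
                        if u == user and t != tty and is_remote(o))
        if remote:
            findings.append({"pid": pid, "user": user, "target": target,
                             "tty": tty, "remote_logins": remote})
    return findings
```

On the demo's data this reports the `ssh root@ns1.target.com` client on pts/1 as reachable from admin's pts/3 login originating at haxor.com.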
[Chart: technique comparison; series labelled "feasibility", "stealthy when", "ease"; y-axis 0 to 32.5 in steps of 2.5]