On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> I wouldn't say it's a lot harder to take control of current connections -
> writing a ptrace-based tool that hijacked a running ssh client and
> injected a one-off implant payload via keystrokes doesn't seem like
> much work.

* Injection of key strokes into an existing channel may be detected
  just because "hey, I didn't type foobar" so why is it on my screen.
  A new shell on a different channel won't show so obviously.

* That's a lot harder than just getting a whole new shell without
  writing any tools; just use the existing ssh command line.
  Tool-less compromise is a higher risk vector 'cos it's harder for
  monitoring tools to detect.

--
rgds
Stephen
Stephen Harris <lists at spuddy.org> wrote on Tue, 21 Jan 2020, 02:39:
> On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> > I wouldn't say it's a lot harder to take control of current connections -
> > writing a ptrace-based tool that hijacked a running ssh client and
> > injected a one-off implant payload via keystrokes doesn't seem like
> > much work.
>
> * Injection of key strokes into an existing channel may be detected
>   just because "hey, I didn't type foobar" so why is it on my screen.
>   A new shell on a different channel won't show so obviously.
>

`~.` is a nice keystroke sequence to inject because it disconnects the
session and you will likely not even see the input on screen. An
unsuspecting victim would assume a network glitch and reconnect, yielding
a new (and controllable by the attacker) session.

Best,
Harald

PS this is veering off-topic, but a simple `Ctrl-C Ctrl-D` might be even
less suspicious. Combine this with `Ctrl-S` and `Ctrl-Q` and unless you
have full input stream logging you will have a lot of opportunities of
messing with existing connections unnoticed.
On Tue, 21 Jan 2020, Harald Wagener wrote:
> Stephen Harris <lists at spuddy.org> wrote on Tue, 21 Jan 2020, 02:39:
>
> > On Tue, Jan 21, 2020 at 12:18:52PM +1100, Damien Miller wrote:
> > > I wouldn't say it's a lot harder to take control of current connections -
> > > writing a ptrace-based tool that hijacked a running ssh client and
> > > injected a one-off implant payload via keystrokes doesn't seem like
> > > much work.
> >
> > * Injection of key strokes into an existing channel may be detected
> >   just because "hey, I didn't type foobar" so why is it on my screen.
> >   A new shell on a different channel won't show so obviously.
> >
>
> `~.` is a nice keystroke sequence to inject because it disconnects the
> session and you will likely not even see the input on screen.

Remember that the attacker is in control of the ssh process - they can
simply discard returned output from the far end after they perform the
injection.

-d
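Harald's point about "full input stream logging" is the detection angle in this thread: the injected bytes never have to appear on the victim's screen, but they do have to pass through the client's input stream. The following is an added example, not code from any of the posters or from OpenSSH, of the check a defender who does record that stream could run over it. It assumes a hypothetical keystroke recorder that captures the raw bytes fed to the ssh client; `SAMPLE_INPUT` is constructed for illustration. It mirrors one OpenSSH client rule: the escape character (`~` by default) is only honoured when it begins a line, so a `~` in the middle of a command is ignored, just as ssh ignores it.

```python
"""Flag ssh escape sequences and the control characters named in the
thread (Ctrl-C, Ctrl-D, Ctrl-S, Ctrl-Q) in a recorded keystroke stream.

Added example for this thread, not code from the original posts. It assumes
a hypothetical input-stream logger that captured the raw bytes sent to the
ssh client; SAMPLE_INPUT below is constructed for illustration.
"""

ESCAPE_CHAR = ord("~")  # OpenSSH default EscapeChar

# Escape commands the OpenSSH client acts on when '~' begins a line.
ESCAPE_COMMANDS = {
    ord("."): "disconnect (~.)",
    0x1A: "suspend client (~^Z)",
    ord("#"): "list forwarded connections (~#)",
    ord("C"): "open command line (~C)",
    ord("&"): "background ssh (~&)",
    ord("?"): "help (~?)",
}

# Control characters from the thread that alter a session without leaving
# anything visible on the remote side.
CONTROL_CHARS = {
    0x03: "Ctrl-C (SIGINT to foreground job)",
    0x04: "Ctrl-D (EOF, usually ends the shell)",
    0x13: "Ctrl-S (XOFF, pauses terminal output)",
    0x11: "Ctrl-Q (XON, resumes terminal output)",
}


def find_suspicious(stream: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, description) for each notable byte in `stream`.

    The ssh client honours the escape character only as the first byte of a
    line (after CR or LF, or at the very start of input), so '~' elsewhere
    is deliberately not reported.
    """
    findings = []
    at_line_start = True
    i = 0
    while i < len(stream):
        b = stream[i]
        if b == ESCAPE_CHAR and at_line_start and i + 1 < len(stream):
            nxt = stream[i + 1]
            if nxt in ESCAPE_COMMANDS:
                findings.append((i, "ssh escape " + ESCAPE_COMMANDS[nxt]))
                i += 2
                at_line_start = False
                continue
        if b in CONTROL_CHARS:
            findings.append((i, CONTROL_CHARS[b]))
        at_line_start = b in (0x0A, 0x0D)
        i += 1
    return findings


def is_clean(stream: bytes) -> bool:
    """True when the stream contains none of the sequences above."""
    return not find_suspicious(stream)


# Constructed sample: an ordinary command, then the sequences from the thread.
SAMPLE_INPUT = (
    b"ls -la\n"           # ordinary command, nothing to report
    b"~.cat file\n"       # '~.' at line start: client disconnects
    b"\x13echo hi\x11\n"  # XOFF ... XON: output paused, then resumed
    b"\x03\x04"           # Ctrl-C then Ctrl-D: kill job, end the shell
)

if __name__ == "__main__":
    for offset, what in find_suspicious(SAMPLE_INPUT):
        print(f"offset {offset:4d}: {what}")
```

A client-side `EscapeChar none` in `ssh_config` (a real OpenSSH option) removes the `~.` vector entirely, since the client then never interprets an escape; it does nothing for Ctrl-C and Ctrl-D, which are interpreted by the remote tty, so those still only show up in an input recording, or as an unexplained job kill or shell exit in the remote audit trail.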