Friday, June 26, 2009

Keeping ssh connections running

This week has been pretty exciting: we've had a large number of players in Round 1 of SANS's Netwars competition. The game is half Capture-the-Flag and half King-of-the-Hill shoot 'em up!

One of the defensive techniques a player has been using during the game manipulates the other players' terminals and eventually causes them to drop their connections. There are a few different techniques that will help work around that particular defense.

First, an infinite while loop will keep you in a shell (this will work until he starts killing based on the "while"):

ssh "while(true);do sh; done"

Or, you could make your own shell, either by uploading one from a compatible box of your own or by copying the local one (he still needs to run commands, so there should be a shell somewhere):

ssh "cp /bin/sh ~/.blah;~/.blah"

You don't get prompts for those shells and some commands will expect "terminal" screens, but you can still interact quite a bit more than with single ssh commands. One could step it up a bit as well and use something like this in the ssh command to make the name of the shell random:

export NEWSH="`head /dev/random|wc -c `";cp /bin/sh ./".${NEWSH}";"./.${NEWSH}"

But don't forget you probably need to escape all the backticks and double quotes.
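
Seen from the defending player's side, the copied shells above defeat any rule that kills by process name, so the check has to look at the binary's content instead. The following is an added example, not code from the original post: it compares each process's executable against a reference shell and reports byte-for-byte copies running from another path. The function name, its arguments and the constructed demo tree are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): flag processes whose executable
# is a byte-for-byte copy of a known shell running from another path, such as
# ~/.blah or ./.12345. Matching on content catches copies that a kill-by-name
# rule misses.
#   $1    proc root (normally /proc)
#   $2... reference shells, e.g. /bin/sh /bin/bash
find_renamed_shells() {
    proc_root=$1
    shift
    for exe in "$proc_root"/[0-9]*/exe; do
        # Unreadable: kernel thread, exited process, or not running as root.
        [ -r "$exe" ] || continue
        pid=${exe%/exe}
        pid=${pid##*/}
        path=$(readlink "$exe") || continue
        for ref in "$@"; do
            [ -r "$ref" ] || continue
            # The reference shell itself (possibly via a symlink) is expected.
            [ "$(readlink -f "$exe")" = "$(readlink -f "$ref")" ] && break
            if cmp -s "$exe" "$ref"; then
                printf '%s %s (copy of %s)\n' "$pid" "$path" "$ref"
                break
            fi
        done
    done
}

# Constructed demo: a fake proc tree holding one real shell (pid 101), one
# hidden copy (pid 102) and one unrelated program (pid 103), so the scan can
# be tried without touching the live /proc.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for /bin/sh\n' > "$d/sh"
    printf 'constructed unrelated program\n' > "$d/other"
    cp "$d/sh" "$d/.blah"
    mkdir -p "$d/proc/101" "$d/proc/102" "$d/proc/103"
    ln -s "$d/sh" "$d/proc/101/exe"
    ln -s "$d/.blah" "$d/proc/102/exe"
    ln -s "$d/other" "$d/proc/103/exe"
    find_renamed_shells "$d/proc" "$d/sh" | sed "s|$d|<tmp>|g"
    rm -rf "$d"
}
demo
```

On a live Linux box, run it as root with `find_renamed_shells /proc /bin/sh /bin/bash`; without root, other users' `exe` links are unreadable and are skipped.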

This has been a blast; I hope to post a lot more about Netwars soon.