RubberGlue In Action

Benjamin Donnelly //

I wanted to write a very brief blog post to demonstrate the viability of RubberGlue against an unsophisticated adversary. I was granted the perfect opportunity when I noticed that one of our hosts was being attacked non-stop by a single IP address. This attack had been targeting us quite consistently. The attack technique appeared to be a simple ssh brute force attempt.

So, I logged in, and set the trap.

Now, before we begin, let’s quickly recap what exactly RubberGlue is. RubberGlue is a small tool I threw together not all that long ago. It listens on a port on your machine and redirects any traffic to that port back to the origin IP on the same port. This is great for situations like this, because it means that anything the attacker does to us, he actually does to himself.
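The reflect-back behaviour recapped above can be sketched in a few lines of Python. This is an added illustration, not RubberGlue's own code; the function names and the trial port 2222 are assumptions.

```python
import contextlib
import socket
import threading


def pipe(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def reflect(client, port, timeout=5.0):
    """Relay one accepted connection back to its own source IP on `port`."""
    peer_ip = client.getpeername()[0]
    try:
        upstream = socket.create_connection((peer_ip, port), timeout=timeout)
    except OSError:
        client.close()  # the origin has nothing listening on that port
        return False
    upstream.settimeout(None)  # the timeout applied to the connect only
    back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    back.start()
    pipe(client, upstream)
    back.join()
    client.close()
    upstream.close()
    return True


def serve(bind_ip, port):
    """Accept on `port` and reflect every connection to its origin."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen()
        while True:
            client, _ = srv.accept()
            threading.Thread(target=reflect, args=(client, port), daemon=True).start()


if __name__ == "__main__":
    serve("0.0.0.0", 2222)  # assumed port for a trial run; the post uses 22
```

If the origin has nothing listening on the same port, the dial-back fails and the connection is simply dropped.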

So, to start I edited the default ssh port.

This does two things for me. First, it brings my ssh server out of reach of such an unsophisticated adversary. Second, it opens up port 22 for something else to listen on (RubberGlue, obviously).

Next we simply restart the ssh service, and confirm that everything has moved over successfully.

Next I went and grabbed a copy of RubberGlue from my repo on Bitbucket.

We then want to start the RubberGlue listener on the targeted port.

I then went ahead and attempted an ssh connection from a second server to the first.

As you may have surmised, this connection was routed back to the second server.

To confirm this, I ran the w command.  This did confirm that my ssh was being redirected back.

As you can see, I now had two logins on the second_server.

Now all there was to do was sit back and wait.

That didn’t take long…