Proof of Concept: PuttyHijack - Hijack SSH/PuTTY Sessions

PuttyHijack is a PoC tool that injects a DLL into the PuTTY process to hijack an existing, or soon-to-be-created, connection. This can be useful during penetration tests when a compromised Windows box is used to SSH/Telnet into other servers.

The injected DLL installs hooks and creates a socket in the guest operating system for a callback connection that is then used for input/output redirection.

PuttyHijack does not kill the current connection, and will cleanly uninject if the socket or process is stopped, leaving no trace for further analysis.
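As an added defender-side check (not part of PuttyHijack or this article), the following PowerShell enumerates running putty.exe processes, flags loaded modules outside the expected PuTTY and Windows system directories together with their Authenticode status, and lists each process's established TCP connections, since an injected DLL of this kind needs its own outbound socket for the callback. The PuTTY install path under Program Files and running the script elevated are assumptions.

```powershell
# Added example: look for signs of DLL injection and an extra callback socket in putty.exe.
# Assumptions: run from an elevated PowerShell; PuTTY is installed under Program Files.

$expectedDirs = @(
    "$env:ProgramFiles\PuTTY",
    "${env:ProgramFiles(x86)}\PuTTY",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

function Test-ExpectedDir([string]$path) {
    foreach ($dir in $expectedDirs) {
        if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($proc in Get-Process -Name putty -ErrorAction SilentlyContinue) {
    Write-Host "== putty.exe PID $($proc.Id) ($($proc.Path))"

    # Any module loaded from outside the PuTTY or system directories is worth a look;
    # report its Authenticode status so an unsigned injected DLL stands out.
    foreach ($mod in $proc.Modules) {
        if (-not (Test-ExpectedDir $mod.FileName)) {
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
            Write-Warning "Unexpected module: $($mod.FileName) (signature: $($sig.Status))"
        }
    }

    # PuTTY normally holds exactly one connection, to the SSH/Telnet server itself.
    # A second established connection from the same process is the callback channel
    # described above and should be investigated.
    $conns = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue)
    if ($conns.Count -gt 1) {
        Write-Warning "PID $($proc.Id) has $($conns.Count) established connections"
    }
    $conns | Select-Object LocalPort, RemoteAddress, RemotePort | Format-Table -AutoSize
}
```

Catalog-signed system DLLs are excluded by directory rather than by signature check to avoid false positives; review anything the script warns about against the host's change records.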

How to run/install PuttyHijack
  • Start a nc listener on some fully controlled machine.
  • Run PuttyHijack on the victim machine, specifying the listener IP and port (some social-engineering skill may be helpful)
  • Watch the echoing of everything, including passwords (grab it for further analysis)
  • Help commands of PuttyHijack
!disco – disconnect the real putty from the display
!reco – reconnect it
!exit – just another way to exit the injected shell
Download PuttyHijack
