Proof of Concept : PuttyHijack - Hijack SSH/PuTTY Sessions

PuttyHijack is a POC tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs hooks and creates a socket in guest operating system for a callback connection that is then used for input/output redirection.

PuttyHijack does not kill the current connection, and will cleanly uninject if the socket or process is stopped. Leaves no race for further analysis.

How to run/install PuttyHijack
  • Start a nc listener on some fully controlled machine.
  • Run PuttyHijack specify the listener ip and port on victime machine (Some socail engg skill may be helpfull)
  • Watch the echoing of everything including passwords (grab it for further analysis)
  • Help commands of PuttyHijack
!disco – disconnect the real putty from the display
!reco – reconnect it
!exit – just another way to exit the injected shell
Download PuttyHijack

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.