Full Disclosure mailing list archives

Re: Modifying SSH to Capture Login Credentials from Attackers


From: Kurth Bemis <kurth.bemis () gmail com>
Date: Tue, 29 Sep 2009 18:01:22 -0400

Very nice.  Thank you for the clarification.

~k

On Tue, 2009-09-29 at 14:58 -0700, my.hndl wrote:
The standard logs don't record attempted passwords.  On my post I
explained how this could very easily lead to privilege escalation:

"For obvious reasons, openssh and others never log incorrect passwords
(a mistype of your password would get winblowz logged when you meant
winblows…such logging would make it trivial to escalate privilege)."

All standard users have read access to /var/log/auth, so if root
mistyped their password, they could easily escalate by guessing what
root meant.


On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis <kurth.bemis () gmail com>
wrote:
        Aren't all auth failures stored in /var/log/auth (or something similar),
        and won't most log-watching and reporting packages report failed login
        attempts already?
        
        ~k
        
        On Tue, 2009-09-29 at 12:25 -0700, my.hndl wrote:
        > If you've ever had your SSH server dictionary attacked and wondered
        > what usernames / passwords the attackers were trying...
        >
        > I've posted detailed instructions on modifying openssh on Ubuntu 9.04
        > in order to log username / password attempts made by bots. This
        > information can then be used to track down the tools / dictionaries
        > being used against you, and may even lead to discovery of IRC command
        > & control channels used by the botnet herders/masters (the topic of my
        > next post).
        >
        > Full username / password logs included for your enjoyment:
        > http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
        >
        > Intended for novices interested in honeypots.
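As an added illustration of the point argued in this thread (not code from any of the posters or from the linked write-up): the stock sshd log already records the username and source of every failed attempt, just never the password, so attempted usernames and attacking hosts can be tallied from /var/log/auth.log without patching sshd. The log lines below are constructed in the shape OpenSSH writes them; the permission check mirrors the "standard users can read the log" concern.

```python
import re
import stat
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/auth.log.
# Note what is present (username, source, port) and what is absent (the password).
SAMPLE_AUTH_LOG = """\
Sep 29 12:01:03 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Sep 29 12:01:05 host sshd[2211]: Failed password for invalid user oracle from 192.0.2.10 port 4412 ssh2
Sep 29 12:01:09 host sshd[2213]: Failed password for root from 192.0.2.10 port 4413 ssh2
Sep 29 12:02:40 host sshd[2219]: Failed password for invalid user admin from 198.51.100.7 port 5020 ssh2
Sep 29 12:03:00 host sshd[2222]: Accepted publickey for alice from 203.0.113.5 port 6001 ssh2
Sep 29 12:03:11 host sshd[2224]: Invalid user test from 192.0.2.10
"""

# "invalid user" is only present when the account does not exist on the box,
# so its absence tells you the guess hit a real account (e.g. root).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (username, source, account_exists) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m["user"], m["src"], m["invalid"] is None))
    return events


def summarize(events):
    """Tally attempts by username and by source; list real accounts that were targeted."""
    return {
        "by_user": Counter(user for user, _, _ in events),
        "by_src": Counter(src for _, src, _ in events),
        "real_accounts": sorted({user for user, _, exists in events if exists}),
    }


def world_readable(mode):
    """True if the 'other' read bit is set; pass os.stat(path).st_mode of the log file.

    A world-readable log is exactly why logging the attempted password itself
    would be dangerous: a mistyped root password would be visible to every user.
    """
    return bool(mode & stat.S_IROTH)
```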
        
        


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
