Penetration Testing mailing list archives

RE: Keystroke logging with strace (no setup required)


From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Tue, 12 Jul 2005 12:59:58 -0400

Apparently Tom's original message never made it to the list, but I think
this is well worth the bandwidth to share.  Tom wrote a quick Perl
script to parse the output from strace, so you could use the method I
described a little (lot) more conveniently.  I haven't tested it but it
looks pretty straightforward.  Sorry about the line breaks but I didn't
want to send an attachment.

Mark Lachniet

---------snip-----------------
#!/usr/bin/perl -w
#
#  Monitoring a user's shell commands by using strace and displaying and
#  cleaning up the read() syscalls
#  Based on the tip posted to secfocus by Mark Lachniet, written by Tom
#  Van de Wiele.
#
#  To be used on a logfile or in real-time (as fast as /usr/bin/script
#  logs to file that is) like this:
#
#       # script /tmp/what_is_user_foo_doing.log
#       Script started, file is /tmp/what_is_user_foo_doing.log
#       # strace -p <PID of shell of user>
#
#       Using a different terminal at the same time:
#       # perl strace_clean.pl /tmp/what_is_user_doing.log
#
#
use strict;  # hi Kris :)

die "usage: $0 <strace logfile>\n" unless @ARGV;

$| = 1;   # unbuffered stdout, otherwise nothing shows until the next newline

my $char;

# Follow the log as script/strace append to it
open (F, "tail -f $ARGV[0] |") or die "cannot run tail on $ARGV[0]: $!";
while (<F>) {
        next if !/^read/;       # only read() syscalls are of interest
        next if /^$/;
        if (/^read\(0,\s\"(.*)\".*/) {          # read() from stdin: the typed text
                $char = $1;
                if ($char =~ /\\r/) {           # Enter ends the command line
                        print "\n";
                }
                elsif ($char =~ /\\177/) {      # DEL: step back over the last char
                        print "\b";
                }
                elsif ($char =~ /\\t/) {        # TAB completion
                        print "<TAB>";
                }
                else {
                        print $char;
                }
        }
}
close(F);

# EOF
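As an added example (my own code, not part of Tom's or Mark's post), a Python rewrite of the same idea that also copes with what the Perl version does not: multi-byte read() results, DEL actually erasing the previous character, strace's `"..."` string truncation, and the optional `strace -tt` time prefix, which is what the timestamp requirement raised later in the thread asks for. The strace lines in `SAMPLE` are constructed, not a real capture.

```python
import re
# One strace read() on stdin (fd 0), optionally prefixed by a "strace -tt" time.
# "..." after the string means strace truncated it (run with -s 4096 to avoid).
READ_RE = re.compile(r'^(?:(\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+)?'
                     r'read\(0,\s*"((?:[^"\\]|\\.)*)"(?:\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)')
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[0-7]{1,3}|.)')

def unescape(s):
    """Decode strace's C-style escapes (\\n, \\t, \\177, \\x7f) to characters."""
    def sub(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8))
        return {'n': '\n', 't': '\t', 'r': '\r'}.get(e, e)   # \\ and \" stay
    return ESC_RE.sub(sub, s)

def reconstruct(lines):
    """Rebuild typed lines as (time_of_first_key, text); handles DEL and TAB."""
    commands, buf, start = [], [], None
    def flush():
        nonlocal buf, start
        commands.append((start, ''.join(buf)))
        buf, start = [], None
    for line in lines:
        m = READ_RE.match(line)
        if not m or int(m.group(3)) <= 0:    # other fds, EOF or error: skip
            continue
        for ch in unescape(m.group(2)):
            start = start or m.group(1)       # time the line was begun
            if ch in '\r\n':                  # Enter ends the command line
                flush()
            elif ch in '\x7f\x08':            # DEL / backspace erase one char
                if buf: buf.pop()
            elif ch == '\t':
                buf.append('<TAB>')
            else:
                buf.append(ch)
    if buf: flush()                           # line typed but never submitted
    return commands

# Constructed sample of "strace -tt -p <shell pid>" output (not a real capture).
SAMPLE = r"""12:59:58.100 read(0, "l", 1)                 = 1
12:59:58.101 write(2, "l", 1)                = 1
12:59:58.300 read(0, "x", 1)                 = 1
12:59:58.500 read(0, "\177", 1)              = 1
12:59:58.700 read(0, "s -la\r", 6)           = 6
12:59:59.000 read(0, "cat /etc/host\t\r", 15) = 15
12:59:59.600 read(0, "", 1)                  = 0"""
```

Feed it `strace -tt -s 4096 -p <pid> 2>&1` (or the script(1) log) one line at a time; the mistyped "lx" in the sample comes out as "ls -la" because the DEL is applied rather than printed.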

-----Original Message-----
From: Tom Van de Wiele [mailto:tom.vandewiele () gmail com] 
Sent: Friday, July 08, 2005 10:18 PM
To: Lachniet, Mark
Cc: pen-test () securityfocus com
Subject: Re: Keystroke logging with strace (no setup required)

Hi

Included is a quick hack to filter the strace output and reassemble the
commands with limited backspace and tab handling in real-time (not as
you would think).  It's rough but it does the job.

Cheers

Tom

--
Tom Van de Wiele, CISSP
Security Engineer

UNISKILL nv
http://www.uniskill.com
tom.van.de.wiele {A} uniskill.com



On 7/7/05, Lachniet, Mark <mlachniet () sequoianet com> wrote:
It is far from convenient, but you can use the strace command to monitor
all of the keystrokes of any shell on a box where you have root.

For example 'strace /bin/sh', then you will see the program behavior,
including text like the following:

read(0, "a", 1)                         = 1
write(2, "a", 1a)                        = 1
rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
read(0, "b", 1)                         = 1
write(2, "b", 1b)                        = 1
rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
read(0, "c", 1)                         = 1
write(2, "c", 1c)                        = 1
rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0

You could then run a grep command on the output to filter only those
lines that contain "read", use some sed and column breaking, and write a
script to output the text as a log.

This is a handy way of tracking what hackers are doing on a box without
any previous setup of a logger.  You can also use strace to trace an
existing process that you didn't spawn yourself using the -p <pid>
option.

Mark Lachniet

-----Original Message-----
From: Chuck [mailto:chuck.lists () gmail com]
Sent: Wednesday, July 06, 2005 5:11 PM
To: pen-test () securityfocus com
Subject: Re: Keystroke logging

The approach that I use is to set my bash prompt to include
the time and date and then run everything in a screen
session.  Screen has the ability to log everything typed on
command lines and all output using its -L command line
option.  I really like having the output along with the
commands typed, the log is handy to refer to when writing up
findings.  You also get the added ability of being able to
detach from a long running command without killing it.

Screen won't record what happens within a vi session (or
other interactive console program), but if I edit a file, I
just cat it afterwards so that the edited version is included
in the log.  I do the same thing with any files full of IPs
to scan, shell scripts, and the like.

Chuck

On 7/1/05, Aaron J. Bedra <abedra () westervillelibrary org> wrote:
Something to think of,

Yes, most shells have keylogging built in, but most pen-test reports
require you to not only provide keylogging, but also timestamps
(depending on where you are working, sometimes in UTC format), or they
are not accepted as real logs.

Aaron J. Bedra


On Fri, 2005-07-01 at 11:41 +0200, Guillaume Vissian wrote:
Be careful, the history logs only show the common commands input on
the shell; this doesn't show everything wrapped in it. Only keyloggers
can do that. If history remembered all, it would be a major security
failure... For example, with shell history logs you can't see the vim
editing sequences, and for sure the password entries.
And the real, and only for me, utility of a keylogger is to log those
pass entries.
A good keylogger has to, in my mind, be directly implanted in the
kernel; the shells leave too many ways to escape from the logs...
A way to search:
http://linux.ittoolbox.com/documents/document.asp?i=2284

Google is your friend
G.

2005/7/1, Joshua Hamor <josh () cnemedia com>:
Agreed. Most modern shells have history logs. You should be able
to save this text file for your tests.

-J also

Jeff Miller wrote:
I've used bash shell logging before for similar situations.
Just grab the source and compile with the syslogging option.


On Jun 30, 2005, at 2:36 PM, JB wrote:

I'm wondering if anyone has either a kernel level keystroke
logger for Linux 2.6, or a userspace keystroke logger for
Linux. As part of our penetration testing, we are required to
give the client a log of all actions performed - so this would
be a good way of logging all Linux commands. Also - if you know
of the same sort of tool for Windows - that would also be
appreciated.

-J
