Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Same here. RHEL doesn't even have /var/log/auth. We call it /var/log/secure, which is 0600:

  -rw------- 1 root root 509 Oct 1 09:37 secure

----- Original Message -----
From: bo...@civ.zcu.cz
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Date: Wed, 30 Sep 2009 00:03:51 +0200

> > All standard users have read access to /var/log/auth, so if root
>
> they shouldn't, at least on my default debian they don't ...
>
> b

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Follow up posted, which includes:
- analysis of some tools most likely used against me
- information on an operator of a botnet very similar to the one that was attacking me
- code samples, screenshots, etc.

http://paulmakowski.wordpress.com/2009/09/30/from-pass_file-to-script-kiddies/

On Tue, Sep 29, 2009 at 12:25 PM, my.hndl my.h...@gmail.com wrote:
> If you've ever had your SSH server dictionary attacked and wondered what usernames / passwords the attackers were trying...
>
> I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in order to log username / password attempts made by bots. This information can then be used to track down the tools / dictionaries being used against you, and may even lead to discovery of IRC command control channels used by the botnet herders/masters (the topic of my next post).
>
> Full username / password logs included for your enjoyment:
> http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
>
> Intended for novices interested in honeypots.
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
> > All standard users have read access to /var/log/auth, so if root
>
> they shouldn't, at least on my default debian they don't ...
>
> b

Even the (local) root shouldn't know the passwords of the users. They often use them on other systems.

JFCh
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Yes yes, the local root shouldn't know the passwords of the users, just like the users shouldn't reuse passwords. But we're meant to be dealing with the real world, right?

2009/9/30 j...@jagda.eu
> > > All standard users have read access to /var/log/auth, so if root
> >
> > they shouldn't, at least on my default debian they don't ...
> >
> > b
>
> Even the (local) root shouldn't know the passwords of the users. They often use them on other systems.
>
> JFCh
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
my.hndl wrote:
> If you've ever had your SSH server dictionary attacked and wondered what usernames / passwords the attackers were trying...
>
> I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in order to log username / password attempts made by bots. This information can then be used to track down the tools / dictionaries being used against you, and may even lead to discovery of IRC command control channels used by the botnet herders/masters (the topic of my next post).
>
> Full username / password logs included for your enjoyment:
> http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/

There exists a PAM module exploit/utility to save the typed passwords via ssh, normal login, etc.

> Intended for novices interested in honeypots.

--
Fernando A. Lagos Berardi - Zerial
Web Developer and Programmer
Information Security
Linux User #382319
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zer...@jabberes.org
GTalk MSN: ferna...@zerial.org
[Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
If you've ever had your SSH server dictionary attacked and wondered what usernames / passwords the attackers were trying...

I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in order to log username / password attempts made by bots. This information can then be used to track down the tools / dictionaries being used against you, and may even lead to discovery of IRC command control channels used by the botnet herders/masters (the topic of my next post).

Full username / password logs included for your enjoyment:
http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/

Intended for novices interested in honeypots.
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Aren't all auth failures stored in /var/log/auth (or something similar)? And won't most log-watching and reporting packages report failed login attempts already?

~k

On Tue, 2009-09-29 at 12:25 -0700, my.hndl wrote:
> If you've ever had your SSH server dictionary attacked and wondered what usernames / passwords the attackers were trying...
>
> I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in order to log username / password attempts made by bots. This information can then be used to track down the tools / dictionaries being used against you, and may even lead to discovery of IRC command control channels used by the botnet herders/masters (the topic of my next post).
>
> Full username / password logs included for your enjoyment:
> http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
>
> Intended for novices interested in honeypots.
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
The standard log files won't record passwords, though.

Kos

On Sep 29, 2009, at 12:58 PM, Kurth Bemis kurth.be...@gmail.com wrote:
> Aren't all auth failures stored in /var/log/auth (or something similar)? And won't most log-watching and reporting packages report failed login attempts already?
>
> ~k
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
The standard logs don't record attempted passwords. On my post I explained how this could very easily lead to privilege escalation:

For obvious reasons, openssh and others never log incorrect passwords (a mistype of your password would get *winblowz* logged when you meant *winblows*… such logging would make it trivial to escalate privilege). All standard users have read access to /var/log/auth, so if root mistyped their password, they could easily escalate by guessing what root meant.

On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis kurth.be...@gmail.com wrote:
> Aren't all auth failures stored in /var/log/auth (or something similar)? And won't most log-watching and reporting packages report failed login attempts already?
>
> ~k
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Very nice. Thank you for the clarification.

~k

On Tue, 2009-09-29 at 14:58 -0700, my.hndl wrote:
> The standard logs don't record attempted passwords. On my post I explained how this could very easily lead to privilege escalation:
>
> For obvious reasons, openssh and others never log incorrect passwords (a mistype of your password would get winblowz logged when you meant winblows… such logging would make it trivial to escalate privilege). All standard users have read access to /var/log/auth, so if root mistyped their password, they could easily escalate by guessing what root meant.
>
> On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis kurth.be...@gmail.com wrote:
> > Aren't all auth failures stored in /var/log/auth (or something similar)? And won't most log-watching and reporting packages report failed login attempts already?
> >
> > ~k
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
> All standard users have read access to /var/log/auth, so if root

they shouldn't, at least on my default debian they don't ...

b
Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Thank you for this, my.hndl. There are some issues I have been having, and it seems your methodology may work on Fedora and other OSs.

Thanks
./Chuks

On 9/30/09, maxigas maxi...@anargeek.net wrote:
> From: bo...@civ.zcu.cz
> Subject: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
> Date: Wed, 30 Sep 2009 00:03:51 +0200
>
> > > All standard users have read access to /var/log/auth, so if root
> >
> > they shouldn't, at least on my default debian they don't ...
>
> On my default Ubuntu, users in the adm group have read access to the authentication log file:
>
>   m...@machine: ls -l /var/log/auth.log
>   -rw-r----- 1 syslog adm 46774 2009-09-30 01:10 /var/log/auth.log
>
> --
> ×× maxigas // electric shepherd / cyberpunk / web shepherd //
> -= Important communication disclaimer: by replying to my emails you are disclaiming all your disclaimers. =-

--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosig...@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
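The thread turns on two points: Kurth's question of what the standard auth log already records, and the later exchange about who can read that log (0600 root:root on RHEL's /var/log/secure, 0640 syslog:adm on Ubuntu's /var/log/auth.log). The script below is an added example, not code from any of the posts or from the linked blog. It parses sshd's stock "Failed password for ..." syslog lines, which carry the attempted username and source address but no password, and reports who can read a log from its mode bits. The sample log lines are constructed in sshd's log format and are not from any real host; check_log_exposure() is a hypothetical helper that only wraps os.stat.

```python
"""Parse standard sshd failure lines and report who can read the log.

Added example. The log lines below are constructed in the format sshd
writes via syslog; they are not taken from any real host or from the thread.
"""
import os
import re
import stat
from collections import Counter

# Constructed sample of /var/log/auth.log traffic during a dictionary attack.
# Note what is present (username, source IP, port) and what is absent: the
# password that was tried. sshd never writes it to the standard log.
SAMPLE_AUTH_LOG = """\
Sep 29 12:25:01 host sshd[4321]: Invalid user oracle from 192.0.2.10
Sep 29 12:25:01 host sshd[4321]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Sep 29 12:25:03 host sshd[4325]: Failed password for root from 192.0.2.10 port 51240 ssh2
Sep 29 12:25:04 host sshd[4329]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Sep 29 12:25:09 host sshd[4333]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
Sep 29 12:25:15 host sshd[4340]: Failed password for root from 198.51.100.7 port 40010 ssh2
"""

# "invalid user" is emitted when the username does not exist on the host;
# without it, the account exists and only the password was wrong, which is
# the more interesting case when hunting for a targeted guess.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (user, source_ip, account_exists) for each failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip"), m.group("invalid") is None))
    return events


def summarize(events):
    """Tally attempted usernames and attacking addresses."""
    users = Counter(user for user, _, _ in events)
    ips = Counter(ip for _, ip, _ in events)
    return users, ips


def readers_from_mode(mode, owner, group):
    """Describe who may read a file given its mode bits and owner/group names.

    0600 root:root  (RHEL /var/log/secure)     -> only the owner, root.
    0640 syslog:adm (Ubuntu /var/log/auth.log) -> syslog plus every adm member.
    Anything with the "other" read bit set is readable by every local user.
    """
    readers = []
    if mode & stat.S_IRUSR:
        readers.append("owner:" + owner)
    if mode & stat.S_IRGRP:
        readers.append("group:" + group)
    if mode & stat.S_IROTH:
        readers.append("other")
    return readers


def check_log_exposure(path):
    """Hypothetical helper: who can read an actual log file on this host."""
    import grp
    import pwd
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        owner, group = str(st.st_uid), str(st.st_gid)
    return readers_from_mode(st.st_mode, owner, group)


if __name__ == "__main__":
    users, ips = summarize(parse_failed_logins(SAMPLE_AUTH_LOG))
    print("usernames tried:", users.most_common())
    print("sources:", ips.most_common())
    for log in ("/var/log/auth.log", "/var/log/secure"):
        if os.path.exists(log):
            print(log, "readable by", check_log_exposure(log))
```

Run it as-is to see the tally from the constructed lines; on a real Ubuntu or RHEL box the last loop prints the reader list for whichever auth log exists. If a patched sshd or a PAM module starts writing attempted passwords into that same file, the reader list is exactly the set of accounts that can profit from a mistyped root password, which is the escalation my.hndl describes.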