Full Disclosure mailing list archives
Re: Modifying SSH to Capture Login Credentials from Attackers
From: Kurth Bemis <kurth.bemis () gmail com>
Date: Tue, 29 Sep 2009 18:01:22 -0400
Very nice. Thank you for the clarification.

~k

On Tue, 2009-09-29 at 14:58 -0700, my.hndl wrote:
> The standard logs don't record attempted passwords. On my post I explained how this could very easily lead to privilege escalation:
>
> "For obvious reasons, openssh and others never log incorrect passwords (a mistype of your password would get winblowz logged when you meant winblows…such logging would make it trivial to escalate privilege)."
>
> All standard users have read access to /var/log/auth, so if root mistyped their password, they could easily escalate by guessing what root meant.
>
> On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis <kurth.bemis () gmail com> wrote:
>
> > Aren't all auth failures stored in /var/log/auth (or something similar)? And won't most log-watching and reporting packages report failed login attempts already?
> >
> > ~k
> >
> > On Tue, 2009-09-29 at 12:25 -0700, my.hndl wrote:
> >
> > > If you've ever had your SSH server dictionary attacked and wondered what usernames / passwords the attackers were trying...
> > >
> > > I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in order to log username / password attempts made by bots. This information can then be used to track down the tools / dictionaries being used against you, and may even lead to discovery of IRC command & control channels used by the botnet herders/masters (the topic of my next post).
> > >
> > > Full username / password logs included for your enjoyment:
> > > http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
> > >
> > > Intended for novices interested in honeypots.
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
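As an added example (not from this thread or from the linked post), a small Python script that reads the stock sshd lines found in the /var/log/auth log Kurth mentions and shows what they do and do not record: per-source failure counts and the usernames tried, never the password. It also checks the permission condition my.hndl's escalation concern rests on, whether the log is readable by every local user. The sample log lines and host name are constructed.

```python
import os
import re
import stat
from collections import defaultdict

# Constructed sample lines in the format stock OpenSSH writes to auth.log
# (not real entries from the thread).
SAMPLE_AUTH_LOG = """\
Sep 29 12:25:01 hp sshd[4242]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Sep 29 12:25:03 hp sshd[4242]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Sep 29 12:25:04 hp sshd[4243]: Failed password for root from 192.0.2.10 port 51236 ssh2
Sep 29 12:25:09 hp sshd[4250]: Failed password for root from 203.0.113.5 port 40001 ssh2
Sep 29 12:26:00 hp sshd[4260]: Accepted publickey for kurth from 198.51.100.7 port 40000 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarize_failures(lines):
    """Return {source_ip: {"count": n, "users": [sorted usernames]}} for failed
    password attempts. The attempted password itself is absent: unmodified
    sshd never writes it to the log."""
    per_ip = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        entry = per_ip[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    return {ip: {"count": e["count"], "users": sorted(e["users"])}
            for ip, e in per_ip.items()}


def is_world_readable(mode):
    """True when a stat st_mode grants read permission to 'other', i.e. any
    local user could read the file (the condition the thread warns about)."""
    return bool(mode & stat.S_IROTH)


def auth_log_world_readable(path="/var/log/auth.log"):
    """Check the live auth log on this host; None if the file does not exist."""
    try:
        return is_world_readable(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for ip, info in summarize_failures(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['count']} failures, users tried: {', '.join(info['users'])}")
    print("auth.log world-readable:", auth_log_world_readable())
```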
Current thread:
- Modifying SSH to Capture Login Credentials from Attackers my.hndl (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers Kurth Bemis (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers Kos (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers my.hndl (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers Kurth Bemis (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers bodik () civ zcu cz (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers maxigas (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers Gichuki John Chuksjonia (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers jfch (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers dramacrat (Sep 29)
- Re: Modifying SSH to Capture Login Credentials from Attackers Kurth Bemis (Sep 29)