[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers

To: "my.hndl" <my.hndl@xxxxxxxxx>
Subject: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
From: Kurth Bemis <kurth.bemis@xxxxxxxxx>
Date: Tue, 29 Sep 2009 18:01:22 -0400

Very nice.  Thank you for the clarification.

~k

On Tue, 2009-09-29 at 14:58 -0700, my.hndl wrote:
> The standard logs don't record attempted passwords.  On my post I
> explained how this could very easily lead to privilege escalation:
> 
> "For obvious reasons, openssh and others never log incorrect passwords
> (a mistype of your password would get winblowz logged when you meant
> winblows…such logging would make it trivial to escalate privilege)."
> 
> All standard users have read access to /var/log/auth, so if root
> mistyped their password, they could easily escalate by guessing what
> root meant.
> 
> 
> On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis <kurth.bemis@xxxxxxxxx>
> wrote:
>         Aren't all auth failures stored in /var/log/auth (or something
>         similar)?
>         and won't most log-watching and reporting packages report
>         failed login
>         attempts already?
>         
>         ~k
>         
>         On Tue, 2009-09-29 at 12:25 -0700, my.hndl wrote:
>         > If you've ever had your SSH server dictionary attacked and
>         wondered
>         > what usernames / passwords the attackers were trying...
>         >
>         > I've posted detailed instructions on modifying openssh on
>         Ubuntu 9.04
>         > in order to log username / password attempts made by bots.
>          This
>         > information can then be used to track down the tools /
>         dictionaries
>         > being used against you, and may even lead to discovery of
>         IRC command
>         > & control channels used by the botnet herders/masters (the
>         topic of my
>         > next post).
>         >
>         > Full username / password logs included for your enjoyment:
>         >
>         
> http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
>         >
>         > Intended for novices interested in honeypots.
>         
>         > _______________________________________________
>         > Full-Disclosure - We believe in it.
>         > Charter:
>         http://lists.grok.org.uk/full-disclosure-charter.html
>         > Hosted and sponsored by Secunia - http://secunia.com/
>         
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
  - From: my.hndl
- Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
  - From: Kurth Bemis
- Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
  - From: my.hndl

Prev by Date: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Next by Date: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Previous by thread: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Next by thread: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers
Index(es):
- Date
- Thread