Message-Id: <1254261682.3384.44.camel@hkb-laptop>
Date: Tue, 29 Sep 2009 18:01:22 -0400
From: Kurth Bemis <kurth.bemis@...il.com>
To: "my.hndl" <my.hndl@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Modifying SSH to Capture Login Credentials from Attackers
Very nice. Thank you for the clarification.
~k
On Tue, 2009-09-29 at 14:58 -0700, my.hndl wrote:
> The standard logs don't record attempted passwords. On my post I
> explained how this could very easily lead to privilege escalation:
>
> "For obvious reasons, openssh and others never log incorrect passwords
> (a mistype of your password would get winblowz logged when you meant
> winblows…such logging would make it trivial to escalate privilege)."
>
> All standard users have read access to /var/log/auth, so if root
> mistyped their password, they could easily escalate by guessing what
> root meant.
>
>
> On Tue, Sep 29, 2009 at 12:58 PM, Kurth Bemis <kurth.bemis@...il.com> wrote:
> > Aren't all auth failures stored in /var/log/auth (or something
> > similar)? And won't most log-watching and reporting packages report
> > failed login attempts already?
> >
> > ~k
> >
> > On Tue, 2009-09-29 at 12:25 -0700, my.hndl wrote:
> > > If you've ever had your SSH server dictionary attacked and wondered
> > > what usernames / passwords the attackers were trying...
> > >
> > > I've posted detailed instructions on modifying openssh on Ubuntu 9.04
> > > in order to log username / password attempts made by bots. This
> > > information can then be used to track down the tools / dictionaries
> > > being used against you, and may even lead to discovery of IRC command
> > > & control channels used by the botnet herders/masters (the topic of my
> > > next post).
> > >
> > > Full username / password logs included for your enjoyment:
> > > http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/
> > >
> > > Intended for novices interested in honeypots.
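Two points in the exchange above can be checked against actual log lines: Kurth's question of whether the standard auth log already records failed logins, and my.hndl's point that sshd records the attempted username and source but never the password, because the log is readable by more than root. The following is an added example, not code from either poster or from the linked blog post. It parses sshd "Failed password" lines from a constructed sample in the format Ubuntu's sshd writes to /var/log/auth.log (the file Kurth refers to as /var/log/auth), tallies attempts by username and source address the way a log watcher would, and checks whether a file's mode grants world-read access. The hostname, PIDs, addresses (RFC 5737 documentation ranges) and the 3-failure threshold are constructed for the example.

```python
import collections
import os
import re
import stat

# Constructed sample in the format sshd writes to /var/log/auth.log on Ubuntu.
# Addresses come from the RFC 5737 documentation ranges; no real hosts.
SAMPLE_AUTH_LOG = """\
Sep 29 12:25:01 hkb sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Sep 29 12:25:03 hkb sshd[2233]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Sep 29 12:25:07 hkb sshd[2235]: Failed password for root from 198.51.100.7 port 4022 ssh2
Sep 29 12:25:09 hkb sshd[2237]: Failed password for root from 198.51.100.7 port 4031 ssh2
Sep 29 12:25:12 hkb sshd[2239]: Accepted publickey for kurth from 203.0.113.5 port 40110 ssh2
Sep 29 12:25:15 hkb sshd[2241]: Failed password for root from 192.0.2.10 port 51251 ssh2
"""

# sshd records the claimed username and the source, never the password tried:
# that is exactly the field the thread says must not reach a readable log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        events.append({
            "user": m.group("user"),
            "src": m.group("src"),
            "port": int(m.group("port")),
            # 'invalid user' means the username does not exist on this host
            "user_exists": m.group("invalid") is None,
        })
    return events


def summarize(events):
    """Count failures per source address and per attempted username."""
    by_src = collections.Counter(e["src"] for e in events)
    by_user = collections.Counter(e["user"] for e in events)
    return by_src, by_user


def sources_over_threshold(events, threshold):
    """Sources with at least `threshold` failures, the usual trigger for a
    log watcher to alert or to add a firewall rule (threshold is constructed)."""
    by_src, _ = summarize(events)
    return sorted(src for src, n in by_src.items() if n >= threshold)


def mode_is_world_readable(mode):
    """True if the 'other' read bit is set on an st_mode value."""
    return bool(mode & stat.S_IROTH)


def path_is_world_readable(path):
    """Check an on-disk file. This is the property my.hndl's argument rests on:
    anything written to a world-readable auth log is visible to every local user."""
    return mode_is_world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    by_src, by_user = summarize(evs)
    print("failed attempts by source:", dict(by_src))
    print("failed attempts by username:", dict(by_user))
    print("sources at or above 3 failures:", sources_over_threshold(evs, 3))
    log_path = "/var/log/auth.log"  # assumed Ubuntu location
    if os.path.exists(log_path):
        print(log_path, "world-readable:", path_is_world_readable(log_path))
```

Run on a real auth log, the summary is what a log-watching package reports: who tried which usernames from where, with no password text in any line. The mode check tells you whether the "every user can read it" premise holds on a given host, which is the first thing to verify before deciding whether any extra sshd logging is acceptable there.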
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/