From: Lachniet, Mark (mlachniet@sequoianet.com)
Date: Tue Jul 12 2005 - 12:59:58 EDT
Apparently Tom's original message never made it to the list, but I think
this is well worth the bandwidth to share. Tom wrote a quick Perl
script to parse the output from strace, so you could use the method I
described a little (lot) more conveniently. I haven't tested it but it
looks pretty straight forward. Sorry bout the line breaks but I didn't
want to send an attachment.
Mark Lachniet
---------snip-----------------
#!/usr/bin/perl -w
#
# Monitoring a user's shellcommands by using strace and displaying and
cleaning up the read() syscalls
# Based on the tip posted to secfocus by Mark Lachniet, written by Tom
Van de Wiele.
#
# To be used on a logfile or in real-time (as fast as /usr/bin/script
logs to file that is) like this:
#
# # script /tmp/what_is_user_foo_doing.log
# Script started, file is /tmp/what_is_user_foo_doing.log
# # strace -p <PID of shell of user>
#
# Using a different terminal at the same time:
# # perl strace_clean.pl /tmp/what_is_user_doing.log
#
#
use strict; # hi Kris :)
my $char;
open (F, "tail -f $ARGV[0] |");
while (<F>) {
next if !/^read/;
next if /^$/;
if (/^read\(0,\s\"(.*)\".*/) {
$char = $1;
if ($char =~ /\\r/) {
print "\n";
}
elsif ($char =~ /\\177/) {
print "\b";
}
elsif ($char =~ /\\t/) {
print "<TAB>";
}
else {
print $char;
}
}
}
# EOF
> -----Original Message-----
> From: Tom Van de Wiele [mailto:tom.vandewiele@gmail.com]
> Sent: Friday, July 08, 2005 10:18 PM
> To: Lachniet, Mark
> Cc: pen-test@securityfocus.com
> Subject: Re: Keystroke logging with strace (no setup required)
>
> Hi
>
> Included is a quick hack to filter the strace output and
> reassemble the commands with limited backspace and tab
> handling in real-time (not as you would think). Its rough
> but it does the job.
>
> Cheers
>
> Tom
>
> --
> Tom Van de Wiele, CISSP
> Security Engineer
>
> UNISKILL nv
> http://www.uniskill.com
> tom.van.de.wiele {A} uniskill.com
>
>
>
> On 7/7/05, Lachniet, Mark <mlachniet@sequoianet.com> wrote:
> > It is far from convenient, but you can use the strace
> command to monitor
> > all of the keystrokes of any shell on a box where you have root.
> >
> > For example 'strace /bin/sh' then you will see the program
> behavior,
> > including text like the following:
> >
> > read(0, "a", 1) = 1
> > write(2, "a", 1a) = 1
> > rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
> > read(0, "b", 1) = 1
> > write(2, "b", 1b) = 1
> > rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
> > read(0, "c", 1) = 1
> > write(2, "c", 1c) = 1
> > rt_sigprocmask(SIG_BLOCK, NULL, [RTMIN], 8) = 0
> >
> > You could then run a grep command on the output to filter only those
> > lines that contain "read", use some sed and column
> breaking, and write a
> > script to output the text as a log.
> >
> > This is a handy way of tracking what hackers are doing on a
> box without
> > any previous setup of a logger. You can also use strace to trace an
> > existing process that you didn't spawn yourself using the -p <pid>
> > option
> >
> > Mark Lachniet
> >
> > > -----Original Message-----
> > > From: Chuck [mailto:chuck.lists@gmail.com]
> > > Sent: Wednesday, July 06, 2005 5:11 PM
> > > To: pen-test@securityfocus.com
> > > Subject: Re: Keystroke logging
> > >
> > > The approach that I use is to set my bash prompt to include
> > > the time and date and then run everything in a screen
> > > session. Screen has the ability to log everything typed on
> > > command lines and all output using it's -L command line
> > > option. I really like having the output along with the
> > > commands typed, the log is handy to refer to when writing up
> > > findings. You also get the added ability of being able to
> > > detach from a long running command without killing it.
> > >
> > > Screen won't record what happens within a vi session (or
> > > other interactive console program), but if I edit a file, I
> > > just cat it afterwards so that the edited version is included
> > > in the log. I do the same thing with any files full of IPs
> > > to scan, shell scripts, and the like.
> > >
> > > Chuck
> > >
> > > On 7/1/05, Aaron J. Bedra <abedra@westervillelibrary.org> wrote:
> > > > Something to think of,
> > > >
> > > > Yes, most shells have keylogging built in, but most
> > > pen-test reports
> > > > require you to not only provide keylogging, but also timestamps
> > > > (depending on where you are working, sometimes in UTC
> > > format), or they
> > > > are not accepted as real logs.
> > > >
> > > > Aaron J. Bedra
> > > >
> > > >
> > > > On Fri, 2005-07-01 at 11:41 +0200, Guillaume Vissian wrote:
> > > > > Be carefull the history logs only show the common
> > > commands input on
> > > > > the shell, this didn't show everything wrappen on it. Only
> > > > > keyloggers can do that. If history remember all it would
> > > be a major
> > > > > security failure... For example with shells history logs
> > > you can't
> > > > > see the vim editing sequences, and for sure the
> password entries.
> > > > > And the real, and only for me, utility of a keylogger is
> > > to log thoses pass entries.
> > > > > A good keylogger have to, in my mind, be directly
> > > implanted in the
> > > > > kernel, the shells let to much ways to escape from the logs...
> > > > > A way to search :
> > > > > http://linux.ittoolbox.com/documents/document.asp?i=2284
> > > > >
> > > > > Google is your friend
> > > > > G.
> > > > >
> > > > > 2005/7/1, Joshua Hamor <josh@cnemedia.com>:
> > > > > > Agreed. Most modern shells have history logs. You
> > > should be able
> > > > > > to save this text file for your tests.
> > > > > >
> > > > > > -J also
> > > > > >
> > > > > > Jeff Miller wrote:
> > > > > > > I've used bash shell logging before for similar
> situations.
> > > > > > > just grab the source and compile with the
> syslogging option.
> > > > > > >
> > > > > > >
> > > > > > > On Jun 30, 2005, at 2:36 PM, JB wrote:
> > > > > > >
> > > > > > >> I'm wondering if anyone has either a kernel
> level keystroke
> > > > > > >> logger for the Linux 2.6, or a userspace keystroke
> > > logger for
> > > > > > >> Linux. As part of our penetration testing, we are
> > > required to
> > > > > > >> give the client a log of all actions performed - so
> > > this would
> > > > > > >> be a good way of logging all linux commands. Also -
> > > if you know
> > > > > > >> of the same sort of tool for windows - that
> would also be
> > > > > > >> appreciated.
> > > > > > >>
> > > > > > >> -J
> > > > > > >>
> > > > > > >>
> > > > > > >
> > > > > >
> > > >
> > >
> >
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:32 EDT