https://github.com/blendin/3snake

Tool for extracting information from newly spawned processes
https://github.com/blendin/3snake

Last synced: about 16 hours ago
JSON representation

Tool for extracting information from newly spawned processes

• Host: GitHub
• URL: https://github.com/blendin/3snake
• Owner: blendin
• License: other
• Created: 2018-02-07T21:03:15.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2022-02-14T17:42:10.000Z (over 2 years ago)
• Last Synced: 2024-05-21T15:26:18.996Z (6 months ago)
• Language: C
• Size: 43 KB
• Stars: 713
• Watchers: 24
• Forks: 108
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - blendin/3snake - Tool for extracting information from newly spawned processes (C)

README

        
3snake - dump sshd and sudo credential related strings

---

Disclaimer

---

I Wrote This In College

About

---

Targeting rooted servers, reads memory from `sshd` and `sudo` system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every `sshd` and `sudo` command that is run.

Listens for the `proc` event using netlink sockets to get candidate processes to trace. When it receives an `sshd` or `sudo` process `ptrace` is attached and traces `read` and `write` system calls, extracting strings related to password based authentication.

Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.

![3snake](https://user-images.githubusercontent.com/20363764/35941544-74b2d22c-0c07-11e8-887a-474cb9b6daec.gif)

Build

---

```sh

make

./3snake -h

./3snake

```

Usage

---

Run in current terminal

`./3snake`

Daemonize and dump output to file

`./3snake -d -o "/tmp/output_file.txt"`

Configuration

---

Located in [config.h](https://github.com/blendin/3snake/blob/master/src/config.h)

- __ROOT_DIR__ - root directory when daemonized (relative file paths for -o option will end up here)

- __ENABLE_SSH__ - OpenSSH server password auth

- __ENABLE_SUDO__ - sudo password auth

- __ENABLE_SU__ (experimental) - su password auth

- __ENABLE_SSH_CLIENT__ (experimental) - ssh client password auth

- __ENABLE_PASSWD__ - `passwd` password changes

Limitations

---

Linux, ptrace enabled, /proc filesystem mounted

Todo

---

| Features                                          | X   |

|---------------------------------------------------|-----|

| OpenSSH server password auth                      | X   |

| sudo                                              | X   |

| su                                                | X   |

| regex strings from processes                      | ~   |

| ssh client                                        | X   |

* Make the process of adding tracers more fluid

* Yubikey: Ask for second yubikey from end users, OpenSSH

* Output mode that only shows usernames/passwords

Licenses

---

MIT and Wrote This When In College