Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/blendin/3snake
Tool for extracting information from newly spawned processes
https://github.com/blendin/3snake
Last synced: about 1 month ago
JSON representation
Tool for extracting information from newly spawned processes
- Host: GitHub
- URL: https://github.com/blendin/3snake
- Owner: blendin
- License: other
- Created: 2018-02-07T21:03:15.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2022-02-14T17:42:10.000Z (almost 3 years ago)
- Last Synced: 2024-05-21T15:26:18.996Z (7 months ago)
- Language: C
- Size: 43 KB
- Stars: 713
- Watchers: 24
- Forks: 108
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - blendin/3snake - Tool for extracting information from newly spawned processes (C)
README
3snake - dump sshd and sudo credential related strings
---Disclaimer
---
I Wrote This In CollegeAbout
---
Targeting rooted servers, reads memory from `sshd` and `sudo` system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every `sshd` and `sudo` command that is run.Listens for the `proc` event using netlink sockets to get candidate processes to trace. When it receives an `sshd` or `sudo` process `ptrace` is attached and traces `read` and `write` system calls, extracting strings related to password based authentication.
Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.
![3snake](https://user-images.githubusercontent.com/20363764/35941544-74b2d22c-0c07-11e8-887a-474cb9b6daec.gif)
Build
---
```sh
make
./3snake -h
./3snake
```Usage
---Run in current terminal
`./3snake`Daemonize and dump output to file
`./3snake -d -o "/tmp/output_file.txt"`Configuration
---
Located in [config.h](https://github.com/blendin/3snake/blob/master/src/config.h)
- __ROOT_DIR__ - root directory when daemonized (relative file paths for -o option will end up here)
- __ENABLE_SSH__ - OpenSSH server password auth
- __ENABLE_SUDO__ - sudo password auth
- __ENABLE_SU__ (experimental) - su password auth
- __ENABLE_SSH_CLIENT__ (experimental) - ssh client password auth
- __ENABLE_PASSWD__ - `passwd` password changesLimitations
---
Linux, ptrace enabled, /proc filesystem mountedTodo
---| Features | X |
|---------------------------------------------------|-----|
| OpenSSH server password auth | X |
| sudo | X |
| su | X |
| regex strings from processes | ~ |
| ssh client | X |* Make the process of adding tracers more fluid
* Yubikey: Ask for second yubikey from end users, OpenSSH
* Output mode that only shows usernames/passwordsLicenses
---
MIT and Wrote This When In College