An interesting look into forensic computing . . . (note: this document was
originally in PDF format but because I had trouble opening it, the author
graciously converted it to HTML)

---------- Forwarded Message ----------

Subject: Re: Contribution
Date: Fri, 05 Jul 2002 14:59:55 -0700
From: Imre Kertesz
To: Jim

I have included the document in HTML format.

Jim wrote:
> no luck again - sorry
>
> On Friday 05 July 2002 12:14, you wrote:
> > Let me try this without the digital sig. That sometimes causes problems.
> > If not, I will convert it to the standard HOWTO HTML format.
> >
> > -I
> >
> > Jim wrote:
> > > I was unable to open your pdf file either directly or after saving it
> > > locally. Is it possible to convert the file to ascii or html or some
> > > other non-proprietary data format?
> > >
> > > On Friday 05 July 2002 10:42, you wrote:
> > > > Folks,
> > > >
> > > > I don't know who to contact since I am not even new to the group so
> > > > here I am. I am submitting a HOWTO that I did yesterday on
> > > > integrating the ttysnoop session monitoring utility with OPENSSH.
> > > > Very handy for forensic purposes or just good network vigilance.
> > > >
> > > > Also, I plan to attend the next PLUG group meeting and have a huge
> > > > bag of topics that I could present - depends upon the crowd, though.
> > > > A couple of them are Linux-based Everquest session monitoring
> > > > utilities (for the Everquest enthusiasts - always causes jaws to
> > > > drop) or for the more advanced crowd, building distributed cracking
> > > > clusters with Linux for on-the-fly 40-bit SSL crackage (a little more
> > > > dangerous and intended for "white hat" users). I have other
> > > > interesting presentations - depends on the crowd. Please let me know
> > > > if there is any interest.
> > > >
> > > > Thanks - I

-- 
-· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually you will see the
bodies of your enemies float by"
-A maxim of patience, author unknown

Imre Kertesz
480.363.1492
PGP ID: 0x1C1E5054

-------------------------------------------------------

-- 
Jim
Freedom is worth protecting

[Attachment: HOWTO OPENSSH with TTYSNOOP.htm]

(v2.0) HOWTO OPENSSH with TTYSNOOP

Imre Kertesz <ikertesz@metasecuritygroup.com> July 2002

Introduction

As documented in the ttysnoop package, ttysnoop allows snooping on a login tty through another tty device or pseudo-tty. The snoop tty becomes a 'clone' of the original tty, redirecting both input and output from/to it.

Although the ttysnoop code contains authentication mechanisms to prevent unauthorized use, the code is not foolproof and may allow an unauthorized user to compromise the host system in a number of ways. In other words: Use At Your Own Risk. However, it is an extremely effective and capable utility for what it is designed to do.

Although designed and documented to function with a telnet-based tty session, this HOWTO describes how to configure ttysnoop to function with OPENSSH. I used ttysnoop v0.12d, which did not change appreciably from the previous version. I used OPENSSH (version OpenSSH_3.0.2p1) because of the widespread use of OPENSSH over commercial products.

Typical scenario:

USER1 connects to the mainbase server via OPENSSH (in my test bed, I am using SecureCRT 3.0 and ssh2). ROOT notices the connection and lists the contents of the /var/spool/ttysnoop directory to get the name of the clone ttysnoop session. ROOT runs the ttysnoop utility, using the name of the session found in /var/spool/ttysnoop as an argument. ROOT is prompted for a password (authorization to use the utility) and, if authenticated, a clone of USER1's tty starts. All typed commands and standard output that appear in USER1's tty also appear in ROOT's cloned tty. ROOT can also enter commands that will appear and function in USER1's tty as if USER1 had entered them.


Components

ttysnoop
    The client portion – the piece that is used to connect to ttysnoops

ttysnoops
    The server portion – the piece that replaces /bin/login as the login program

/etc/snooptab
    The configuration file – used to define which ttys to listen to

/var/spool/ttysnoop
    The directory that keeps track of currently running server instances

sshd
    OPENSSH server, specially configured


Installation of ttysnoop

1. Unpack the source tarball

2. Check the authentication mechanism

In my experience with ttysnoop, I had difficulty authenticating with the ttysnoops server when prompted. By default, ttysnoop will query for the root password when attempting to connect to create a clone tty. According to the documentation, this can be changed by editing the config.h file and changing the line

    #define SNOOPUSER       "root"

to something other than root.

Despite this change, I was still unable to authenticate. This does not mean it won't work for you; try it first, it may work. I bypassed the problem by editing the ttysnoops.c file and changing the authentication subroutine to prompt for an alternate means of identification. It's not the most secure alternative, but it's quick and it works.

Snippet from ttysnoops.c (the password check in both the plain and the shadow-password build now compares the typed string against a fixed value):

    #ifndef SHADOW_PWD
            if (strcmp(buff, "lamer") == 0)   /* fixed string replaces the password check */
    #else
            if (strcmp(buff, "lamer") == 0)   /* same replacement for the shadow build */
    #endif


3. Compile the source code, as documented.

By default, make install will place the executables in /sbin. For the sake of obfuscation, I change the name and behavior of most of my services. In this example, I changed /sbin/ttysnoops to /sbin/foo_login.


4. Create the /var/spool/ttysnoop directory. This is not done automatically.

Don't put anything in this directory. When a user logs in through the ttysnoops server (discussed later), a file appears in the /var/spool/ttysnoop directory that corresponds to that user's session (ttyp0, ttyp1, ttyp2, etc.). The mere existence of a file in the /var/spool/ttysnoop directory confirms a successful ttysnoop login. However, ttysnoops does not clean the file up upon termination of the corresponding session, so the files remain there (as "afterimages") until used again or manually deleted.

5. Copy the snooptab.dist file

From the source directory, copy the snooptab.dist file to /etc/snooptab.  ttysnoop uses this to generate the files that you will find in the /var/spool/ttysnoop directory.
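Step 4 above notes that ttysnoops leaves "afterimages" behind in /var/spool/ttysnoop, so a listing alone does not tell you which sessions are actually being served. The following script is an added example written for this HOWTO, not code from the ttysnoop package. It assumes (not stated above; the trailing "=" in the ls listing later in this HOWTO is how ls -F marks sockets) that each spool entry is a Unix-domain socket, and it treats an entry as live only if that path is still bound according to /proc/net/unix, which makes it Linux-specific but avoids connecting to the socket and disturbing a monitored session. The function names (bound_unix_paths, audit_spool, afterimages, constructed_demo) and the demo data are the example's own.

```python
"""Audit /var/spool/ttysnoop: live snoop servers versus 'afterimages'.

Added example for this HOWTO, not code from the ttysnoop package. Assumes
(not stated in the HOWTO) that each spool entry is a Unix-domain socket and
reads the bound-socket table from /proc/net/unix, so it is Linux-specific.
"""
import os
import pwd
import socket
import stat
import tempfile
from collections import namedtuple

PROC_NET_UNIX = "/proc/net/unix"
SPOOL_DIR = "/var/spool/ttysnoop"        # spool directory named in the HOWTO

SpoolEntry = namedtuple("SpoolEntry", "name is_socket live owner")


def bound_unix_paths(proc_text):
    """Filesystem paths of bound Unix sockets, parsed from /proc/net/unix text.

    Line 1 is a header; data lines have seven numeric columns (Num, RefCount,
    Protocol, Flags, Type, St, Inode) plus an eighth, the path, for named
    sockets. Unnamed sockets have no path and abstract ones start with '@';
    neither can be an entry in the spool directory, so both are skipped.
    """
    paths = set()
    for line in proc_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 8 and not parts[7].startswith("@"):
            paths.add(parts[7])
    return paths


def tty_owner(name):
    """User owning /dev/<name> (the snooped login), or None if it is absent."""
    try:
        uid = os.stat(os.path.join("/dev", name)).st_uid
    except OSError:
        return None
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_spool(spool_dir, bound_paths):
    """Classify each spool entry; 'live' means a server is still bound to it."""
    entries = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        is_socket = stat.S_ISSOCK(os.lstat(path).st_mode)
        live = is_socket and (path in bound_paths
                              or os.path.realpath(path) in bound_paths)
        entries.append(SpoolEntry(name, is_socket, live, tty_owner(name)))
    return entries


def afterimages(entries):
    """Names of entries with no bound server: the leftovers step 4 describes."""
    return [e.name for e in entries if not e.live]


def constructed_demo():
    """Audit constructed data in a temp dir instead of the real spool.

    Both socket files are created the way ttysnoops leaves them (bind, then
    exit without unlink). The constructed /proc/net/unix excerpt lists only
    ttyp0 as still bound, so ttyp1 must come back as an afterimage.
    """
    spool = tempfile.mkdtemp(prefix="ttysnoop-demo-")
    for name in ("ttyp0", "ttyp1"):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(os.path.join(spool, name))   # creates the socket file...
        s.close()                            # ...and leaves it behind
    proc_text = "\n".join([
        "Num RefCount Protocol Flags Type St Inode Path",
        "0000000000000000: 00000002 00000000 00010000 0001 01 4711 "
        + os.path.join(spool, "ttyp0"),
        "0000000000000001: 00000002 00000000 00000000 0001 03 4712",
        "0000000000000002: 00000002 00000000 00010000 0001 01 4713 @abstract",
    ]) + "\n"
    return audit_spool(spool, bound_unix_paths(proc_text))


if __name__ == "__main__":
    with open(PROC_NET_UNIX) as f:
        bound = bound_unix_paths(f.read())
    for e in audit_spool(SPOOL_DIR, bound):
        state = "live" if e.live else "AFTERIMAGE (no server bound)"
        print(f"{e.name:<8} owner={e.owner or '?':<8} {state}")
```

Run as root on the snooping host it prints one line per spool entry with the owner of the matching /dev tty and whether a ttysnoops server is still bound to it; the names returned by afterimages() are the ones that can be deleted without cutting off a live clone.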


Configuration of OPENSSH

There are a few ways to kick off the special OPENSSH server. If ttysnoop will be a permanent installation, you might want to consider using inetd.conf or xinetd.d with TCP_WRAPPERS for improved access control. Refer to the TCP_WRAPPERS HOWTO for more information on how to set that up. In the following examples, we will configure a basic, manually started OPENSSH server.

If you were configuring telnet for use with ttysnoop, it would simply be a matter of editing the /etc/inetd.conf file to change telnet's default login program:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /sbin/ttysnoops

With OPENSSH, recompilation is necessary.


1. Recompile ssh to change the default login program.

I am using OpenSSH_3.0.2p1. In other versions, compile-time arguments allow changing the default login program. With this version, because there is no compile-time argument to specify an alternate login program, the LOGIN_PROGRAM environment variable needs to be set prior to compilation. Use the name of the ttysnoops server that we renamed earlier as the value.

    # LOGIN_PROGRAM=/sbin/foo_login; export LOGIN_PROGRAM

When compiling the special OPENSSH server, I use an alternate directory because there is also an unblemished OPENSSH server on the machine. In this example, I will use /opt/haktopenssh as the PREFIX directory:

    # ./configure --prefix=/opt/haktopenssh --with-pam


2. Configure OPENSSH

In the /opt/haktopenssh/etc/sshd_config file, set the UseLogin option:

    UseLogin yes


3. Start sshd

Manually or via an automated process (inetd.conf, xinetd.d, init.d, etc.):

    # /opt/haktopenssh/sbin/sshd -p15151


-p15151 starts sshd on a non-standard port
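Before starting the special sshd it is worth confirming that the UseLogin setting from step 2 will actually take effect. The check below is an added example written for this HOWTO, not OpenSSH's own tooling. It relies on the sshd_config(5) rules that keywords are case-insensitive, that lines whose first non-blank character is "#" are comments, and that for each keyword the first value found is the one sshd uses: a distribution sshd_config that still carries an uncommented "UseLogin no" above an added "UseLogin yes" silently never runs the login program, and that is the mistake this catches. The paths are the HOWTO's (/opt/haktopenssh/etc/sshd_config and /sbin/foo_login); the function names and the sample configurations are the example's own.

```python
"""Sanity-check the special sshd build's configuration before starting it.

Added example for this HOWTO; not part of OpenSSH. Implements the
sshd_config(5) first-value-wins rule so that a shadowed UseLogin is caught.
"""
import os
import re

SSHD_CONFIG = "/opt/haktopenssh/etc/sshd_config"   # paths from the HOWTO
LOGIN_PROGRAM = "/sbin/foo_login"

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Map lowercase keyword -> list of its values in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # blank or comment line
            continue
        m = _DIRECTIVE.match(line)
        if m:
            conf.setdefault(m.group(1).lower(), []).append(m.group(2))
    return conf


def effective(conf, keyword, default):
    """The value sshd will use: the FIRST occurrence, else the default."""
    values = conf.get(keyword.lower())
    return values[0] if values else default


def check_snoop_sshd(config_text, login_program=LOGIN_PROGRAM):
    """Return a list of problems; an empty list means the setup is consistent."""
    conf = parse_sshd_config(config_text)
    problems = []
    uselogin = effective(conf, "UseLogin", "no").lower()
    if uselogin != "yes":
        problems.append("effective UseLogin is '%s': sshd will not run %s"
                        % (uselogin, login_program))
    if len(conf.get("uselogin", [])) > 1:
        problems.append("UseLogin appears %d times; only the first counts"
                        % len(conf["uselogin"]))
    if not os.access(login_program, os.X_OK):
        problems.append("login program %s is missing or not executable"
                        % login_program)
    return problems


# Constructed sshd_config excerpts for demonstration (not from the HOWTO).
GOOD_CONFIG = "# stock comment\n#UseLogin no\nUseLogin yes\n"
SHADOWED_CONFIG = "UseLogin no\nUseLogin yes\n"   # the 'yes' is ignored by sshd


if __name__ == "__main__":
    with open(SSHD_CONFIG) as f:
        text = f.read()
    report = check_snoop_sshd(text) or [
        "OK: UseLogin yes is effective and %s is executable" % LOGIN_PROGRAM]
    for line in report:
        print(line)
```

parse_sshd_config keeps every occurrence of a keyword so that keywords which legitimately repeat (Port, for example) are preserved, while effective() applies the first-wins rule that matters for UseLogin.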


Using ttysnoop

Users logging in through OPENSSH will now transparently invoke foo_login (AKA ttysnoops). When they log in, a listing of /var/spool/ttysnoop will confirm successful operation.

    # ls /var/spool/ttysnoop/
    ttyp0=

Connect and authenticate:

    # ttysnoop ttyp0
    Connected to ttyp0 snoop server...
    Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-' (ASCII 31) to terminate.
    Snoop password:
    Verified OK... Snoop started.

Have fun!
