Targeting rooted servers, reads memory from sshd
and sudo
system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd
and sudo
command that is run.
Listens for the proc
event using netlink sockets to get candidate processes to trace. When it receives an sshd
or sudo
process ptrace
is attached and traces read
and write
system calls, extracting strings related to password based authentication.
Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.
make
./3snake -h
./3snake
Run in current terminal
./3snake
Daemonize and dump output to file
./3snake -d -o "/tmp/output_file.txt"
Located in config.h
- ROOT_DIR - root directory when daemonized (relative file paths for -o option will end up here)
- ENABLE_SSH - OpenSSH server password auth
- ENABLE_SUDO - sudo password auth
- ENABLE_SU (experimental) - su password auth
- ENABLE_SSH_CLIENT (experimental) - ssh client password auth
Linux, ptrace enabled, /proc filesystem mounted
Features | X |
---|---|
OpenSSH server password auth | X |
sudo | X |
su | X |
regex strings from processes | ~ |
ssh client | X |
- Make the process of adding tracers more fluid
- Yubikey: Ask for second yubikey from end users, OpenSSH
- Output mode that only shows usernames/passwords
MIT