From: warchild@spoofed.org
Date: Mon May 13 2002 - 12:20:09 CDT


    On Mon, May 13, 2002 at 05:34:37PM +0200, Gil Klein wrote:
    > I read your post about ttysnoop/telnet/ssh.
    >
    > I am trying to run OpenSSH 3.01 with ttysnoop 0.12d.
    >
    > I recompiled the sshd --with-login=/sbin/ttysnoops
    > and updated /etc/ssh/sshd_config with UseLogin
    > but I still can't snoop the ssh session.
    >
    > Can you give me a tip how to solve it?
    >
    > Thanks
    > Gil

    It depends. :)

    Can you verify that ttysnoops is getting started up correctly? When sshd is started
    and the authentication process begins, you should see ttysnoops running. ttysnoops
    may not work by default. I haven't touched this particular setup in a while, so
    details are still fuzzy, but doesn't ttysnoop(s) require some sort of password?

    In what context are you trying to capture ssh sessions? If you are not concerned
    about attacks on sshd itself, I have a solution for you. This doesn't involve using
    ttysnoop(s), but it gets you a much more usable and stable configuration.

    'iob' (by the teso group) was mentioned as a possibility. I've recently deployed something
    that utilizes iob to capture all I/O from an ssh session. The setup is approximately the
    following:

    1.) Remote user connects to a gateway box's sshd using a hardcoded username ('guest').
    2.) Guest has a null password.
    3.) Guest's shell is a series of commands to:
            a.) launch iob
            b.) ssh to the internal box (presumably a honeypot) using either a predefined
            username or one read from the remote machine (expect anyone?)

    How this is actually implemented varies from OS to OS, but the idea and concerns are the
    same. You need to ensure that guest's shell only allows them to execute ssh-via-iob and
    nothing else. No scp/sftp/port-forwarding, etc.

    What you get is two files for each connection -- input and output. The output file contains
    an _exact_ copy of what the user (presumably an attacker) saw on his/her screen. This
    includes all terminal codes (color!), cursor movements. Everything. `tail -f`'ing the file
    gives you a real-time view of what the attacker's screen looks like. I got the chills the first time
    I saw it actually work.

    I hope to publish some documents regarding this setup soon. Probably by next weekend.

    Have fun,

    -jon
    (who is sorry for the line-wraps in this mail. mutt just stopped cooperating)
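The restricted guest shell that the mail sketches (steps 1-3 plus the "ssh-via-iob and nothing else" rule), written out as an added example that is not part of the original mail or of iob. It swaps in util-linux `script` for iob, so it records only what the user sees (one output transcript per connection) rather than iob's separate input and output files; the log directory, the internal host name and the `guest-shell` install name are assumptions.

```sh
#!/bin/sh
# Added example (not from the original mail): a restricted login shell for the
# gateway's 'guest' account. It refuses anything but an interactive login,
# records the session to a per-connection file, and forwards the user to the
# internal box. util-linux `script` (-q -f -c) stands in for teso's iob, whose
# own command line is not shown in the mail; paths and hosts below are assumed.

LOGDIR="${GUEST_LOGDIR:-/var/log/guest-sessions}"   # assumed log directory
INTERNAL_HOST="${GUEST_TARGET:-honeypot.internal}"    # assumed internal box
INTERNAL_USER="${GUEST_TARGET_USER:-guest}"           # predefined username

# Policy check: only an interactive login is allowed. sshd runs the login shell
# with no arguments for an interactive session and with "-c <cmd>" for scp,
# sftp or any remote command; a ForceCommand setup exposes the request in
# SSH_ORIGINAL_COMMAND instead. Returns 0 to allow, 1 to refuse.
guest_shell_allowed() {
    [ "$#" -eq 0 ] || return 1
    [ -z "${SSH_ORIGINAL_COMMAND:-}" ] || return 1
    return 0
}

# Per-connection log base name from the UTC timestamp, the peer address that
# sshd exports as the first field of SSH_CLIENT, and the shell's PID, so two
# parallel guest sessions never share a file.
#   session_basename 20020513T122009 "192.0.2.10 51234 22" 4242
#   -> 20020513T122009-192.0.2.10-4242
session_basename() {
    peer="${2%% *}"
    [ -n "$peer" ] || peer=unknown
    printf '%s-%s-%s' "$1" "$peer" "$3"
}

run_guest_shell() {
    if ! guest_shell_allowed "$@"; then
        echo "guest: only interactive logins are permitted" >&2
        exit 1
    fi
    umask 077                      # transcripts are readable by root only
    mkdir -p "$LOGDIR" || exit 1
    base="$LOGDIR/$(session_basename "$(date -u +%Y%m%dT%H%M%S)" "${SSH_CLIENT:-}" "$$")"
    # script writes everything the user sees, terminal codes included, to
    # $base.out and flushes on every write, so `tail -f "$base.out"` gives the
    # live view the mail describes. ClearAllForwardings blocks port forwarding
    # on the hop to the internal box; AllowTcpForwarding no in sshd_config
    # blocks it on the gateway itself.
    exec script -q -f "$base.out" \
        -c "ssh -o ClearAllForwardings=yes $INTERNAL_USER@$INTERNAL_HOST"
}

# Dispatch only when installed as the guest account's login shell (e.g. as
# /usr/local/bin/guest-shell in /etc/passwd; sshd passes "-guest-shell" as
# $0 for a login shell). Under any other name the file just defines functions.
case "${0##*/}" in
    guest-shell|-guest-shell) run_guest_shell "$@" ;;
esac
```

On the gateway's sshd side this pairs with `PermitEmptyPasswords yes` for the null-password guest and `AllowTcpForwarding no`; the shell script alone cannot stop forwarding requests that the gateway's sshd itself services.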

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------