JP Vossen on 1 Sep 2007 19:30:50 -0000



Re: [PLUG] shell script help...


JP Vossen wrote:
> To the best of my knowledge there is *no way* to do this without using a modified kernel (or maybe kernel module) that captures keystrokes. This is discussed in _Know Your Enemy_ on pages 38-40 and is probably covered in various places at http://honeynet.org/.

I poked into this a bit more today. The first edition copy of the book I have (copyright 2002) has a CD-ROM with a patch and a pre-compiled (old) bash that looks like it logs keystrokes to a syslog server. The patch on CD says:
    To apply this to a _clean_ bash-2.03 tree you do
        cd /usr/src/redhat/BUILD/bash-2.03
        patch -p0 < filename
    by: Antonomasia <ant@notatla.demon.co.uk>


See these for various versions of the code:
http://web.archive.org/web/*/http://project.honeynet.org/papers/honeynet/bash.patch
http://www.google.com/search?q=%220+means+no+sending+history+to+syslog%22

This avoids the possible DoS of using 'script' or 'screen' since you only get input. But then you still have the issue of using not-bash for evasion. Even if you can remove other shells (which I doubt), you can't get rid of Perl (or Python), so an attacker can fire up an editor and write trivial P* code to evade logging.

Makes me think of the character in Stephenson's Cryptonomicon who needed to read a file without it being intercepted via Van Eck phreaking (AKA Tempest), so he programs his caps-lock key to blink the file to him in Morse code. I suppose a sufficiently determined attacker might be able to place code that would allow him to issue commands via Morse code using Shift, ALT, CTRL or some other key. :-)

http://en.wikipedia.org/wiki/Van_Eck_phreaking
http://en.wikipedia.org/wiki/TEMPEST
http://en.wikipedia.org/wiki/Morse_code

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
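The message above points out that a syslog-logging bash only records what is typed at *that* shell, so the interesting analysis question is spotting the moment the attacker leaves it. The script below is an added example (mine, not JP's and not part of the Honeynet patch) that triages such logs. It assumes the patch writes one syslog line per history entry in the shape `bash: HISTORY: PID=<pid> UID=<uid> <command>`, which to my knowledge is also the line shape bash's own optional SYSLOG_HISTORY build-time feature emits; the sample log lines are constructed, not a real capture. It parses the lines and flags three evasion patterns that the thread describes: spawning another shell or interpreter, passing inline code with `-c`/`-e`, and staging a script in an editor and then running it (after which the keystroke log goes blind).

```python
#!/usr/bin/env python3
"""Triage syslog output from a keystroke-logging bash (Honeynet-style patch).

Added example, not code from the PLUG thread or the Honeynet patch.
Assumed log format (one syslog line per history entry):
    <syslog ts> <host> bash: HISTORY: PID=<pid> UID=<uid> <command line>
Only command text is captured, so we flag the attacker stepping out from
under bash: other shells/interpreters, inline code, or a script that was
written with an editor and then executed.
"""
import os
import re
import shlex
from collections import defaultdict

# Constructed sample input (not a real capture).
SAMPLE_LOG = """\
Sep  1 19:30:50 honeypot bash: HISTORY: PID=2201 UID=1001 w
Sep  1 19:31:02 honeypot bash: HISTORY: PID=2201 UID=1001 cat /etc/passwd
Sep  1 19:31:15 honeypot bash: HISTORY: PID=2201 UID=1001 vi /tmp/.x.pl
Sep  1 19:32:40 honeypot bash: HISTORY: PID=2201 UID=1001 perl /tmp/.x.pl
Sep  1 19:33:01 honeypot bash: HISTORY: PID=2201 UID=1001 python -c 'import os; os.system("id")'
Sep  1 19:33:20 honeypot bash: HISTORY: PID=2201 UID=1001 /bin/dash
Sep  1 19:40:00 honeypot bash: HISTORY: PID=2255 UID=0 ls -la /root
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"bash(?:\[\d+\])?: HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)

# Programs that take the attacker out from under the patched bash (assumed list).
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "php", "tclsh", "lua",
                "awk", "gawk", "sh", "dash", "ksh", "zsh", "csh", "tcsh", "ash", "busybox"}
EDITORS = {"vi", "vim", "nano", "emacs", "ed", "pico", "joe"}
WRAPPERS = {"env", "nohup", "exec", "sudo"}  # skip these to find the real program


def parse_history_lines(text):
    """Parse the assumed HISTORY line format; silently skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["uid"] = int(d["uid"])
            entries.append(d)
    return entries


def _argv(cmd):
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes: attacker typo or truncated log line
        return cmd.split()


def find_evasion(entries):
    """Return one finding dict per suspicious entry, in log order."""
    findings = []
    staged = defaultdict(set)  # pid -> file paths opened in an editor by that shell
    for e in entries:
        argv = _argv(e["cmd"])
        while argv and os.path.basename(argv[0]) in WRAPPERS:
            argv = argv[1:]
        if not argv:
            continue
        prog, args = os.path.basename(argv[0]), argv[1:]
        reason = None
        if prog in EDITORS:
            # Editing alone is not evasion; remember the paths for later.
            staged[e["pid"]].update(a for a in args if not a.startswith("-"))
        elif prog in INTERPRETERS:
            hit = [a for a in args if a in staged[e["pid"]]]
            if hit:
                reason = "runs script staged in editor: " + hit[0]
            elif any(a in ("-c", "-e") for a in args):
                reason = "inline code in " + prog
            else:
                reason = "interpreter/shell spawned: " + prog
        if reason:
            findings.append({"ts": e["ts"], "pid": e["pid"], "uid": e["uid"],
                             "cmd": e["cmd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_evasion(parse_history_lines(SAMPLE_LOG)):
        print(f"{f['ts']} pid={f['pid']} uid={f['uid']} {f['reason']!s:45} | {f['cmd']}")
```

Everything after a flagged line is exactly what the bash patch cannot show you, so in practice these findings are the cue to go to the other data sources the thread mentions (kernel-level capture, or the honeynet's network logs) rather than an end result in themselves.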