JP Vossen on 1 Sep 2007 19:30:50 -0000
JP Vossen wrote:
> To the best of my knowledge there is *no way* to do this without using a modified kernel (or maybe kernel module) that captures keystrokes. This is discussed in _Know Your Enemy_ on pages 38-40 and is probably covered in various places at http://honeynet.org/.

I poked into this a bit more today. The first edition copy of the book I have (copyright 2002) has a CD-ROM with a patch and a pre-compiled (old) bash that looks like it logs keystrokes to a syslog server. The patch on CD says:

    To apply this to a _clean_ bash-2.03 tree you do
    cd /usr/src/redhat/BUILD/bash-2.03
    patch -p0 < filename
    by: Antonomasia <ant@notatla.demon.co.uk>

See these for various versions of the code:
http://web.archive.org/web/*/http://project.honeynet.org/papers/honeynet/bash.patch
http://www.google.com/search?q=%220+means+no+sending+history+to+syslog%22

This avoids the possible DoS of using 'script' or 'screen' since you only get input. But then you still have the issue of using not-bash for evasion. Even if you can remove other shells (which I doubt), you can't get rid of Perl (or Python), so an attacker can fire up an editor and write trivial P* code to evade logging.

Makes me think of the character in Stephenson's Cryptonomicon who needed to read a file without it being intercepted via Van Eck phreaking (AKA Tempest), so he programs his caps-lock key to blink the file to him in Morse code. I suppose a sufficiently determined attacker might be able to place code that would allow him to issue commands via Morse code using Shift, ALT, CTRL or some other key. :-)

http://en.wikipedia.org/wiki/Van_Eck_phreaking
http://en.wikipedia.org/wiki/TEMPEST
http://en.wikipedia.org/wiki/Morse_code

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus and
anti-malware software mandatory. The resulting software arms race has
effectively flattened Moore's Law on hardware running Windows.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
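The bash-to-syslog idea the post describes, as an added example that is not from the post or from the honeynet bash patch: it approximates the patch on an unmodified bash with a DEBUG trap that hands each command line to logger(1), and marks the lines where logging goes dark because control passes to another interpreter or an editor. The record field names and the interpreter list are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the honeynet patch): log every bash command line to
# syslog from an unmodified shell, and flag the evasion the post points out.

# Build one syslog record: pid, uid, tty and the verbatim command line.
# Field names are assumed; the patch's own format is not reproduced here.
format_history_record() {
    local cmd="$1" uid="$2" tty="$3" pid="${4:-$$}"
    printf 'HISTORY: PID=%s UID=%s TTY=%s CMD=%s' "$pid" "$uid" "$tty" "$cmd"
}

# The gap the post describes: logging lives in bash, so once a command hands
# control to another shell, to perl/python, or to an editor, the record goes
# dark. Return 0 for such a line so a reviewer of the syslog stream can mark
# where visibility ended (assumed list of interpreters; extend as needed).
flags_logging_evasion() {
    local line="$1" first
    first="${line%%[[:space:]]*}"   # first word of the command line
    first="${first##*/}"            # drop a leading path: /usr/bin/perl -> perl
    case "$first" in
        sh|dash|ksh|zsh|csh|tcsh|perl|python|python2|python3|ruby|vi|vim|emacs|nano|ed)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# DEBUG-trap handler. The trap passes $BASH_COMMAND (the command about to
# run) as $1; passing it explicitly avoids it changing inside the function.
log_command_to_syslog() {
    local cmd="$1" tty rec
    tty=$(tty 2>/dev/null) || tty="none"
    rec=$(format_history_record "$cmd" "${UID:-$(id -u)}" "$tty")
    logger -p authpriv.info -t bash-history -- "$rec"
    if flags_logging_evasion "$cmd"; then
        logger -p authpriv.notice -t bash-history -- "VISIBILITY-ENDS: $rec"
    fi
}

# Enable in the shell being watched (e.g. from /etc/bash.bashrc):
#   trap 'log_command_to_syslog "$BASH_COMMAND"' DEBUG
```

Like the patch, this only sees what bash itself executes; it says nothing about keystrokes typed into the editor or interpreter that the flagged line started.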