Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run.
Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.
Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.
make
./3snake -h
./3snakeRun in current terminal
./3snake
Run in current terminal and dump output to file
./3snake -o "output_file.txt"
Daemonize and dump output to file
./3snake -d -o "output_file.txt"
Linux, ptrace enabled, /proc filesystem mounted
| Features | X |
|---|---|
| OpenSSH server password auth | X |
| sudo | X |
| su | ~ |
| regex strings from processes | ~ |
| ssh client | ~ |
- Make the process of adding tracers more fluid
- Yubikey: Ask for second yubikey from end users, OpenSSH
- Output mode that only shows usernames/passwords
MIT
@blendin - started the project, wrote almost everything
@rsp3ar - added su, ssh-client tracers
@jkbenaim - minor changes to reduce binary size and remove strings from non-debug builds