When running a shell server, at some point you may find the need to monitor or interact with another user's terminal. A number of kernel-based solutions exist, such as Sebek from The Honeynet Project. I wanted something simpler and more elegant, and a contact suggested I look into ttysnoop. ttysnoop is great: it allows you to selectively "attach" to a target user's terminal, view/interact as you please and detach when you are done. There is no need for a separate data store, any kernel modules or recompiling of any sort. Here is how I set it up to work with SSH on my Gentoo system:
```c
/* Excerpts from the ttysnoop source as used here (originally around lines
   509-517 and 661-665): the sound-playing block and the "bye bye" message
   printed on exit are commented out. */

/*if (InitSound())
{
    DoSound(466, SLEN);    // A#4
    DoSound(622, SLEN);    // D#5
    DoSound(784, SLEN);    // G5
    DoSound(932, SLEN*2);  // A#5
    DoSound(784, SLEN);    // G5
    DoSound(932, SLEN*3);  // A#5
}*/

...

if ((n = read(ptyfd, buff, BUFF_SIZE)) < 1)
{
    //errorf ("bye bye\n");
    exit (0);
}
```

I then compiled and installed the binaries (ttysnoop and ttysnoops) to /sbin. Next I created the /etc/snooptab file with the following single entry:

```
* socket login /bin/login.orig
```

I then moved /bin/login to /bin/login.orig and created a symbolic link from /bin/login to /sbin/ttysnoops:

```sh
# mv /bin/login /bin/login.orig
# ln -s /sbin/ttysnoops /bin/login
```

Next, I modified the command line arguments to agetty in /etc/inittab to reference the original login binary:

```
agetty -l /bin/login.orig
```

I then enabled the UseLogin option in sshd_config and restarted both sshd and init. I also created the ttysnoop spool directory, as that is not done automatically:

```sh
# echo "UseLogin yes" >> /etc/ssh/sshd_config
# /etc/init.d/sshd restart
# init q
# mkdir /var/spool/ttysnoop/
# chmod 700 /var/spool/ttysnoop/
```

At this point ttysnoop is up and running. I did come across one quirk with the control keys. While Ctrl + '\' was working for suspends, Ctrl + '-' was not detaching from the snoop device. I was about to change the TERM_CHAR define when I realized that Ctrl + '/' sends the appropriate key code for me, so you may want to try that key combination if Ctrl + '-' is not working for you.
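The setup above touches a handful of well-known files, which also makes it easy to audit: a replaced /bin/login, a renamed original, /etc/snooptab, the spool directory and the UseLogin directive. The following POSIX shell script is an added example, not part of the original post or of the ttysnoop project. It checks a root directory for those artefacts (the root defaults to /, so the same function can be pointed at a mounted image) and builds a small constructed tree mirroring the steps above to demonstrate the checks. The function and directory names are my own. One caveat: UseLogin was removed from OpenSSH in 7.4, so that particular check only matters for older daemons.

```shell
#!/bin/sh
# Added example: audit a filesystem root for the traces the ttysnoop login
# wrapper setup leaves behind. Not code from the original post.

# check_login_wrapper [ROOT]
# Prints one FINDING line per artefact. Returns 0 when nothing is found,
# 1 when at least one artefact is present. ROOT defaults to "/".
check_login_wrapper() {
    root="${1:-}"
    findings=0

    # 1. /bin/login is normally a regular binary, not a symlink.
    if [ -L "$root/bin/login" ]; then
        echo "FINDING: $root/bin/login is a symlink -> $(readlink "$root/bin/login")"
        findings=$((findings + 1))
    fi

    # 2. A renamed original login binary is a strong hint of a wrapper.
    if [ -e "$root/bin/login.orig" ]; then
        echo "FINDING: $root/bin/login.orig exists (original login renamed?)"
        findings=$((findings + 1))
    fi

    # 3. ttysnoop's own configuration file and spool directory.
    if [ -e "$root/etc/snooptab" ]; then
        echo "FINDING: $root/etc/snooptab present (ttysnoop configuration)"
        findings=$((findings + 1))
    fi
    if [ -d "$root/var/spool/ttysnoop" ]; then
        echo "FINDING: $root/var/spool/ttysnoop present (ttysnoop spool)"
        findings=$((findings + 1))
    fi

    # 4. sshd handing SSH sessions to login(1), which is what lets the wrapper
    #    see SSH logins too. Commented-out lines are ignored.
    if [ -r "$root/etc/ssh/sshd_config" ] &&
       grep -Eiq '^[[:space:]]*UseLogin[[:space:]]+yes' "$root/etc/ssh/sshd_config"; then
        echo "FINDING: UseLogin yes in $root/etc/ssh/sshd_config"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: no login wrapper artefacts under '${root:-/}'"
        return 0
    fi
    echo "$findings artefact(s) found under '${root:-/}'"
    return 1
}

# build_demo_tree
# Creates a constructed directory tree (under mktemp) that mirrors the
# layout the setup above produces, and prints its path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/sbin" "$d/etc/ssh" "$d/var/spool/ttysnoop"
    : > "$d/sbin/ttysnoops"
    : > "$d/bin/login.orig"
    ln -s /sbin/ttysnoops "$d/bin/login"
    printf '* socket login /bin/login.orig\n' > "$d/etc/snooptab"
    printf 'UseLogin yes\n' > "$d/etc/ssh/sshd_config"
    printf '%s\n' "$d"
}

# Usage: run the audit against the constructed tree (safe to run anywhere).
demo=$(build_demo_tree)
check_login_wrapper "$demo" || :
rm -rf "$demo"
```

Running `check_login_wrapper` with no argument audits the live system; pointing it at a mounted image keeps the audit independent of any binaries on the suspect host.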
The Python WMI interface is very cool, as it lets you write small yet functional snippets like the following print-job sniffer:

```python
import wmi

w = wmi.WMI()
watcher = w.watch_for(
    notification_type="Creation",
    wmi_class="Win32_PrintJob",
    delay_secs=1,
)

while True:
    job = watcher()  # blocks until the next Win32_PrintJob instance is created
    print("user: %s" % job.Owner)
    print("printer: %s" % job.Name)
    print("title: %s" % job.Document)
    print("pages: %d" % job.TotalPages)
    print("-" * 80)
```

The above snippet will watch the network for all print jobs and print the owner, document title, printer name and page count. More information about WMI (Windows Management Instrumentation) can be found on MSDN.
I am releasing the source for IDA Sync under the GPL license. IDA Sync is implemented as an IDA Pro plugin and a stand-alone server, for the purpose of allowing multiple analysts to synchronize their reverse engineering efforts. IDA Sync is especially useful when speed-reversing malware. This project still has some quirks that need to be worked out and is being released at pre-production quality in the hope of getting some support from the open source community.