8 ways to spy your consoles
Ivan Agarkov@annmuor
2
$ id
- Doing security since 2003
- Production Security Lead @ Wargaming
- SELinux fan & YAPH
- Know something about spying consoles
3
How I got there
- Who breaks production?
- ssh logs + history correlation = fail
- tried some other ways = this talk
4
Online examples
https://github.com/annmuor/zn2021_8ways
5
Nono way
6
bash_history
How it works
- records commands to the history file on exit
- you may search through your history at any time
- no security features included
7
bash_history
How to avoid
- kill -9 $$ instead of exit/Ctrl+D
- prepend the command with a whitespace
- ln -sf /dev/null ~/.*_history
- invoke mc/screen/another shell
8
Elementary
9
bash debug traps
10
bash debug traps
How it works
- a bash trap on DEBUG calls a function before every command you run
- the $BASH_COMMAND variable contains the command being executed
- you may invoke logger inside the trap function to log $BASH_COMMAND somewhere
11
bash debug traps
PoC
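The slide carries no PoC text, so here is an added example (mine, not the author's): a profile.d fragment that logs every command of an interactive bash session through the DEBUG trap. The syslog tag shell-audit, the fallback log path and the SHELL_AUDIT_FILE override are assumptions of this example.

```shell
# Added example, not from the deck: drop this into /etc/profile.d/ to log every
# command an interactive bash session runs. The tag "shell-audit", the fallback
# log path and the SHELL_AUDIT_FILE override are assumptions of this example.

# Build one log line for a command; kept as a function so it can be exercised
# without an interactive shell. $1 is the command text (normally $BASH_COMMAND).
audit_line() {
    _tty=$(tty 2>/dev/null) || _tty=notty
    printf 'user=%s uid=%s tty=%s pwd=%s cmd="%s"\n' \
        "${USER:-unknown}" "$(id -u)" "$_tty" "$PWD" "$1"
}

# Ship the line: to syslog through logger(1) when it exists, else append to a file.
audit_emit() {
    if command -v logger >/dev/null 2>&1; then
        logger -t shell-audit -p auth.info -- "$1"
    else
        printf '%s\n' "$1" >> "${SHELL_AUDIT_FILE:-/var/log/shell-audit.log}"
    fi
}

# The DEBUG trap is bash-specific and fires before each simple command, with
# $BASH_COMMAND holding that command; install it only in interactive bash.
if [ -n "$BASH_VERSION" ]; then
    case $- in
        *i*) trap 'audit_emit "$(audit_line "$BASH_COMMAND")"' DEBUG ;;
    esac
fi
```

The command substitution inside the trap body runs in a subshell that does not inherit the DEBUG trap, so the logging call itself does not get logged.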
12
bash debug traps
Pro
- Easy to set up (add a line to /etc/profile)
- Hard to detect for a regular shell user
- Easy to collect additional data
- You may use it as a pwn tool
13
bash debug traps
Contra
- Logs commands only; no input/output data is captured
- Easy to avoid
- Bash only
14
bash debug traps
How to avoid
- run trap with no args to clear all traps :)
- invoke a new shell (screen/mc/zsh/csh/etc.) to clear all traps
15
script
16
script
How it works
- The tool creates a new pty and runs a new shell
- All input & output are recorded with timestamps to files
- You may reconstruct the whole session if you want
17
script
Alternatives
- ttyrec (https://github.com/ovh/ovh-ttyrec)
- shelr (https://github.com/antono/shelr)
- make your own in a matter of hours!
18
script
PoC
$ script -B session.data -T session.time
[ … run your shell session here … ]
$ exit
$ scriptreplay -B session.data -T session.time
19
script
Pro
- Full stdin & stdout recording
- Easy to set up via a profile file
- Works with any shell and tool, including *curses ones
- Built-in replay tools
20
script
Contra
- Very easy to detect
- Easy to avoid
- Log file format is difficult to stream
- Session replay takes some time
21
script
How to avoid
- exit via pkill -9 script
- lsof -p $(pidof script) and remove the log files
22
screen
23
screen
How it works
- screen works great as a login shell
- screen provides stdout recording functions
- you can stream logs directly to a log server
24
screen
PoC
$ screen -L -Logfile session.log
( do your stuff here )
$ exit
$ cat session.log
25
screen
Pro
- Easy to set up
- Suid bit in most modern distros (= the user can't remove logs on his own)
- Easy to stream logs
- Needs some skill to avoid
26
screen
Contra
- Easy to detect
- Breaks some apps and may make work harder
- No input recording: no hidden input will be captured
27
screen
How to avoid
- stty -echo
- rsync/scp/sftp to upload a malicious .screenrc with eval/exec
28
sudo
29
sudo
How it works
- sudo has a built-in logging system with both input & output and network logging support
- you may invoke sudo as a login shell via a simple script
- sudo runs as root, so there is no way for a regular user to prevent logging
30
sudo
PoC
# cat /etc/sudoers.d/test1
test1 ALL=(test1) LOG_INPUT:LOG_OUTPUT:NOPASSWD: ALL
# cat /etc/passwd | grep test1
test1:x:1001:1001::/home/test1:/usr/local/bin/sudo-shell
# cat /usr/local/bin/sudo-shell
#!/bin/sh
# login shell wrapper: re-enter bash as the same user through sudo so I/O logging applies
sudo -u "$USER" /bin/bash "$@"
31
sudo
Pro
- No way to avoid for a non-root user
- Network logging makes it very reliable
32
sudo
Contra
- Not so easy to configure properly
- Easy to detect by $SUDO_* vars
- Requires special tools for log review
33
sudo
How to avoid
- root exploits only (if configured properly)
34
Intermediate
35
linux audit
36
linux audit
How it works
- the linux kernel traces every syscall you want to trace and sends the data to auditd
- you may collect data from audit.log or via the audisp multiplexer
- pam_tty_audit does the same for user tty input in interactive sessions
37
linux audit
PoC
# auditctl -a always,exit -F arch=b64 -S execve -F euid=0
# cat /var/log/audit/audit.log | grep -P '(SYSCALL|EXECVE)'
...
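As an added example (not the deck's own), here is a shell helper that joins the SYSCALL and EXECVE records the grep above prints by their audit event id, so each execve shows up as one line with the login uid (auid), the effective uid and the full argv. The audit.log lines in the block are constructed for the example.

```shell
# Added example, not from the deck: correlate SYSCALL and EXECVE records of
# audit.log by the event id in msg=audit(timestamp:id). The sample log lines
# are constructed; real records carry more fields, which the script ignores.

# Print one line per execve event, sorted by event id.
execve_report() {   # usage: execve_report /var/log/audit/audit.log
    awk '
    # event id = text between "audit(" and the first ")"
    function evid(s,  i, j) {
        i = index(s, "audit(") + 6; j = index(s, ")"); return substr(s, i, j - i)
    }
    /^type=SYSCALL / {
        id = evid($0)
        for (k = 1; k <= NF; k++) {
            n = index($k, "="); key = substr($k, 1, n - 1); val = substr($k, n + 1)
            if (key == "auid" || key == "uid" || key == "comm") {
                gsub(/"/, "", val)        # comm="cat" -> cat
                info[id, key] = val
            }
        }
    }
    /^type=EXECVE / {
        id = evid($0); argv = ""
        for (k = 1; k <= NF; k++)
            if ($k ~ /^a[0-9]+=/) {
                val = substr($k, index($k, "=") + 1)
                gsub(/"/, "", val)        # args with spaces are hex-encoded and stay raw
                argv = (argv == "" ? val : argv " " val)
            }
        args[id] = argv
    }
    END {
        for (id in args)
            if ((id, "comm") in info)
                printf "id=%s auid=%s uid=%s comm=%s argv=%s\n",
                       id, info[id, "auid"], info[id, "uid"], info[id, "comm"], args[id]
    }' "$1" | sort
}

# Constructed sample: a login user (auid=1001) running commands as root (uid=0),
# which is what the "-F euid=0" rule above catches. Two events.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1617000000.100:301): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1617000000.100:301): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1617000000.200:302): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4002 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1617000000.200:302): argc=3 a0="ls" a1="-l" a2="/root"
EOF
execve_report "$SAMPLE_LOG"
```

The auid field survives sudo and su, which is why the report keys on it rather than on uid alone.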
38
linux audit
PoC # 2
# echo "session required pam_tty_audit.so enable=*" >> /etc/pam.d/system-auth
<login>
# aureport --tty
...
39
linux audit
Pro
- kernel-level tracing: no way to cheat
- no way to detect for a non-root user
- collect everything you want: files, networking, special commands
40
linux audit
Contra
- Software development is a must
- Inefficient rules may cause high CPU usage
41
linux audit
How to avoid
- root exploits only
42
SELinux
43
SELinux
How it works
- SELinux has auditallow rules that add everything they allow to the log file
- You may use them to audit everything the user does with your custom policy
- Once it's allowed, it's logged. Once it's disabled, it's denied.
44
SELinux
PoC
- Look for auditallow * github examples
- Or attend my workshop later today
45
SELinux
Pro
- Built-in audit subsystem that logs everything at no cost
- Kernel-level tracing: no way to cheat
- Collects literally everything
- Even root can hide nothing (if SELinux is in good shape)
46
SELinux
Contra
- SELinux is a must (= you need a good SELinux operator)
- Software development is a must
- No examples on the Internet: you should invent your own way
47
SELinux
How to avoid
- Custom-made kernel exploits only
48
Advanced
49
LD_PRELOAD
How it works
- The library is injected into every dynamically linked binary
- You may replace any library function with your own to record some stuff before passing the arguments to the real function
- You may also hide your presence (in userspace) :)
50
LD_PRELOAD
PoC
search for LD_PRELOAD on the Internet (a small example exists on my GitHub)
51
LD_PRELOAD
Pro
- Grab what you need / ignore what you don't need
- Easy rootkit for pwned systems / no root needed for setup
- Hard to detect for a regular user
- You may add it to /etc/ld.so.preload to make it global
52
LD_PRELOAD
Contra
- Software development is a must
- Not working with suid binaries
- Not working with static binaries
- May break something (= you shall be very careful)
53
LD_PRELOAD
How to avoid
- unset the LD_PRELOAD variable
- run binaries through /lib/ld-linux.so.2
- upload statically linked tools
54
LKML/eBPF
How it works
- You may grab data from any syscall/kernel function to record some stuff
- You may also hide your presence :)
55
LKML/eBPF
PoC
- (google samples on the Internet)
- https://github.com/iovisor/bpftrace
- more of that
56
LKML/eBPF
Pro
- You may track any user activity
- No way to detect your code
- Very reliable and secure solution
57
LKML/eBPF
Contra
- Software development is a must
- Deep kernel knowledge is a must
- You can brick the whole system in a moment
- You need to alter the code for different kernels
58
LKML/eBPF
How to avoid
- No way if done properly
59
Summary
60
Summary
method   setup      detect      replay     avoid
debug    very easy  easy        moderate   very easy
script   easy       very easy   very easy  easy
screen   easy       very easy   easy       hard
sudo     moderate   easy        very easy  impossible
audit    hard       hard        hard       impossible
selinux  moderate   hard        hard       impossible
ld       hard       moderate    moderate   hard
lkml     hard       impossible  moderate   impossible
61
What we’ve learned today
Spying consoles is easy
- You can set this up within an hour
- Most users will never spot they're being watched
- Go and grab their logs!
62
What we’ve learned today
Avoiding being watched is hard
- Some methods are undetectable
- Some methods are unavoidable until you're root
- Some methods are unavoidable even if you're root
63
What we’ve learned today
Watch your steps
- Nothing you're typing on is secure
- Your shell may spy on you right now :)
QUESTIONS?
THANKS FOR ATTENTION