A specialized tool developed as a workaround for environments where standard monitoring tools like strace are unavailable. This tool captures SSH protocol data using library preloading when conventional system call tracing isn't possible.
This tool was developed during a CTF challenge where:
- Standard tools like
stracewere not available - System had
ptrace_scope = 1(restricted ptrace capabilities) - Needed to analyze SSH authentication attempts in a MITM scenario
The tool uses LD_PRELOAD to hook into read/write operations, providing similar functionality to:
strace -f -p <PID> -e trace=write,read -o capturebut without requiring strace or ptrace access.
- Captures both read and write operations
- Works without requiring
strace/ptrace - Functions in restricted environments
- Real-time protocol monitoring
- Clean, readable output format
-
Linux environment
-
GCC compiler
-
Root access
-
Basic development tools:
apt-get install build-essential
-
Clone the repository:
git clone https://github.com/yourusername/ssh-monitor.git cd ssh-monitor -
Compile the shared library:
gcc -shared -fPIC monitor.c -o monitor.so -ldl
-
Prepare the log file:
touch /tmp/ssh_capture.log chmod 666 /tmp/ssh_capture.log
-
Run SSH daemon with the monitor:
LD_PRELOAD=/absolute/path/to/monitor.so /usr/sbin/sshd -D
-
View the captured data:
tail -f /tmp/ssh_capture.log
[Timestamp] read(6, "SSH protocol data")
[Timestamp] write(6, "Username")
[Timestamp] read(6, "Password")
[Timestamp] write(6, "Authentication response")This tool is particularly useful when:
- Standard monitoring tools (
strace,ltrace, etc.) are unavailable - System has restricted debugging capabilities
- Need to analyze SSH protocol behavior
- Working in CTF or testing environments
- Standard process tracing is blocked
The tool works by:
- Hooking
libcread/write functions - Capturing data before it reaches the SSH daemon
- Logging operations with timestamps
- Formatting output for readability
- Requires root access
- Must be preloaded with SSH daemon
- Only captures read/write operations
- Needs to be started with the SSH service
- For educational/testing purposes only
- Use in controlled environments
- Not for production systems
- Follow responsible disclosure practices
- Respect privacy and security guidelines
Common issues:
- "Permission denied": Run with sudo/root
- "No output": Check log file permissions
- "Library not loaded": Verify absolute path in
LD_PRELOAD
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
This project is licensed under the MIT License.
This tool is for educational purposes only. Users are responsible for ensuring compliance with local laws and regulations regarding network monitoring and security testing.
Originally developed for a CTF challenge where standard monitoring tools were unavailable. Special thanks to the security community for insights into library preloading techniques.