Skip to content
Tool for extracting information from newly spawned processes
C Makefile C++
Branch: master
Clone or download
Latest commit 326eec0 Jan 24, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Add support for ssh clients Jan 7, 2019
.gitignore gitignore build files Feb 10, 2018
LICENSE first commit Feb 7, 2018
Makefile Add support for ssh clients Jan 7, 2019
README.md

README.md

3snake - dump sshd and sudo credential related strings

About

Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run.

Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.

Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.

3snake

Build

make
./3snake -h
./3snake

Usage

Run in current terminal ./3snake

Daemonize and dump output to file ./3snake -d -o "/tmp/output_file.txt"

Configuration

Located in config.h

  • ROOT_DIR - root directory when daemonized (relative file paths for -o option will end up here)
  • ENABLE_SSH - OpenSSH server password auth
  • ENABLE_SUDO - sudo password auth
  • ENABLE_SU (experimental) - su password auth
  • ENABLE_SSH_CLIENT (experimental) - ssh client password auth

Limitations

Linux, ptrace enabled, /proc filesystem mounted

Todo

Features X
OpenSSH server password auth X
sudo X
su X
regex strings from processes ~
ssh client X
  • Make the process of adding tracers more fluid
  • Yubikey: Ask for second yubikey from end users, OpenSSH
  • Output mode that only shows usernames/passwords

License

MIT

You can’t perform that action at this time.