Questions about modules

[AlessandroZ]

Hi,

I have some questions regarding few modules. If you added it, it may be for a good reason that I cannot see right now. I don't want to modify/delete it, just to understand their goal and when do you use it (for my curiosity).

• usniper: do you realize reverse engineering tracing some functions calls on a remote host ? Or in which case, will you use it ? Moreover, I see that you retrieve the result from trace_pipe file whereas in the doc I see than it's located on /sys/kernel/debug/tracing/trace.

• exposed commands will return all functions calleable from the client. Is it for debug purpose or do they are useful for something ?

• display: I don't know exactly how it works. If I have well understood, using the magic cookie is possible to connect to an X11 server (I didn't kwow the existence of that cookie) but I didn't find an easy example to understand how it works, if you could help me on that, it will be nice. On my desk, display module works for root user, but failed for unprivilege user. It retrieves the path of the file but cannot open it ([Errno 13] Permission denied: '/var/run/lightdm/root/:0'). However, it could be find on the home of the current user without any specific privilege needed and the content is the same (diff /var/run/lightdm/root/:0 /home/test/.Xauthority).

• alive: I wanted to implement a module as cobalt strike does with its sleep command, it sleeps the client for a wanted period of time. It will reduce the network trafic during that time. When the sleep is over, the client connects back to us. At first, I thought the alive module implemented this feature when I saw 'ping' and 'timeout', but no, I was wrong. I don't understand very well how it works.

Thanks a lot to help me better understanding some unclear points.

[alxchk]

usniper

On recent kernel it allows to globally "sniff" values in explicit points in program or library. Example - you can sniff ssh password during copying from one register to another. It will be zeroed immediately after that, so memory dump at arbitrary time will not work. There is no script-kiddy friendly way of using this.

exposed

For debug. To check what is leaked to client

display

Tries to find Xauthority file and available X displays. This can be used to attach to X session from instance which was started from some other context.

alive

Keep-alive thing. Useful when network kills connections without network communication. For example some proxies kill connection if there is no data exchange in 5-10 secs.

[AlessandroZ]

Thanks a lot for your answers. :+1:

usniper

On recent kernel it allows to globally "sniff" values in explicit points in program or library. Example - you can sniff ssh password during copying from one register to another. It will be zeroed immediately after that, so memory dump at arbitrary time will not work. There is no script-kiddy friendly way of using this.

Do you have the name of the function to monitor for ssh creds ? I didn't know this technic. It seems much more stable than backdoring pam.

[alxchk]

I didn't know this technic

This is homemade.. :D

It seems much more stable

It can crash your kernel )

than backdoring pam.

Backdoring for what? In case of password auth plaintext password stored in sshd anyway. You can use hashmon to find it ^^

Do you have the name of the function to monitor for ssh creds ?

It's a bit harder. I'll try to record a short video (or some screenshots) for you, in case you are interested in ^^

[alxchk]

https://asciinema.org/a/3JG9XmYsxseHP5GOzpcrEnWUF

[AlessandroZ]

Awesome, very cool and very interesting technique. Thanks a lot !!!!