[ILUG] SSH dictionary attacks.
Badger
badger at scattermail.com
Thu Aug 24 17:08:41 IST 2006
I was generalising when I said "keystroke logger of sorts" - I was
actually thinking about some sort of simple logger that you could run
out of .bash_profile when the user logs in. Alternatively, it could
be a wrapper for ssh that you place in the user's ~/.bin and change their
$PATH. In such cases you wouldn't require extra privileges.

I take your point about detection though. It certainly carries a lot
more noise than making a copy of the user's ssh key file.
On Thu, Aug 24, 2006 at 04:33:57PM +0100, paul at clubi.ie wrote:
> On Thu, 24 Aug 2006, Badger wrote:
>
> >If they can compromise the client then they could install a
> >keystroke logger of sorts and pick up the ssh password when ssh keys
> >are not being used.
>
> The keylogger attack:
>
> - requires privileges
> (the ssh key could be retrieved by breaching just the unprivileged
> user account)
>
> - can either be detected or removed quite easily
>
> - if it only modifies memory, a reboot and the logger is gone
>
> - if it modifies filesystem to reinsert itself after reboot
> then a boot from other media would allow one to detect the
> logger.
>
> The ssh key file can be stolen without the user ever noticing.
>
> regards,
> --
> Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
> Fortune:
> Famous Original Ray's Superior Court
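A detection check for the ssh wrapper placed in `~/.bin` and picked up through `$PATH`, as discussed in this thread. This is an added example, not part of either poster's message. It lists every `ssh` on `$PATH` in lookup order and flags any copy whose file or directory is not owned by a trusted uid (root by default, an assumption) or is group- or world-writable. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def path_hits(cmd, path, trusted_uids=(0,)):
    """Every executable named cmd on path, in lookup order, with trust findings."""
    hits = []
    for d in path.split(os.pathsep):
        d = d or "."  # an empty PATH entry means the current directory
        candidate = os.path.join(d, cmd)
        if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
            continue
        findings = []
        for target in (d, candidate):
            st = os.stat(target)
            if st.st_uid not in trusted_uids:
                findings.append(f"{target}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{target}: group- or world-writable")
        hits.append((candidate, findings))
    return hits

def shadowed(cmd, path, trusted_uids=(0,)):
    """True when the copy the shell would run (the first hit) fails the checks."""
    hits = path_hits(cmd, path, trusted_uids)
    return bool(hits) and bool(hits[0][1])

def build_sample_tree():
    """Constructed sample: a per-user .bin and a stand-in system bin, each with 'ssh'."""
    root = tempfile.mkdtemp()
    dirs = {}
    for name in (".bin", "sysbin"):
        dirs[name] = os.path.join(root, name)
        os.mkdir(dirs[name], 0o755)
        exe = os.path.join(dirs[name], "ssh")
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(exe, 0o755)
    return dirs

if __name__ == "__main__":
    # Audit the real environment: report each ssh on PATH and why it is suspect.
    for candidate, findings in path_hits("ssh", os.environ.get("PATH", "")):
        print(candidate, "OK" if not findings else "; ".join(findings))
```

Run as the user being audited, the first line of output is the binary the shell would actually execute; a user-owned first hit ahead of the system copy is the condition to investigate.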