Terminal Snooping (2005-03-31)

When running a shell server, at some point you may find the need to monitor or interact with another user's terminal. A number of kernel-based solutions exist, such as Sebek from The Honeynet Project. I wanted something simpler and more elegant, and a contact suggested I look into ttysnoop. ttysnoop is great: it allows you to selectively "attach" to a target user's terminal, view/interact as you please and detach when you are done. There is no need for a separate data store, any kernel modules or recompiling of any sort. Here is how I set it up to work with SSH on my Gentoo system:

First, I commented out the block of code responsible for the annoying startup sound and the line that prints "bye bye" when users close their session from ttysnoops.c:

    /* ttysnoops.c, startup sound block (around the original line 509) */
    /*if (InitSound())
    {
        DoSound(466, SLEN);     // A#4
        DoSound(622, SLEN);     // D#5
        DoSound(784, SLEN);     // G5
        DoSound(932, SLEN*2);   // A#5
        DoSound(784, SLEN);     // G5
        DoSound(932, SLEN*3);   // A#5
    }*/

    /* ttysnoops.c, session-close message (around the original line 661) */
    if ((n = read(ptyfd, buff, BUFF_SIZE)) < 1)
    {
        //errorf ("bye bye\n");
        exit (0);
    }

I then compiled and installed the binaries (ttysnoop and ttysnoops) to /sbin. Next I created the /etc/snooptab file with the following single entry:

    * socket login /bin/login.orig

I then moved /bin/login to /bin/login.orig and created a symbolic link from /bin/login to /sbin/ttysnoops:

    # mv /bin/login /bin/login.orig
    # ln -s /sbin/ttysnoops /bin/login

Next, I modified the command line arguments to agetty in /etc/inittab to reference the original login binary:

    agetty -l /bin/login.orig

I then enabled the UseLogin option in sshd_config and restarted both sshd and init. I also created the ttysnoop spool directory as that is not done automatically:

    # echo "UseLogin yes" >> /etc/ssh/sshd_config
    # /etc/init.d/sshd restart
    # init q
    # mkdir /var/spool/ttysnoop/
    # chmod 700 /var/spool/ttysnoop/

At this point ttysnoop is up and running. I did come across one quirk with the control keys. While Ctrl + '\' was working for suspends, Ctrl + '-' was not detaching from the snoop device. I was about to change the TERM_CHAR define when I realized that Ctrl + '/' sends the appropriate key-code for me, so you may want to try that key combination if Ctrl + '-' is not working for you.
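
To check which chord actually delivers ttysnoop's TERM_CHAR on your own terminal, here is an added probe (my code, not part of ttysnoop) that switches the terminal to raw mode and prints the byte each keypress sends. It assumes a POSIX termios terminal and that TERM_CHAR is the ASCII 0x1F control character (Ctrl-_), which you should confirm against the define in the ttysnoop source.

```c
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* ASCII control code a plain Ctrl+<key> chord produces: the key's low 5 bits.
 * Ctrl-_ (Ctrl+Shift+-) gives 0x1F and Ctrl-\ gives 0x1C (the SIGQUIT char).
 * Chords whose key has no control counterpart are remapped by the terminal
 * emulator, which is why the post found Ctrl-/ working where Ctrl-- did not. */
int ctrl_code(int key)
{
    return key & 0x1F;
}

/* Caret notation for a received byte, e.g. "^_" for 0x1F, "^?" for DEL. */
const char *caret_name(int byte, char buf[4])
{
    if (byte < 0x20) {
        buf[0] = '^'; buf[1] = (char)(byte + '@'); buf[2] = '\0';
    } else if (byte == 0x7F) {
        buf[0] = '^'; buf[1] = '?'; buf[2] = '\0';
    } else {
        buf[0] = (char)byte; buf[1] = '\0';
    }
    return buf;
}

/* Read keystrokes in raw mode and print the byte each chord delivers. */
int main(void)
{
    struct termios saved, raw;
    unsigned char c;
    char name[4];

    if (tcgetattr(STDIN_FILENO, &saved) != 0) {
        perror("tcgetattr (stdin must be a terminal)");
        return 1;
    }
    raw = saved;
    raw.c_lflag &= ~(ICANON | ECHO | ISIG); /* no line buffering, echo or ^C/^\ signals */
    raw.c_iflag &= ~(IXON | ICRNL);         /* deliver ^S/^Q and CR as plain bytes */
    tcsetattr(STDIN_FILENO, TCSANOW, &raw);

    printf("Press the chord to test (q to quit):\n");
    while (read(STDIN_FILENO, &c, 1) == 1 && c != 'q')
        printf("byte 0x%02X (%s)\n", c, caret_name(c, name));

    tcsetattr(STDIN_FILENO, TCSANOW, &saved); /* always restore the terminal */
    return 0;
}
```

Run it in the same terminal emulator you snoop from; a chord that prints 0x1F (^_) is the one that will detach.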

Python WMI (2005-03-10)

The Python WMI interface is very cool as it lets you write small yet functional snippets like the following print-job sniffer:

    import wmi

    # Connect to the default (local) WMI namespace.
    w       = wmi.WMI()
    # Subscribe to creation events for Win32_PrintJob, polling once a second.
    watcher = w.watch_for(
        notification_type = "Creation",
        wmi_class         = "Win32_PrintJob",
        delay_secs        = 1)

    while True:
        job   = watcher()       # blocks until the next new print job appears
        owner = str(job.Owner)

        print("user:    %s" % owner)
        print("printer: %s" % job.Name)
        print("title:   %s" % job.Document)
        print("pages:   %d" % job.TotalPages)
        print("-" * 80)

The above snippet will watch the network for all print jobs and print the owner, document title, printer name and page count. More information about WMI (Windows Management Instrumentation) can be found on MSDN.

Collaborative Reverse Engineering (2005-03-01)

I am releasing the source for IDA Sync under the GPL license. IDA Sync is implemented as an IDA Pro plugin and a stand-alone server, for the purpose of allowing multiple analysts to synchronize their reverse engineering efforts. IDA Sync is especially useful when speed reversing malware. This project still has some quirks that need to be worked out and is being released at pre-production quality in hopes of getting some support from the open source community.

Metakit, if you haven't heard of it, is an extremely useful, lightweight and efficient embeddable database library. I use it in many of my internal projects, including IDA Sync, which was released today. In the process of bundling IDA Sync, I found that the latest Python bindings are not compatible with Python 2.4. After some googling I still couldn't find the appropriate binding, so I bit the bullet and did the compile myself. To save others the effort, I am making it available here.

Metakit Python 2.4 Windows Bindings