UGN Security


Posted By: spectre

Key-Wrapper - 05/31/03 01:12 PM

Note: this is talking about the *nix OSes.

Alright, now there are keyloggers and TCP-IP wrappers. (UDP too, I guess.) So here goes my question.

I was reading a past issue of 2600, volume 19 number 3, that discussed creating a fake game in order to trick a new user into giving the game their root password. For example, it would go like this (the output):

Error 14: flexer.dll not found
Fatal Error: Dropping to guest shell
Please su back to root.
$su root

That's where the Key-Wrapper would come in. In this case, the game didn't ACTUALLY drop, but instead it simply is faking the new user into thinking there was a fatal error and giving the "game" their root password. Most advanced users would look at this and think it queer, but who knows how awake they are when they use it (3:00am Linux game sessions. I think you know what I mean).

So what I was wondering is how to insert the equivalent of a TCP-Wrapper into your own system for keyboard input. After the information has been "input" (Carriage Return I guess...), the Wrapper would kick up, look at the information and where it is being sent. It would then have some sort of output:

Information "password" being sent to PID 779. Is this okay (Y/N)?

Maybe not even PID, but the actual program name. That way, if this situation did come around where you didn't know whether it was a real shell or a fake shell, this program would tell you "hey, sensitive data is being sent to this program!".

The program could be as simple as to simply check every single input with program arguments ('keywords' that the user wants under careful watch such as passwords) and if they match, have that output. Or it could have that output for every single input.

Now I could do all of the above except for one part, the most difficult one in my mind. How do I place the wrapper so it intercepts these inputs? Would I have to code it through the kernel, changing some of that information, or is there some system call I can change?

My idea now is to change the PATH location of the shell to my code. Then the code forwards the information to the shell and back or something -- but that's too upfront and in your face. I want a transparent program that scans in the background. I know that for a TCP-IP wrapper you can change the tcpd in inetd.conf (or xinetd) for the wrapper code. Is this possible with my kind of code?

an example wrapper:

Much thanks in advance (and tell me if it doesn't make any sense)
Posted By: spectre

Re: Key-Wrapper - 06/01/03 02:56 AM

In case you care, I found the article. It's in 19.3, page 14. Coded by [email protected]_Rose. Just in case you cared...
Posted By: SilentRage

Re: Key-Wrapper - 06/12/03 08:16 PM

So what's the question. If something is possible? Practically anything is possible. The answer is yes.
Posted By: visage

Re: Key-Wrapper - 06/13/03 12:13 AM

Naw. I just was hoping you would code it for me wink

What I really want to know is where I would place a wrapper like that. I guess it requires knowledge of how the Linux kernel works -- which I don't. So I guess my question is more Linux related than code related: how does Linux handle input from shells?

Maybe I should just create my own secure shell... :-\
Posted By: SilentRage

Re: Key-Wrapper - 06/13/03 01:11 AM

To intercept internet traffic and perhaps filter it you'd need to hook the ethernet card. The concept is the same whether you use Windows or Linux. The implementation may differ though. Regardless, it is essentially a purpose-specific firewall. Does that answer your question?
Posted By: visage

Re: Key-Wrapper - 06/13/03 02:57 AM

I think you misunderstood my question. I didn't want a TCP wrapper. I could do that easily by putting it in inetd.conf.

I want a text-wrapper that takes whatever you are inputting in the keyboard (before you hit enter or something at shell) and scans it against a bunch of specific, crucial words. Like, a root password or something so that you can only type in the root password into a pid that is a child of an SU or something.

Do you understand now?
Posted By: pergesu

Re: Key-Wrapper - 06/13/03 10:36 AM

That's the same concept as a keylogger dude. Find one and look at the code.
Posted By: SilentRage

Re: Key-Wrapper - 06/13/03 12:50 PM

*understands now*

A key-logger is not exactly what he's looking for since he doesn't want to scan ALL keys, just msgs sent to the shell. If it was a keylogger, he would have to try to not scan text input in an email or word processor etc. Also, what if the msg was sent to the shell via a program rather than the keyboard? He may want to filter that as well, dunno.

Is it possible? Yes. I do not know enough of the Linux OS to know how programs handle input; how they receive keystrokes and mouse messages etc. However, the technique would involve hooking the shell's input stream, which should be the same as hooking any running program's input stream on Linux. I can't code it, I don't know how it's done, or from the top of my head - how to learn. But I do know it's possible.

And just because I feel like being a cynic, I don't find much use for a program like that. Security checks made at the prompt, and no place else. A purpose specific firewall would be infinitely more useful, and probably already exists. After all, who cares if a program records your password if it never leaves your computer.

*reads first post again*

Although, maybe you DO want to intercept traffic sent to other programs (ie keylogger). Just because typing it at the commandline doesn't mean it goes through the shell. In the example above the shell never sees the password, it is the program emulating the shell. So a keylogger or a firewall is the better option.
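The check asked for in the first post (name the program that is about to receive what you type) can be made on Linux without intercepting any keystrokes, by reading which process group holds the terminal's foreground from /proc. The following is an added example, not code from this thread or from the 2600 article; the trusted-path list, the sample process lines, the path /home/newuser/game/run and the terminal number are assumptions constructed for illustration (PID 779 echoes the prompt in the first post).

```python
import os

# Assumption: binaries this user accepts typing a password into.
TRUSTED_EXES = {"/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}

def parse_stat(line):
    """Parse /proc/<pid>/stat. comm may contain spaces or ')', so cut at the LAST ')'."""
    lpar, rpar = line.index("("), line.rindex(")")
    rest = line[rpar + 1:].split()  # state ppid pgrp session tty_nr tpgid ...
    return {"pid": int(line[:lpar]), "comm": line[lpar + 1:rpar],
            "pgrp": int(rest[2]), "tty_nr": int(rest[4]), "tpgid": int(rest[5])}

def check_prompt(procs, tty_nr):
    """Report (pid, comm, exe, trusted) for each process in the terminal's
    foreground process group, i.e. the ones that receive what is typed."""
    report = []
    for stat_line, exe in procs:
        p = parse_stat(stat_line)
        if p["tty_nr"] == tty_nr and p["pgrp"] == p["tpgid"]:
            # comm is chosen by the process itself; judge by the executable path.
            report.append((p["pid"], p["comm"], exe, exe in TRUSTED_EXES))
    return report

def live_snapshot():
    """Collect (stat_line, exe) pairs from a real Linux /proc."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/stat") as f:
                stat_line = f.read()
        except OSError:
            continue  # process exited while we were scanning
        try:
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            exe = "?"  # kernel thread or another user's process
        procs.append((stat_line, exe))
    return procs

# Constructed sample: terminal pts/0 (tty_nr 34816); a login shell and a
# program that named itself "su" but runs from a home directory.
SAMPLE = [
    ("700 (bash) S 699 700 700 34816 779 4194304", "/bin/bash"),
    ("779 (su) S 700 779 700 34816 779 4194304", "/home/newuser/game/run"),
]

if __name__ == "__main__":
    for pid, comm, exe, ok in check_prompt(SAMPLE, 34816):
        print(f"Input on this terminal goes to PID {pid} ({comm}, {exe}): "
              + ("expected" if ok else "NOT a trusted password program"))
```

Run it from a second terminal against the suspect one, since anything printed inside the suspect terminal can be produced by the same program that is faking the prompt.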