paint-brush
How I’ve captured all passwords trying to ssh into my server!by@garciaj.uk
16,248 reads
16,248 reads

How I’ve captured all passwords trying to ssh into my server!

by Short Tech StoriesDecember 2nd, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

By default ssh logs out ssh attempts , wether they’re successful or not , what it doesn’t do by default is log out the passwords they’ve tried.

Company Mentioned

Mention Thumbnail
featured image - How I’ve captured all passwords trying to ssh into my server!
Short Tech Stories HackerNoon profile picture

By default ssh logs out ssh attempts , wether they’re successful or not , what it doesn’t do by default is log out the passwords they’ve tried.

So i thought it would be a good idea to slightly modify ssh to log them passwords too.

So here we go , you will need to quickly compile openssh , zlib and openssl

Note you have to have build essentials gcc glibc-devel and others…

Nothing to note up there other than:

sed -e 's/struct passwd \* pw = authctxt->pw;/logit("Honey: Username: %s Password: %s", authctxt->user, password);\nstruct passwd \* pw = authctxt->pw;/' -i auth-passwd.c

I am basically injecting a little logit() call before the struct definition , check the code of auth-passwd.c if you wanna know more about it.

So that will compile zlib , openssl and openssh and will prefix it all to

/opt/openssh2

You can start openssh as follows:

/opt/openssh2/dist/sbin/sshd -f /opt/openssh2/dist/etc/sshd_config

That should get the daemon going , and you can try a few fake attempts to login over ssh:

After 10 hours , the results are quite interesting:

First , countries that i got hits from: (Thanks to ipheatmap.azurewebsites.net)

Countries that sshed to my box

























































"HR Pula""CN Wuchuan""KR Seoul""DE Frankfurt am Main""NL ""CN Shenzhen""RU Yekaterinburg""RU Nyagan""US Boydton""CN Kunshan""CN Hefei""TH Kamphaeng Phet""CN Beijing""HK Hong Kong""IL Tel Aviv""FR ""PL Inowrocław""PL Krakow""IT Giugliano in Campania""FR Paris""GB London""VN Hanoi""VN Hanoi""VN Hanoi""CN Zhengding""CN Dongyangshi""CN Qingdao""CN Bengbu""CN Shanghai""US Los Angeles""IN Bengaluru""KR Seoul""KR Bucheon-si""KR Yangsan"" ""JP ""CL ""FR ""JP Tokyo""US Buffalo""HK ""CN Lianyungang""CN Beijing""US Chicago""AR Villa Allende""US Piscataway""AL ""BR Recife""IT Soci""CO Bucaramanga""AR ""TR Ağrı""FR ""CA Montreal""MY Kuala Selangor""FR Ivry-sur-seine""FR "

(Thanks to ipinfo.io) (you can curl it and jq it)

So now the most frequent passwords!







































46 password43 12345636 123429 admin29 1234517 abc12316 root11 support10 test10 1239 ubnt9 fucker9 fake8 raspberry8 guest8 admin1237 password1237 default7 1234567896 user6 alpine6 123456786 1111115 wubao5 ubuntu5 raspberrypi5 manager5 git5 12345674 system4 operator4 mysql4 14 00000043 waldo3 tomcat3 postgres3 pi

And the most used users were:(counting the attempts)


























1689 root72 admin31 test24 postgres21 jenkins14 user13 mysql12 support12 fake11 nagios11 deploy10 oracle10 guest9 mother9 hadoop8 vagrant8 tomcat8 pi8 git7 ubuntu6 zabbix6 weblogic6 user16 debian6 backup5 prueba

I’m gisting the full thing , so you can find look your fav password in there :)