Saturday, 21 July 2012

typescript ssh sessions

Recently, I have found myself doing some investigative work on potentially compromised machines. Since I am more used to the opposite position, I have been finding new tools and techniques. Among others, I have found the interesting `script` command, which can be used to prove which actions were taken on a given machine by an investigator. When executed, `script` starts a new shell and keeps a record of all characters printed to the screen. The output is saved to the file passed as argument, and may be viewed using `cat`.
One interesting feature is the ability to capture an ssh session:


[root@web0 ~]# script 192_168_1_38_me_ssh.script -c 'ssh me@192.168.1.38' 
(...)
[root@web0 ~]# exit 
[root@web0 ~]# cat 192_168_1_38_me_ssh.script | cut -c1-75
Script started on Sat 21 Jul 2012 05:34:03 PM WEST
me@192.168.1.38's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/
Last login: Sat Jul 21 17:30:25 2012 from 192.168.1.37
me@minibuntu:~$ ls -lat /
total 84
drwxr-xr-x 14 root root   500 Jul 21 17:34 run
drwxrwxrwt  4 root root  4096 Jul 21 17:28 tmp
drwxr-xr-x 14 root root  4040 Jul 21 17:27 dev
drwxr-xr-x 81 root root  4096 Jul 21 17:27 etc
drwxr-xr-x 13 root root     0 Jul 21 17:27 sys
dr-xr-xr-x 72 root root     0 Jul 21 17:27 proc
drwxr-xr-x 11 root root  4096 Jul 21 17:27 var
drwxr-xr-x  4 root root  4096 May 20 04:24 opt
drwx------  3 root root  4096 May 20 02:47 root
drwxr-xr-x  3 root root  4096 May 18 23:24 home
drwxr-xr-x  2 root root  4096 May 18 23:23 sbin
drwxr-xr-x  3 root root  4096 May 18 23:23 boot
drwxr-xr-x  2 root root  4096 May 18 23:18 bin
drwxr-xr-x 20 root root  4096 May 18 23:18 lib
drwxr-xr-x 22 root root  4096 May 18 22:56 .
drwxr-xr-x 22 root root  4096 May 18 22:56 ..
lrwxrwxrwx  1 root root    33 May 18 22:56 vmlinuz -> boot/vmli
lrwxrwxrwx  1 root root    37 May 18 22:56 initrd.img -> /boot/
drwxr-xr-x 10 root root  4096 May 18 22:43 usr
drwxr-xr-x  2 root root  4096 May 18 22:43 srv
drwxr-xr-x  2 root root  4096 May 18 22:34 media
drwx------  2 root root 16384 May 18 22:34 lost+found
drwxr-xr-x  2 root root  4096 Apr 19 10:32 mnt
drwxr-xr-x  2 root root  4096 Mar  5 13:48 selinux
me@minibuntu:~$ ps auxew
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.4  0.7   3504  1860 ?        Ss   17:27   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    17:27   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    17:27   0:00 [ksoftirqd
root         4  0.0  0.0      0     0 ?        S    17:27   0:00 [kworker/0
root         5  0.1  0.0      0     0 ?        S    17:27   0:00 [kworker/u
root         6  0.0  0.0      0     0 ?        S    17:27   0:00 [migration
root         7  0.0  0.0      0     0 ?        S    17:27   0:00 [watchdog/
root         8  0.0  0.0      0     0 ?        S<   17:27   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S<   17:27   0:00 [khelper]
root        10  0.0  0.0      0     0 ?        S    17:27   0:00 [kdevtmpfs
root        11  0.0  0.0      0     0 ?        S<   17:27   0:00 [netns]
root        12  0.0  0.0      0     0 ?        S    17:27   0:00 [sync_supe
root        13  0.0  0.0      0     0 ?        S    17:27   0:00 [bdi-defau
root        14  0.0  0.0      0     0 ?        S<   17:27   0:00 [kintegrit
root        15  0.0  0.0      0     0 ?        S<   17:27   0:00 [kblockd]
root        16  0.0  0.0      0     0 ?        S<   17:27   0:00 [ata_sff]
root        17  0.0  0.0      0     0 ?        S    17:27   0:00 [khubd]
root        18  0.0  0.0      0     0 ?        S<   17:27   0:00 [md]
root        19  0.0  0.0      0     0 ?        S    17:27   0:00 [kworker/u
root        20  0.1  0.0      0     0 ?        S    17:27   0:00 [kworker/0
root        21  0.0  0.0      0     0 ?        S    17:27   0:00 [khungtask
root        22  0.0  0.0      0     0 ?        S    17:27   0:00 [kswapd0]
root        23  0.0  0.0      0     0 ?        SN   17:27   0:00 [ksmd]
root        24  0.0  0.0      0     0 ?        S    17:27   0:00 [fsnotify_
root        25  0.0  0.0      0     0 ?        S    17:27   0:00 [ecryptfs-
root        26  0.0  0.0      0     0 ?        S<   17:27   0:00 [crypto]
root        34  0.0  0.0      0     0 ?        S<   17:27   0:00 [kthrotld]
root        37  0.0  0.0      0     0 ?        S    17:27   0:00 [scsi_eh_0
root        38  0.0  0.0      0     0 ?        S    17:27   0:00 [scsi_eh_1
root        39  0.0  0.0      0     0 ?        S    17:27   0:00 [scsi_eh_2
root        42  0.2  0.0      0     0 ?        S    17:27   0:01 [kworker/0
root        61  0.0  0.0      0     0 ?        S<   17:27   0:00 [devfreq_w
root       183  0.0  0.0      0     0 ?        S    17:27   0:00 [jbd2/sda1
root       184  0.0  0.0      0     0 ?        S<   17:27   0:00 [ext4-dio-
root       269  0.0  0.2   2816   608 ?        S    17:28   0:00 upstart-ud
root       271  0.0  0.4   3060  1204 ?        Ss   17:28   0:00 /sbin/udev
102        361  0.0  0.2   3240   648 ?        Ss   17:28   0:00 dbus-daemo
syslog     368  0.0  0.5  30020  1392 ?        Sl   17:28   0:00 rsyslogd -
root       372  0.0  0.0      0     0 ?        S<   17:28   0:00 [iprt]
root       435  0.0  0.1   2828   352 ?        S    17:28   0:00 upstart-so
root       459  0.0  0.0      0     0 ?        S<   17:28   0:00 [kpsmoused
root       509  0.0  0.2   3056   732 ?        S    17:28   0:00 /sbin/udev
root       513  0.0  0.3   3056   800 ?        S    17:28   0:00 /sbin/udev
root       531  0.0  0.0      0     0 ?        S    17:28   0:00 [flush-8:0
root       554  0.0  0.1   2908   404 ?        Ss   17:28   0:00 dhclient3 
root       576  0.0  0.9   6664  2424 ?        Ss   17:28   0:00 /usr/sbin/
root       666  0.0  0.3   4612   856 tty4     Ss+  17:28   0:00 /sbin/gett
root       669  0.0  0.3   4612   848 tty5     Ss+  17:28   0:00 /sbin/gett
root       672  0.0  0.3   4612   856 tty2     Ss+  17:28   0:00 /sbin/gett
root       674  0.0  0.3   4612   844 tty3     Ss+  17:28   0:00 /sbin/gett
root       677  0.0  0.3   4612   852 tty6     Ss+  17:28   0:00 /sbin/gett
root       682  0.0  0.3   2600   784 ?        Ss   17:28   0:00 cron
daemon     683  0.0  0.1   2452   352 ?        Ss   17:28   0:00 atd
mysql      701  0.2 13.4 317412 33392 ?        Ssl  17:28   0:00 /usr/sbin/
root       733  0.0  0.2   9092   512 ?        Sl   17:28   0:00 /usr/sbin/
root      1016  0.0  0.3   4612   848 tty1     Ss+  17:28   0:00 /sbin/gett
root      1140  0.7  1.2   9636  3096 ?        Ss   17:34   0:00 sshd: me [
me        1156  0.4  0.6   9636  1592 ?        S    17:34   0:00 sshd: me@p
me        1157  6.3  2.3   9488  5892 pts/0    Ss   17:34   0:00 -bash LANG
me        1257  0.0  0.4   4924  1168 pts/0    R+   17:34   0:00 ps auxew T
me@minibuntu:~$ exit
logout
Connection to 192.168.1.38 closed.

Script done on Sat 21 Jul 2012 05:34:37 PM WEST
 
