Home

Awesome

3snake - dump sshd and sudo credential related strings

Disclaimer

I Wrote This In College

About

Targeting rooted servers, reads memory from sshd and sudo system calls that handle password based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run.

Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process ptrace is attached and traces read and write system calls, extracting strings related to password based authentication.

Don't really like the solution of backdooring openssh or installing a kernel module on target servers so I made this.

3snake

Build

make
./3snake -h
./3snake

Usage

Run in current terminal ./3snake

Daemonize and dump output to file ./3snake -d -o "/tmp/output_file.txt"

Configuration

Located in config.h

Limitations

Linux, ptrace enabled, /proc filesystem mounted

Todo

FeaturesX
OpenSSH server password authX
sudoX
suX
regex strings from processes~
ssh clientX

Licenses

MIT and Wrote This When In College