
sh2log – A UNIX keylogging tool

March 26, 2010, admin

A terminal logging tool for *nix systems: it records not only keystrokes but also everything written to the terminal.

Download: http://packetstormsecurity.org/UNIX/loggers/sh2log-1.0.tgz

File Name: sh2log-1.0.tgz
Description: sh2log is a PTY sniffing program that captures all keystrokes and console output of physical and virtual consoles. sh2log works as a userland keylogger and does not require installation of a kernel module. Consequently, it can be run on a wide range of different UNIX platforms: Linux, SunOS, BSD, AIX, etc. In essence, it man-in-the-middles the standard shells.
Author: Christophe Devine
MD5 Checksum: 3742a060f5fdc97ee21bd8387a4bb80b

sh2log — UNIX keylogging made easy ;-)
=======================================

1. What sh2log does
-------------------

sh2log is a PTY sniffing program that  captures all keystrokes and
console output of physical and virtual consoles. sh2log works as a
userland keylogger and  does not require installation  of a kernel
module.  Consequently, it can be run on a wide  range of different
UNIX platforms: Linux, SunOS, BSD, AIX, etc. This program provides
ready to use log files in a manner similar to the on-line sessions
available on www.takedown.com; it is mostly useful on honeypots.

sh2log can be activated on a per-user basis by simply changing the
login shell. You can also enable it for all users by replacing the
default shell (such as /bin/bash or /bin/ksh).

This program is meant to be used for legitimate purposes (such as
auditing user actions on a sensitive server) and is licensed under
the GPL. By using this program, you agree to comply with the terms
of the GPL license.

2. How to install it
--------------------

2.1. Edit config.h and setup the following values:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CONNECT_IP      IP address of the machine on which sh2logd runs
SERVER_PORT     UDP port in use by sh2logd
REAL_SHELL_DIR  Directory for the real shells (/bin/shells)
MAX_LOG_SIZE    Maximum size before a new log file is created
secret          This is a 128-bit symmetric key used to secure
                the data when transmitted over the network.

2.2. Compile sh2log by simply running "make system"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here, system can be any of: linux, freebsd, openbsd,
cygwin, sunos, aix, irix, hpux and osf.

2.3. Replace the original shell with sh2log and run sh2logd:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# mkdir /bin/shells/
# cp -p /bin/{sh,bash} /bin/shells/
# rm -f /bin/{sh,bash}
# cp -p sh2log /bin/bash
# cp -p sh2log /bin/sh
# ./sh2logd

If you see an error message about "bash: text file busy", check
that you have rm'ed the file before copying sh2log over it. Also,
I'd recommend not running sh2log and sh2logd on the same machine.

Warning: /bin/sh is often a symlink to /bin/bash. DO NOT FORGET TO
CREATE "/bin/shells/sh" OR YOUR SYSTEM WILL BE UNUSABLE!
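The install steps above leave a recognizable footprint on a host: a REAL_SHELL_DIR (the README's default is /bin/shells) holding the original shells, and /bin/sh turned from a symlink into a separate regular file whose content is identical to /bin/bash. The following check is an added example, not part of sh2log or the original post; it looks for that footprint under a root prefix (so it can also be pointed at a mounted disk image), treats a hard-linked /bin/sh (same inode) as benign, and the function and layout names are assumptions.

```shell
#!/bin/sh
# Added example, not part of sh2log or the original post: look for the
# footprint that the install steps in 2.3 leave on a host. Indicators:
#   - a REAL_SHELL_DIR (the README's default is /bin/shells) holding the
#     original shells
#   - /bin/sh turned from a symlink into a separate regular file whose
#     content is identical to /bin/bash (a hard link, same inode, is benign)
# ROOT is a prefix so the check can be run against a mounted disk image.
# Returns 0 when nothing is found, 1 when at least one indicator is present.
check_shell_shim() {
    root=${1:-}
    found=0
    if [ -d "$root/bin/shells" ]; then
        echo "indicator: $root/bin/shells exists (sh2log REAL_SHELL_DIR default)"
        for f in "$root"/bin/shells/*; do
            if [ -f "$f" ]; then echo "  stored shell: $f"; fi
        done
        found=1
    fi
    if [ -f "$root/bin/sh" ] && [ ! -L "$root/bin/sh" ] \
        && [ -f "$root/bin/bash" ] && [ ! "$root/bin/sh" -ef "$root/bin/bash" ] \
        && cmp -s "$root/bin/sh" "$root/bin/bash"; then
        echo "indicator: $root/bin/sh is a separate file identical to $root/bin/bash"
        found=1
    fi
    return $found
}

# Constructed demonstration layouts (temporary directories, not real systems).
make_clean_layout() {   # /bin/sh is the usual symlink, no shells directory
    d=$(mktemp -d) && mkdir -p "$d/bin"
    printf 'real bash binary\n' > "$d/bin/bash"
    ln -s bash "$d/bin/sh"
    echo "$d"
}
make_shim_layout() {    # exactly what the commands in 2.3 produce
    d=$(mktemp -d) && mkdir -p "$d/bin/shells"
    printf 'real bash binary\n' > "$d/bin/shells/bash"
    cp "$d/bin/shells/bash" "$d/bin/shells/sh"
    printf 'sh2log shim binary\n' > "$d/bin/bash"
    cp "$d/bin/bash" "$d/bin/sh"
    echo "$d"
}
```

Run `check_shell_shim ""` on a live system, or `check_shell_shim /mnt/image` against a mounted root; a non-zero exit means an indicator was printed.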

3. Monitoring your users: the interactive log parser
----------------------------------------------------

Please try first to run ./parser with the provided sh2log example
file "test.bin". Window resizing requires XTerm (not rxvt, eterm
or konsole) and a valid DISPLAY; or if you use PuTTY, try resizing
the window by hand.

The parser provides both non-interactive and interactive (takedown-
like) modes of operation. In interactive mode, you can pause, fast
forward (2x or 4x) and also follow in real time what the users are
doing on the system, and have a live view of all terminals.
