CN117201072A - User password acquisition method, device, equipment and storage medium - Google Patents
- Publication number: CN117201072A (application number CN202310947652.5A)
- Authority: CN (China)
- Prior art keywords: openssh, user password, service process, shellcode, ssh session
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The embodiments disclose a user password acquisition method, device, equipment and storage medium. The method comprises the following steps: injecting Shellcode into an OpenSSH service process through an initial program; loading a main program into the OpenSSH service process by executing the Shellcode; and running the main program, controlling the subprocesses of the OpenSSH service process with the identity of the OpenSSH service process, and acquiring the user password. The method enables a penetration tester to acquire the user password from the OpenSSH service process at any time without restarting the OpenSSH service process, so that its normal operation is not affected, and without replacing any system file, so that system integrity is preserved.
Description
Technical Field
The disclosure relates to the technical field of data security, and in particular relates to a method, a device, equipment and a storage medium for acquiring a user password.
Background
The Linux operating system is mainly used on cloud servers and embedded devices. OpenSSH is by far the most widely deployed SSH server software, and Linux systems usually rely on it for remote management. When using the OpenSSH service, users typically authenticate to the target Linux system by entering a username and password. On receiving a client connection, the OpenSSH service starts a child process (the session process) that handles and communicates with that client.
In the related art, SSH backdoors are widely used in lawful penetration tests in the security industry. Such a backdoor requires recompiling the SSH server program so that it carries code for recording passwords, and then replacing the original program file with the modified one. Because the original program file is replaced, reading passwords through the OpenSSH service in this way damages system integrity and is not stealthy; moreover, the backdoored SSH program only takes effect after the OpenSSH service is restarted, which interrupts its normal operation.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a method, an apparatus, a device, and a storage medium for obtaining a user password, which enable a penetration tester to obtain a user password from an OpenSSH service process at any time, without restarting the OpenSSH service process, so that normal operation of the OpenSSH service process is not affected, and any system file is not required to be replaced, thereby ensuring system integrity.
In a first aspect, an embodiment of the present disclosure provides a method for obtaining a user password, which adopts the following technical scheme:
injecting Shellcode into an OpenSSH service process through an initial program;
loading a main program into the OpenSSH service process by executing the Shellcode;
and running the main program, controlling the subprocesses of the OpenSSH service process according to the identity of the OpenSSH service process, and acquiring the user password.
In some embodiments, before injecting the Shellcode into the OpenSSH service process by the initial program, the method further comprises:
reading the memory mapping of the OpenSSH service process to calculate a function address used for loading a third-party ELF file in a Glibc library;
filling corresponding address values in the shellcode by using the function address, and setting corresponding calling parameters;
taking over the OpenSSH service process by using a ptrace system call, and storing the state of the OpenSSH service process;
injecting the shellcode into the OpenSSH service process, and executing the shellcode.
In some embodiments, loading a main program into the OpenSSH service process by executing the Shellcode includes:
loading the main program into the OpenSSH service process in the form of a dynamic link library (a shared object) by executing the Shellcode.
In some embodiments, running the main program to control a sub-process of the OpenSSH service process with the identity of the OpenSSH service process and obtain a user password includes:
detecting state information of the subprocesses;
when an SSH session process is detected, creating a separate thread for monitoring the SSH session process;
executing the separate thread to obtain the user password.
In some embodiments, executing the separate thread to obtain the user password includes:
taking over the SSH session process through a ptrace system call, and automatically suspending the SSH session process;
searching the memory space of the SSH session process to locate the feature code segment in the SSH session process;
when the feature code segment is positioned, setting a first interrupt code of one byte in the feature code segment according to a preset rule;
running the SSH session process, and interrupting operation of the SSH session process when the SSH session process executes the first interrupt code, and continuing to take over the SSH session process through the ptrace system call;
reading the stack memory space to obtain the password verification result and the user password of the SSH session process.
In some embodiments, after obtaining the password authentication result of the SSH session process and the user password, the method further comprises:
restoring the first interrupt code to the original code of the feature code segment;
rewinding the program counter to the address of the restored byte (after an int3 trap on x86 it points one byte past the interrupt code) so that the SSH session process executes the original code;
and then setting a second interrupt code in the feature code segment according to a preset rule.
In some embodiments, after continuing to set the second interrupt code in the feature code segment according to a preset rule, the method further comprises:
after the second interrupt code is set, continuing to execute the SSH session process;
when the password verification result is a password error, sending prompt information of the user password verification error;
the SSH session process continues to run, and interrupts operation when the second interrupt code is executed, and re-executes user password verification operation;
when the password verification result is that the password is correct, the user normally logs in the OpenSSH service process and stores the correct user password.
In a second aspect, an embodiment of the present disclosure further provides a user password obtaining device, which adopts the following technical scheme:
an injection unit configured to inject Shellcode into an OpenSSH service process through an initial program;
a loading unit configured to load a main program into the OpenSSH service process by executing the Shellcode;
and the acquisition unit is configured to run the main program, control the subprocesses of the OpenSSH service process according to the identity of the OpenSSH service process and acquire the user password.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, which adopts the following technical scheme:
the electronic device includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the user password acquisition methods described above.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium storing computer instructions for causing a computer to perform any one of the above-described user password acquisition methods.
According to the user password acquisition method provided by the embodiment of the disclosure, a penetration tester can acquire the user password from the OpenSSH service process at any time, and the OpenSSH service process does not need to be restarted, so that the normal operation of the OpenSSH service process is not affected, any system file does not need to be replaced, and the integrity of the system is ensured.
The foregoing description is only an overview of the disclosed technology, and may be implemented in accordance with the disclosure of the present disclosure, so that the above-mentioned and other objects, features and advantages of the present disclosure can be more clearly understood, and the following detailed description of the preferred embodiments is given with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 is a flow chart of a method for obtaining a user password according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a user password obtaining device according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be appreciated that the following specific embodiments of the disclosure are described in order to provide a better understanding of the present disclosure, and that other advantages and effects will be apparent to those skilled in the art from the present disclosure. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Fig. 1 is a flowchart of a user password obtaining method provided by an embodiment of the present disclosure, where the user password obtaining method provided by the embodiment of the present disclosure includes the following steps:
s101, injecting Shellcode into an OpenSSH service process through an initial program.
Optionally, the OpenSSH service process is the widely deployed SSH server software; Linux systems generally use it for remote management, and a user must enter a username and password on the target Linux system for the OpenSSH service process to verify the user's identity. When it receives a client request, the OpenSSH service process starts a child process to handle and communicate with that client; this child is the SSH session process.
Optionally, Shellcode refers to a short piece of machine code (written as assembler instructions) that implements a specific function and is placed into the target process so that the execution flow of the current process is redirected to it directly.
S102, loading the main program into the OpenSSH service process by executing a Shellcode.
And S103, running a main program, controlling the subprocesses of the OpenSSH service process by using the identity of the OpenSSH service process, and acquiring the user password.
The user password acquisition method of the embodiments addresses two problems of the existing way of obtaining user passwords from the OpenSSH service process during a penetration test: that the OpenSSH service process has to be restarted, and that system files have to be modified in order to read passwords through it, which damages system integrity. A penetration tester can therefore obtain a user password from the OpenSSH service process at any time without restarting it, so its normal operation is unaffected, and without replacing any system file, so system integrity is preserved.
In some embodiments, before injecting the Shellcode into the OpenSSH service process by the initial program, the method further comprises:
reading the memory mapping of the OpenSSH service process to calculate the function address used for loading the third-party ELF file in the Glibc library;
filling corresponding address values in shellcode by using function addresses, and setting corresponding calling parameters;
taking over an OpenSSH service process by using a ptrace system call, and storing the state of the OpenSSH service process;
shellcode is injected into the OpenSSH service process and shellcode is executed.
Optionally, ptrace is the Linux system call used to take over, control and debug a target process; in the embodiments of the disclosure it is used to control the OpenSSH service process and to read the plaintext password held in process memory. Because sshd runs as root, attaching to it requires root privileges or CAP_SYS_PTRACE on the target, and the Yama `kernel.yama.ptrace_scope` sysctl can restrict attachment further (2 limits it to CAP_SYS_PTRACE holders, 3 disables PTRACE_ATTACH until reboot).
Optionally, the Glibc library (the GNU C library) is the most common C runtime on Linux systems.
Optionally, the address of the Glibc function used to load a third-party ELF file is calculated; this function may be the Glibc-internal `__libc_dlopen_mode`, which loads and initializes an ELF shared object so that code in it (its constructors) runs at load time. `__libc_dlopen_mode` is exported as a GLIBC_PRIVATE symbol only in Glibc versions before 2.34; from 2.34 onward `dlopen` itself is part of libc.so.6 and is called instead. The offset of the chosen function from the libc base is the same in every process that maps the same libc build, so its address in the target is the target's libc base (read from /proc/<pid>/maps) plus the offset measured in the injecting program's own address space.
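As an added illustration of the preparatory steps above (this is not code from the patent and does not reproduce its Shellcode), the following C program parses a constructed /proc/<pid>/maps excerpt to find the target's libc base, rebases a loader function address from the injecting program's own address space, and patches the result into an x86-64 shellcode template that calls the loader and traps back to the tracer with int3. The map addresses, the local `dlopen` address and the path-string address are made-up values; in a real injector they come from the injector's own /proc/self/maps and dlsym, and from the path string the injector first writes into the target.

```c
#define _GNU_SOURCE           /* memmem */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpt for the target; every address is made up. */
static const char SAMPLE_MAPS[] =
    "55d4c8a00000-55d4c8a2b000 r--p 00000000 08:01 131 /usr/sbin/sshd\n"
    "7f3a1c200000-7f3a1c228000 r--p 00000000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c228000-7f3a1c3bd000 r-xp 00028000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1e6c0000-7ffd1e6e1000 rw-p 00000000 00:00 0   [stack]\n";

/* Return the start address of the first (lowest) mapping whose path contains
 * `lib`, i.e. the library's load base. Returns 0 when the library is not mapped. */
uint64_t find_lib_base(const char *maps, const char *lib) {
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (memmem(line, len, lib, strlen(lib)))
            return strtoull(line, NULL, 16);      /* each line starts with "start-end" */
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* A symbol's offset from its library base is a property of the library file,
 * so it is identical in every process that maps the same build of libc. */
uint64_t remote_symbol(uint64_t local_sym, uint64_t local_base, uint64_t remote_base) {
    return remote_base + (local_sym - local_base);
}

/* x86-64 template: mov rdi,<path>; mov esi,<flags>; mov rax,<fn>; call rax; int3.
 * The trailing int3 hands control back to the tracer once the loader call returns.
 * Before running it the injector must point RSP at a 16-byte aligned slot below the
 * target's red zone so that the call obeys the SysV ABI. */
static const uint8_t TEMPLATE[] = {
    0x48, 0xbf, 0,0,0,0,0,0,0,0,   /* mov rdi, imm64: address of the .so path string in the target */
    0xbe,       0,0,0,0,           /* mov esi, imm32: RTLD_NOW                                    */
    0x48, 0xb8, 0,0,0,0,0,0,0,0,   /* mov rax, imm64: address of dlopen / __libc_dlopen_mode      */
    0xff, 0xd0,                    /* call rax                                                    */
    0xcc                           /* int3                                                        */
};
enum { OFF_PATH = 2, OFF_FLAGS = 11, OFF_FN = 17 };
uint8_t SCRATCH[sizeof TEMPLATE];  /* output buffer used by main() below */

/* Fill the immediates (little-endian, as x86 encodes them) and return the shellcode length. */
size_t build_shellcode(uint8_t *out, uint64_t path_addr, uint32_t flags, uint64_t fn_addr) {
    memcpy(out, TEMPLATE, sizeof TEMPLATE);
    memcpy(out + OFF_PATH,  &path_addr, sizeof path_addr);
    memcpy(out + OFF_FLAGS, &flags,     sizeof flags);
    memcpy(out + OFF_FN,    &fn_addr,   sizeof fn_addr);
    return sizeof TEMPLATE;
}

int main(void) {
    /* In a real injector these two come from the injector's own process:
     * dlsym(RTLD_DEFAULT, "dlopen") and find_lib_base(<own maps>, "libc.so.6"). Made up here. */
    uint64_t local_base = 0x7f0000000000ULL, local_dlopen = 0x7f00000a1234ULL;
    uint64_t remote_base = find_lib_base(SAMPLE_MAPS, "libc.so.6");
    uint64_t remote_dlopen = remote_symbol(local_dlopen, local_base, remote_base);
    size_t n = build_shellcode(SCRATCH, 0x7ffd1e6c0100ULL /* made-up path address */, 2 /* RTLD_NOW */, remote_dlopen);
    printf("target libc base %#llx, dlopen at %#llx, %zu bytes of shellcode:\n",
           (unsigned long long)remote_base, (unsigned long long)remote_dlopen, n);
    for (size_t i = 0; i < n; i++) printf("%02x%c", SCRATCH[i], i + 1 == n ? '\n' : ' ');
    return 0;
}
```

Which loader function the template calls depends on the target's Glibc: `__libc_dlopen_mode(path, RTLD_NOW)` before 2.34, plain `dlopen` from libc.so.6 afterwards; the rebasing arithmetic is the same. The injector must also save the target's registers and the words it overwrites with the shellcode and restore both after the int3, which is the bookkeeping the step list above calls storing the state of the OpenSSH service process.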
In some embodiments, loading the main program into the OpenSSH service process by executing a Shellcode includes:
the main program is loaded into the OpenSSH service process in the form of a dynamic link library by executing a Shellcode.
The embodiments load the main program into the OpenSSH service process in the form of a dynamic link library; it therefore does not appear in the process list and can be disguised as a legitimate dynamic link library, which the embodiments regard as maximizing concealment. A shared object loaded this way is nevertheless visible as an extra mapping in /proc/<pid>/maps of the OpenSSH service process, an attached tracer shows up as a nonzero TracerPid field in /proc/<pid>/status of the session process, and the ptrace system call can be logged by the audit subsystem, so the concealment is relative to file-integrity checks and process listings rather than absolute.
In some embodiments, running the main program to control the sub-process of the OpenSSH service process with the identity of the OpenSSH service process and obtain the user password includes:
detecting state information of the subprocesses;
when the SSH session process is detected, creating a separate thread for monitoring the SSH session process;
a separate thread is executed to obtain the user password.
The embodiments determine whether an SSH session process has appeared by monitoring the current process, i.e. the child processes of the OpenSSH service process, for changes; when a new child (the SSH session process that sshd forks for a client connection) appears, a separate thread is run to monitor that SSH session process and obtain the user password.
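The child-process monitoring described above can be implemented by periodically scanning /proc, as in this added C example (it is not the patent's code; its stat lines and scan results are constructed). It extracts the parent PID from a /proc/<pid>/stat line, which has to be parsed from the last ')' because the comm field may itself contain spaces and parentheses, lists the current children of a given PID, and reports which children are new since the previous scan. On kernels built with CONFIG_PROC_CHILDREN, /proc/<pid>/task/<pid>/children yields the same list without a scan.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Parse the parent PID out of one /proc/<pid>/stat line. Field 2 (comm) sits in
 * parentheses and may contain spaces or ')', so the remaining fields are taken
 * from the LAST ')' instead of splitting naively on whitespace. Returns -1 on malformed input. */
long stat_ppid(const char *stat_line) {
    const char *close = strrchr(stat_line, ')');
    if (!close) return -1;
    char state; long ppid;
    if (sscanf(close + 1, " %c %ld", &state, &ppid) != 2) return -1;   /* " <state> <ppid> ..." */
    return ppid;
}

/* Enumerate the current children of `parent` by scanning /proc. Fills out[] and returns the count. */
size_t list_children(pid_t parent, pid_t *out, size_t max) {
    size_t n = 0;
    DIR *proc = opendir("/proc");
    if (!proc) return 0;
    struct dirent *de;
    while ((de = readdir(proc)) && n < max) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;
        char path[64], line[512];
        snprintf(path, sizeof path, "/proc/%s/stat", de->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;                                   /* process exited between readdir and fopen */
        if (fgets(line, sizeof line, f) && stat_ppid(line) == (long)parent)
            out[n++] = (pid_t)strtol(de->d_name, NULL, 10);
        fclose(f);
    }
    closedir(proc);
    return n;
}

/* Children present in `cur` but not in `prev` are the candidate SSH session
 * processes that the separate monitoring thread would attach to. */
size_t new_children(const pid_t *prev, size_t nprev, const pid_t *cur, size_t ncur, pid_t *out) {
    size_t n = 0;
    for (size_t i = 0; i < ncur; i++) {
        size_t j = 0;
        while (j < nprev && prev[j] != cur[i]) j++;
        if (j == nprev) out[n++] = cur[i];
    }
    return n;
}

/* Constructed inputs: a plain stat line, one whose comm contains a space and ')',
 * and two successive scan results with made-up PIDs. */
static const char STAT_PLAIN[]  = "4242 (sshd) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1234 0 0 0";
static const char STAT_TRICKY[] = "4300 (sshd: (bob)) S 4242 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 5678 0 0 0";
static const pid_t PREV_SCAN[] = { 4300 };
static const pid_t CUR_SCAN[]  = { 4300, 4311 };
pid_t SCRATCH_PIDS[8];

int main(int argc, char **argv) {
    pid_t parent = argc > 1 ? (pid_t)atoi(argv[1]) : 1, kids[256];   /* usage: ./a.out <sshd pid> */
    size_t n = list_children(parent, kids, 256);
    printf("pid %d currently has %zu children:", (int)parent, n);
    for (size_t i = 0; i < n; i++) printf(" %d", (int)kids[i]);
    printf("\nppid from constructed lines: %ld and %ld\n", stat_ppid(STAT_PLAIN), stat_ppid(STAT_TRICKY));
    return 0;
}
```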
In some embodiments, executing a separate thread to obtain the user password includes:
taking over the SSH session process through the ptrace system call, which automatically suspends the SSH session process;
searching the memory space of the SSH session process to locate the feature code segment in it;
when the feature code segment is located, setting a one-byte first interrupt code in the feature code segment according to a preset rule; for example, overwriting the first byte of the feature code segment with 0xCC, which on x86 is the single-byte int3 breakpoint instruction that stops the traced process with SIGTRAP (on other architectures the breakpoint instruction is wider, e.g. a 4-byte brk on arm64, so the one-byte detail is x86-specific);
running the SSH session process, interrupting it when it executes the first interrupt code, and continuing to hold it through the ptrace system call;
at this point the session process is stopped inside its password verification code, so the stack memory space can be read to obtain the password verification result and the user password of the SSH session process.
Optionally, while the OpenSSH service process is running, the location of the password verification code inside the session process is not known in advance (address space layout randomization and differing builds move it), so the code must be located first, and the interrupt code is then set at that location so that the user password is read there. The embodiments locate the code by its feature code segment, i.e. a distinctive byte sequence, and set the interrupt code within it.
In some embodiments, after obtaining the password authentication result of the SSH session process and the user password, the method further comprises:
restoring the first interrupt code to the original byte of the feature code segment;
rewinding the program counter to that address (after an int3 trap on x86 it points one byte past the interrupt code) so that the SSH session process executes the original code;
and then setting a second interrupt code in the feature code segment according to a preset rule.
In some embodiments, after continuing to set the second interrupt code in the feature code segment according to the preset rule, the method further comprises:
after the second interrupt code is set, continuing to execute the SSH session process;
when the password verification result is a password error, sending prompt information of the user password verification error;
the SSH session process continues to run, and when the second interrupt code is executed, the operation is interrupted, and the user password verification operation is executed again;
when the password verification result is that the password is correct, the user normally logs in the OpenSSH service process and stores the correct user password.
The embodiment of the disclosure can verify the correctness of the password and avoid invalid records.
For example, when a penetration tester tries to obtain user passwords of a Linux host, the tester uses the initial program of the embodiments to inject the Shellcode into the OpenSSH service process; the Shellcode then loads the main program of the embodiments into the OpenSSH service process and runs it. A user of the Linux host (in this scenario the tester, logging in with their own account) now tries to log in through the OpenSSH service and submits their username together with a wrong password. The main program intercepts the wrong password, finds from the corresponding password verification result in memory that it is invalid, declines to record it, and the client receives the usual password-error prompt. The child of the OpenSSH service process (the SSH session process) is resumed and waits for the password to be submitted again. After receiving the password-error prompt, the user resubmits the correct password; the main program intercepts it again, sees that verification succeeded, records the correct user password and resumes the SSH session process. The user logs in normally, and the main program of the embodiments can then be unloaded.
The embodiments use shared object injection: the main program is injected into the OpenSSH service process by the Shellcode without creating any other process or touching any file. After injection, the main program, running with the identity (and privileges) of the OpenSSH service process, can control its child process (the SSH session process) and read the user password. Memory searching with a feature code segment, i.e. a distinctive byte signature, locates the unique code block responsible for password verification inside the session process, and the password is read there. In addition, the result of the password verification is read together with the password, so the validity of the password is judged from that result and invalid entries are not recorded.
Fig. 2 is a schematic structural diagram of a user password obtaining device provided by an embodiment of the present disclosure, where the user password obtaining device provided by the embodiment of the present disclosure includes:
an injection unit 21 configured to inject Shellcode into an OpenSSH service process through an initial program;
a loading unit 22 configured to load a main program into the OpenSSH service process by executing a Shellcode;
the obtaining unit 23 is configured to run the main program, control the sub-process of the OpenSSH service process with the identity of the OpenSSH service process, and obtain the user password.
An electronic device according to an embodiment of the present disclosure includes a memory and a processor. The memory is for storing non-transitory computer readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, read Only Memory (ROM), hard disk, flash memory, and the like.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory, to cause the electronic device to perform all or part of the steps of a user password acquisition method of the embodiments of the present disclosure described above.
It should be understood by those skilled in the art that, in order to solve the technical problem of how to obtain a good user experience effect, the present embodiment may also include well-known structures such as a communication bus, an interface, and the like, and these well-known structures are also included in the protection scope of the present disclosure.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. A schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 3 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 3, the electronic device may include a processor (e.g., a central processing unit, a graphic processor, etc.) that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage device into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the electronic device are also stored. The processor, ROM and RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
In general, the following devices may be connected to the I/O interface: input means including, for example, sensors or visual information gathering devices; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; a communication device. The communication means may allow the electronic device to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While fig. 3 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. All or part of the steps of a user password acquisition method of an embodiment of the present disclosure are performed when the computer program is executed by a processor.
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
A computer-readable storage medium according to an embodiment of the present disclosure has stored thereon non-transitory computer-readable instructions. When executed by a processor, perform all or part of the steps of a user password acquisition method of embodiments of the present disclosure described above.
The computer-readable storage medium described above includes, but is not limited to: optical storage media (e.g., CD-ROM and DVD), magneto-optical storage media (e.g., MO), magnetic storage media (e.g., magnetic tape or removable hard disk), media with built-in rewritable non-volatile memory (e.g., memory card), and media with built-in ROM (e.g., ROM cartridge).
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, however, it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this disclosure, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the block diagrams of devices, apparatuses, devices, systems involved in this disclosure are merely illustrative examples and are not intended to require or implicate that connections, arrangements, configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses, devices, systems may be connected, arranged, configured in any manner. Words such as "including," "comprising," "having," and the like are words of openness and mean "including but not limited to," and are used interchangeably therewith. The term "or" as used herein refers to, and is used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
In addition, as used herein, the use of "or" in the recitation of items beginning with "at least one" indicates a separate recitation, such that recitation of "at least one of A, B or C" for example means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the term "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be decomposed and/or recombined. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.
Claims (10)
1. A method for obtaining a user password, comprising:
injecting Shellcode into an OpenSSH service process through an initial program;
loading a main program into the OpenSSH service process by executing the Shellcode;
and running the main program, controlling the subprocesses of the OpenSSH service process according to the identity of the OpenSSH service process, and acquiring the user password.
2. The user password acquisition method according to claim 1, wherein before Shellcode is injected into the OpenSSH service process by an initial program, the method further comprises:
reading the memory mapping of the OpenSSH service process to compute the address of the Glibc library function used for loading a third-party ELF file;
filling corresponding address values in the shellcode by using the function address, and setting corresponding calling parameters;
taking over the OpenSSH service process by using a ptrace system call, and storing the state of the OpenSSH service process;
injecting the shellcode into the OpenSSH service process, and executing the shellcode.
3. The user password acquisition method according to claim 1, wherein loading a main program into the OpenSSH service process by executing the Shellcode includes:
and loading a main program into the OpenSSH service process in the form of a dynamic link library by executing the Shellcode.
4. The method according to claim 1, wherein running the main program to control a sub-process of the OpenSSH service process with an identity of the OpenSSH service process and obtain a user password includes:
detecting state information of the subprocesses;
when an SSH session process is detected, creating a separate thread for monitoring the SSH session process;
executing the separate thread to obtain the user password.
5. The user password acquisition method of claim 4, wherein executing the separate thread to acquire the user password comprises:
taking over the SSH session process through a ptrace system call, and automatically suspending the SSH session process;
searching the memory space of the SSH session process to locate the feature code segment in the SSH session process;
when the feature code segment is located, setting a one-byte first interrupt code in the feature code segment according to a preset rule;
running the SSH session process, and interrupting operation of the SSH session process when the SSH session process executes the first interrupt code, and continuing to take over the SSH session process through the ptrace system call;
and reading the stack memory space, and acquiring a password verification result and a user password of the SSH session process.
6. The user password acquisition method according to claim 5, wherein after acquiring the password authentication result of the SSH session process and the user password, the method further comprises:
restoring the first interrupt code to the original code of the feature code segment;
returning the program pointer to its original position so that the SSH session process executes the original code;
and continuously setting a second interrupt code in the feature code segment according to a preset rule.
7. The user password acquisition method according to claim 6, wherein after continuing to set a second interrupt code in the feature code segment according to a preset rule, the method further comprises:
after the second interrupt code is set, continuing to execute the SSH session process;
when the password verification result is a password error, sending prompt information of the user password verification error;
the SSH session process continues to run, interrupts operation when the second interrupt code is executed, and re-executes the user password verification;
when the password verification result is that the password is correct, the user logs in to the OpenSSH service normally and the correct user password is stored.
8. A user password acquisition apparatus, comprising:
an injection unit configured to inject Shellcode into an OpenSSH service process through an initial program;
a loading unit configured to load a main program into the OpenSSH service process by executing the Shellcode;
and the acquisition unit is configured to run the main program, control the subprocesses of the OpenSSH service process according to the identity of the OpenSSH service process and acquire the user password.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the user password acquisition method of any one of claims 1 to 7.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the user password acquisition method of any one of claims 1 to 7.
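Every step in the method claims above has to touch the target host in a way it can see: claims 2 and 5 take the OpenSSH service process and its session child under ptrace, claim 3 maps the main program into sshd as a dynamic link library, and claim 2 executes shellcode that lives in no file. The check below, an added example that is not part of the patent or of any implementation of it, reads the /proc view of an sshd process and reports exactly those traces: a non-zero TracerPid, an executable mapping backed by a file outside the directories a packaged sshd normally loads from, and an anonymous or writable executable page. The TRUSTED_CODE_DIRS list and the /proc text samples are constructed assumptions, not data from the patent.

```python
"""Host-side check for the traces that the technique in the claims above leaves on
an OpenSSH daemon: a ptrace tracer attached to sshd or to a session child, a shared
object mapped into sshd from an unexpected location, or an anonymous executable page.
Added example; the /proc samples at the bottom are constructed, not captured."""
import os
import re
from dataclasses import dataclass

# Directories from which sshd legitimately maps executable code on a stock Linux
# install. This list is an assumption: tune it to your distribution's layout.
TRUSTED_CODE_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")

# One line of /proc/<pid>/maps: range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class Finding:
    kind: str    # which indicator fired
    detail: str  # the offending maps line or path, or who is tracing


def parse_status(status_text):
    """Turn /proc/<pid>/status into a dict of field name -> value."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def inspect_snapshot(status_text, maps_text):
    """Return the list of indicators found in one process's status and maps text."""
    findings = []
    status = parse_status(status_text)
    tracer = int(status.get("TracerPid", "0") or "0")
    if tracer != 0:
        # Claims 2 and 5 both rely on ptrace-attaching; a traced sshd is the loudest sign.
        findings.append(Finding("ptrace_attached",
                                f"{status.get('Name')} pid {status.get('Pid')} traced by pid {tracer}"))
    for raw in maps_text.splitlines():
        m = MAPS_RE.match(raw.strip())
        if not m or "x" not in m.group("perms"):
            continue  # only executable mappings matter here
        path = m.group("path").strip()
        if not path or path.startswith("[anon"):
            # Executable code with no backing file.
            findings.append(Finding("anon_exec_mapping", raw.strip()))
        elif path.startswith("["):
            pass  # [vdso], [vsyscall]: kernel-provided, expected
        elif "(deleted)" in path or not path.startswith(TRUSTED_CODE_DIRS):
            # A DSO loaded from outside the package directories (claim 3 loads the
            # main program into sshd as a dynamic link library).
            findings.append(Finding("unexpected_exec_mapping", path))
        if "w" in m.group("perms"):
            findings.append(Finding("writable_exec_mapping", raw.strip()))
    return findings


def scan_sshd_processes(proc_root="/proc"):
    """Inspect every live process named sshd; needs root to read other users' maps."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/status") as fh:
                status = fh.read()
            if parse_status(status).get("Name") != "sshd":
                continue
            with open(f"{proc_root}/{entry}/maps") as fh:
                maps = fh.read()
        except OSError:
            continue  # process exited or not readable
        results[int(entry)] = inspect_snapshot(status, maps)
    return results


# Constructed samples: a clean sshd and one showing the pattern in the claims.
STATUS_CLEAN = "Name:\tsshd\nPid:\t1200\nPPid:\t1\nTracerPid:\t0\n"
STATUS_TRACED = "Name:\tsshd\nPid:\t4321\nPPid:\t1200\nTracerPid:\t4300\n"
MAPS_CLEAN = """\
55d0c0a00000-55d0c0b00000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f1a00000000-7f1a001c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]
7ffd123a0000-7ffd123a2000 r-xp 00000000 00:00 0 [vdso]
"""
MAPS_INJECTED = MAPS_CLEAN + """\
7f1a10000000-7f1a10020000 r-xp 00000000 fd:01 9999 /tmp/.cache/main.so
7f1a20000000-7f1a20001000 rwxp 00000000 00:00 0
"""

if __name__ == "__main__":
    for f in inspect_snapshot(STATUS_TRACED, MAPS_INJECTED):
        print(f"{f.kind}: {f.detail}")
```

Run `scan_sshd_processes()` as root on a live host to apply the same checks to every sshd process. Claim 5 keeps the session child under ptrace for as long as the interrupt code is set, so sampling TracerPid while a login is in progress is the most reliable moment; the mapped main program, being a library loaded into the daemon, stays visible in maps for the life of the process. Where the host does not need external debuggers at all, restricting ptrace with kernel.yama.ptrace_scope or by withholding CAP_SYS_PTRACE removes the primitive the whole chain depends on.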
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310947652.5A CN117201072B (en) | 2023-07-31 | 2023-07-31 | User password acquisition method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310947652.5A CN117201072B (en) | 2023-07-31 | 2023-07-31 | User password acquisition method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117201072A true CN117201072A (en) | 2023-12-08 |
| CN117201072B CN117201072B (en) | 2024-06-14 |
Family
ID=88996866
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310947652.5A Active CN117201072B (en) | 2023-07-31 | 2023-07-31 | User password acquisition method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117201072B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105956474A (en) * | 2016-05-17 | 2016-09-21 | 武汉虹旭信息技术有限责任公司 | Abnormal behavior detection system of Android platform software |
| CN107122656A (en) * | 2017-04-26 | 2017-09-01 | 北京洋浦伟业科技发展有限公司 | Method and apparatus for preventing external debugging by self-debugging |
| US20170339166A1 (en) * | 2016-05-18 | 2017-11-23 | Salesforce.Com, Inc. | Reverse shell network intrusion detection |
| US20180089432A1 (en) * | 2016-09-29 | 2018-03-29 | Trap Data Security Ltd. | System and method for characterizing malware |
| CN112181540A (en) * | 2020-09-28 | 2021-01-05 | 中孚安全技术有限公司 | A method and system for implementing hook on Linux application layer |
| CN114666104A (en) * | 2022-03-09 | 2022-06-24 | 国能信息技术有限公司 | Penetration testing method, system, computer equipment and storage medium |
- 2023-07-31 CN CN202310947652.5A patent/CN117201072B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105956474A (en) * | 2016-05-17 | 2016-09-21 | 武汉虹旭信息技术有限责任公司 | Abnormal behavior detection system of Android platform software |
| US20170339166A1 (en) * | 2016-05-18 | 2017-11-23 | Salesforce.Com, Inc. | Reverse shell network intrusion detection |
| US20180089432A1 (en) * | 2016-09-29 | 2018-03-29 | Trap Data Security Ltd. | System and method for characterizing malware |
| CN107122656A (en) * | 2017-04-26 | 2017-09-01 | 北京洋浦伟业科技发展有限公司 | Method and apparatus for preventing external debugging by self-debugging |
| CN112181540A (en) * | 2020-09-28 | 2021-01-05 | 中孚安全技术有限公司 | A method and system for implementing hook on Linux application layer |
| CN114666104A (en) * | 2022-03-09 | 2022-06-24 | 国能信息技术有限公司 | Penetration testing method, system, computer equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 付治钧 等 (Fu Zhijun et al.): "Design of a network deception system based on Linux shared library injection technology" (基于Linux共享库注射技术的网络诱骗系统设计), 计算机工程与设计 (Computer Engineering and Design), no. 05, 16 March 2007 (2007-03-16) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117201072B (en) | 2024-06-14 |
Similar Documents
| Publication | Title |
|---|---|
| US8364973B2 (en) | Dynamic generation of integrity manifest for run-time verification of software program |
| US20190132348A1 (en) | Vulnerability scanning of attack surfaces |
| US8701187B2 (en) | Runtime integrity chain verification |
| US9606905B2 (en) | Systems, methods, and media for testing software patches |
| CN110334515B (en) | Method and device for generating measurement report based on trusted computing platform |
| CN109241745B (en) | A trusted startup method and device for a computing platform |
| AU2021206497A1 (en) | Method and apparatus for authority control, computer device and storage medium |
| CN105159744A (en) | Virtual machine measurement method and apparatus |
| US20180004940A1 (en) | Method and apparatus for generating dynamic security module |
| CN113391874B (en) | Virtual machine detection countermeasure method and device, electronic equipment and storage medium |
| US11055416B2 (en) | Detecting vulnerabilities in applications during execution |
| CN110399719A (en) | BIT file loading method, apparatus, device and computer-readable storage medium |
| JP2019003275A (en) | Confirmation system, controller and confirmation method |
| CN114371859A (en) | Application software RASP program update method, server, electronic device and storage medium |
| CN117688551A (en) | Startup path white list updating method and device, electronic equipment and storage medium |
| JP7696063B2 (en) | Method for detecting anomalies indicative of manipulation during secure boot operations of a software-controlled device |
| CN117201072B (en) | User password acquisition method, device, equipment and storage medium |
| CN113094281A (en) | Hybrid App testing method and device |
| CN114282205B (en) | Firmware startup method and device, and computer-readable storage medium |
| JP6656107B2 (en) | Test device and test program for monitoring device |
| CN112464225B (en) | Request processing method, request processing device and computer readable storage medium |
| CN110908725A (en) | Application program starting method and device, electronic equipment and readable medium |
| CN109446056B (en) | Code verification method and device, electronic equipment and medium |
| WO2018194568A1 (en) | Executing processes in sequence |
| CN111625824A (en) | IAST-based security test method and device, electronic device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |