Covert Login Alerting

Reading time ~2 minutes

Intro

For the longest time I had the idea to implement a notification system that would alert you if someone ever logged in (or tried to log in using a known password of yours).

Whether the password came from a previously compromised online account or was simply guessed based on your personality, the objective is that you are alerted as soon as possible. To this end I remember an app that was built by haroon@thinkst eons ago that worked on MacOS (https://thinkst.com/tools/itried/) and took a picture of whoever disturbed the Mac's screensaver.

I wanted to achieve something similar for Linux, and hopefully Windows at some point, but only when someone tried to log in using a known password (in theory it could be on any login). While the current implementation doesn't take a snapshot, since it is only hooked up to the SSH auth, you could in theory hook it up to a system's GUI login and capture those login attempts as well.

Initial Research

After some basic investigation I found that this can be done fairly easily using a Pluggable Authentication Module (PAM). This is because it is fairly dynamic and no major system changes are required.

Implementation

The final implementation was built using the pam_script module which lets you hook into PAM and call a shell script of your choice.

First we need to grab a copy of the pam_script repo located @ https://github.com/jeroennijhof/pam_script. Once downloaded, compile and install the library with the following commands:

cd pam_script # assuming you aren't already in the folder
autoreconf -i
./configure
make
make install

Once installed, we need to configure PAM by adding the line below to /etc/pam.d/sshd. This location is based on my current setup and may differ depending on how PAM is configured.

auth      optional  pam_script.so

Once we have PAM configured we need to modify the script that is called when a user fails to log in. On my system this is located @ /usr/local/etc/pam_script_auth. Note that by default this is linked to a script located in the same folder; either modify the linked script or create a new script and update the link. I took the path of creating a new script and updating the link. You can find the demo script below.

#! /bin/sh
# Called by pam_script during the auth phase; PAM_USER and PAM_AUTHTOK are
# supplied in the environment. Both are quoted so an unset variable cannot
# turn the test into a syntax error.

if [ "$PAM_USER" = "rc1140" ] && [ "$PAM_AUTHTOK" = "ThePoliceHaveMe" ]; then
  echo "the police are here" >> /tmp/alerts
  curl 'http://canarytokens.com/articles/n6p9nzmbq4o1o19vmvzxuqg8m/index.html'
fi

# success
exit 0

The script itself doesn't do much aside from echoing some text to a file and then calling a canary token. The canary token works nicely here since you can send the alert notification with very minimal infrastructure and without indicating who has been alerted. I tend to restart the ssh service to ensure that the PAM modifications are loaded, but this is probably not needed.
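A hardened version of the hook, added here as an example; it is not code from the post or from the pam_script project. It assumes pam_script exports PAM_USER, PAM_AUTHTOK and PAM_RHOST into the script's environment (the first two are what the post relies on; PAM_RHOST is an assumption), and the decoy username, decoy password hash, log path and alert URL are constructed placeholders. Compared with the demo script it stores only a hash of the decoy password so the script itself does not reveal it, never writes the supplied password into the alert record, records the source host, and puts a timeout on the callback so a slow network cannot hold up authentication:

```shell
#!/bin/sh
# Added example (not from the original post): a hardened pam_script_auth hook.
# Assumptions: pam_script exports PAM_USER, PAM_AUTHTOK and PAM_RHOST into the
# environment (PAM_RHOST is assumed). The decoy account, decoy password hash,
# log path and alert URL are constructed placeholders.

DECOY_USER="rc1140"
# sha256 of the constructed decoy password "abc"; storing the hash rather than
# the password means someone reading this file does not learn the decoy value.
DECOY_HASH="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
ALERT_LOG="${ALERT_LOG:-/tmp/alerts}"
ALERT_URL="https://canarytoken.example.invalid/PLACEHOLDER"

# Hex sha256 of a string (no trailing newline fed to the hash).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Returns 0 only when both the decoy username and the decoy password were used.
# Everything is quoted so an unset PAM variable cannot become a syntax error.
is_decoy_login() {
  user="$1"
  authtok="$2"
  [ -n "$user" ] && [ -n "$authtok" ] || return 1
  [ "$user" = "$DECOY_USER" ] || return 1
  [ "$(sha256_of "$authtok")" = "$DECOY_HASH" ]
}

# One alert record: UTC timestamp, user and source host. The password that was
# supplied is deliberately never written anywhere.
alert_line() {
  user="$1"
  rhost="${2:-local}"
  printf '%s decoy credential used user=%s rhost=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$rhost"
}

main() {
  if is_decoy_login "${PAM_USER:-}" "${PAM_AUTHTOK:-}"; then
    alert_line "$PAM_USER" "${PAM_RHOST:-}" >> "$ALERT_LOG"
    # Also land in the system auth log, which a SIEM is usually already watching.
    command -v logger >/dev/null 2>&1 && \
      logger -p auth.alert -t pam_script \
        "decoy credential used user=$PAM_USER rhost=${PAM_RHOST:-local}"
    # Short timeout and swallowed errors: the hook must never delay or block PAM.
    curl -fsS -m 5 "$ALERT_URL" >/dev/null 2>&1 || true
  fi
  # Always succeed; with "optional" in /etc/pam.d/sshd the result is ignored anyway.
  exit 0
}

# Run the hook only when invoked under the pam_script_* name PAM calls it by,
# so the functions above can also be sourced and exercised on their own.
case "${0##*/}" in
  pam_script_*) main ;;
esac
```

Install it as the target of the pam_script_auth link, root-owned and not writable by anyone else, since it receives the plaintext password of every authentication that reaches it. The `case` guard means the functions can be sourced into a shell and exercised without triggering an alert.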

Conclusion

That’s it really; you can probably make this way more complicated and covert with a full PAM module or by modifying the source for the different login applications. The PAM method does provide a more generic and pluggable method though. Additionally, using pam_script makes this even more dynamic and easy to implement.
