CN112926050A - Method for acquiring SSH encrypted content based on HOOK technology and application thereof - Google Patents


Info

Publication number: CN112926050A
Authority: CN (China)
Application number: CN202110160507.3A
Other languages: Chinese (zh)
Other versions: CN112926050B
Inventors: 朱贺军, 邓省三
Assignee (original and current): Beijing Esafenet Science & Technology Co., Ltd.
Legal status: Granted, active
Prior art keywords: information, ssh, module, data, file


Classifications

    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms (e.g. of processors, firmware or operating systems) during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F11/3636 Software debugging by tracing the execution of the program
    • H04L63/0428 Network architectures or network communication protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/568 Provisioning of proxy services; storing data temporarily at an intermediate stage, e.g. caching
    • H04L69/22 Parsing or analysis of headers


Abstract

The invention relates to the technical field of network security, in particular to a method for acquiring SSH encrypted content based on HOOK technology. Hook points are located by tracing, debugging and analyzing the SSH server program and the database client programs; the plaintext data produced when SSH communication is decrypted is captured at all hook points; and the captured data is finally analyzed to recover the content of the user operation commands that SSH had encrypted. The SSH server program is analyzed by dynamically tracing the sshd process with strace, which reveals the read function as a hook point; since some database data cannot be captured this way, the database client programs are debugged with GDB, which reveals further hook points such as fgets and fwrite. The content decrypted by the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by analyzing the recorded data.

Description

Method for acquiring SSH encrypted content based on HOOK technology and application thereof
Technical Field
The invention relates to the technical field of network security, in particular to a method for acquiring SSH encrypted content based on a HOOK technology.
Background
SSH is mainly composed of three parts:
1. The transport layer protocol provides server authentication, confidentiality and integrity, with strong encryption, cryptographic host authentication and integrity protection. Authentication in this protocol is host-based; it does not perform user authentication.
2. The user authentication protocol provides client user authentication to the server. It runs on top of the transport layer protocol and receives a session identifier from the lower-layer protocol; the session identifier uniquely identifies the session and is suitable for signing to prove ownership of the private key.
3. The connection protocol multiplexes the encrypted tunnel into multiple logical channels. It runs on top of the user authentication protocol and provides interactive login sessions, remote command execution, forwarded TCP/IP connections and forwarded X11 connections.
Because all transmitted data is encrypted with SSH and cannot be decrypted by a third party, man-in-the-middle attacks can be prevented, as can DNS spoofing and IP spoofing. In addition, SSH compresses the data it transmits, so transmission is fast.
The SSH protocol is a basic solution for Internet security; it is widely used today and has become a standard component of Linux systems.
Because of the SSH protocol's security mechanism, information about an attacker cannot be obtained, attack behavior cannot be reconstructed or evidenced, and hidden malicious users cannot be traced, which poses great hidden dangers and losses to all parties concerned with the data.
Currently there are several HOOK schemes for Linux, from Ring3 to Ring0. Ring3 schemes include hooking .so library files through the LD_PRELOAD mechanism, dynamic injection into a target process through ptrace, PLT redirection hooks, and so on; Ring0 schemes include inline hooks, hooking system calls through sys_call_table, and so on.
Disclosure of Invention
To solve the above technical problems, one object of the present invention is to provide a method for acquiring SSH encrypted content based on HOOK technology, which locates hook points by tracing, debugging and analyzing the SSH server program and the database client programs, acquires the plaintext data produced when SSH communication is decrypted at all hook points, and finally analyzes that data to obtain the content of the user operation commands that SSH had encrypted;
another object of the present invention is to provide a system obtained by applying this method, which can acquire the encrypted content of multiple clients.
In the method for acquiring SSH encrypted content based on HOOK technology, the SSH server program is analyzed by dynamically tracing the sshd process with strace, which reveals the read function as a hook point; it is then found that some database data cannot be captured, so the database client programs are debugged with GDB, which reveals further hook points such as fgets and fwrite;
the content decrypted by the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by analyzing the recorded data. The specific steps are as follows:
1) after an SSH session has been established, acquire the PID of the process calling the hooked function and the current time, locate the target process from the process name obtained via the PID, and record the time at which the SSH client command was acquired, the ASCII code string, the plaintext data and similar information, writing them into a cache file;
2) compile the hook functions into a dynamic library (.so file), write the generated .so file into the /etc/ld.so.cache file using the Linux preload mechanism (or the former is preferred), and capture and cache the data; a new cache file is created if it does not exist;
3) analyze the cached data with the custom analysis method to obtain the SSH encrypted content and restore the content of the commands the SSH client executed.
In this method the hook points are libc library functions such as read, fgets and fwrite, and the custom analysis method comprises the following steps: read the position up to which the file was last read; if the position has been updated, read the cache data captured by the hooks from that position, extract the time information, ASCII code string, plaintext data and similar fields, process the plaintext data string, determine the key value from whether each character is displayable and from its ASCII code, treat the Enter key as the end marker of each complete command, interpret certain special keys, and finally restore the complete command.
The invention further relates to a system for acquiring the SSH encrypted content of multiple clients, which applies the above method and comprises a front end part and a back end part.
Back end part: injects the .so library file into the process group associated with each SSH session by means of the hook technique, caches the captured data, and controls the user's deletion operations;
the back end part comprises a data capture and cache module and a deletion operation control module;
data capture and cache module: acquires and caches the captured data together with the time, PID, process name and similar information, then resumes the original system call and returns its original return value;
deletion operation control module: manages the user's deletion operations through permissions according to the deletion operation control policy;
Front end part: a shell script handles starting, stopping and managing the executable files, while the executable binary mainly handles user information management, data analysis and restoration, command type identification, policy receiving and processing, automatic garbage cleaning and similar functions;
the front end part comprises a log generation module, a process daemon and self-start module, a parsing policy receiving and processing module, a data analysis, restoration and output module, a user information management module, a system and database command identification module, an output source control module, a login information scanning and recording module, an automatic garbage cleaning module and a deletion operation policy receiving and processing module;
log generation module: generates a log file from simple parameter input for the user to inspect; the log file can also be sent to a specified database through a custom interface, or to a dedicated audit platform, and stored in any data source for convenient auditing;
process daemon and self-start module: supports a process daemon function that restarts the process after an abnormal exit without losing the client's operation information during the outage, and supports starting at boot so that information acquisition begins as soon as a client connects;
parsing policy receiving and processing module: receives and processes an issued policy file that specifies whether the analysis function is enabled, and allows multiple servers to be controlled at once by specifying the IP address of the target server;
data analysis, restoration and output module: processes the information provided by the interaction module and the data cached by the back end, analyzes the corresponding system command and database command files according to the PID information, records the position currently read in each file, and outputs the restored time and command information of the SSH client's operations;
user information management module: manages the current login user of the SSH client and the information after a user switch, including login time, the IP address and port of the SSH client, the IP address and port of the current server, user exit time and so on;
system and database command identification module: identifies system commands and database commands according to the PID information, determines the specific database type, and provides the identified information to the other modules;
output source control module: receives user login and exit information and the restored, identified system and database command information, and provides various output interfaces: storing to a file, storing to a database, or sending to other data processing platforms;
login information scanning and recording module: scans the current server in real time for SSH sessions that have connected or exited, obtains their PID information, determines the target PID for the other modules from the association between the multiple levels of PIDs, and then records the SSH client login information through the user information management module;
automatic garbage cleaning module: automatically cleans up the client's junk files using the PID information of logged-out SSH clients provided by the login information scanning and recording module;
deletion operation policy receiving and processing module: receives and processes the issued deletion operation policy and, according to the policy, controls whether the user's deletion operation is allowed or whether a backup is made before deletion; the policy can be specified for files, folders and similar targets.
The system for acquiring the SSH encrypted content of multiple clients distinguishes two types of SSH client user operations according to the process that executes the command: operations on the operating system are marked as system commands, operations on a database are marked as database commands, and the specific database type is identified. From the SSH session information it obtains the login user name, IP address, port number, login time, the time and content of system command operations, the time and content of database operations, the database type, the user exit time and other information.
In this system, the parsing policy receiving and processing module additionally distinguishes different servers by IP address and different SSH clients by IP address and PID, supports issued policy control, and designates the target server by IP address.
Compared with the prior art, the invention has the following beneficial effects:
1. the encrypted content of SSH communication can be obtained and the commands executed by the SSH client restored;
2. because hooking is done in Ring3, kernel differences need not be considered, stability and compatibility are strong, the start-up and running of other programs on the system are not affected, no SSH service anomalies are caused, existing and newly established SSH connections are essentially unaffected, there is no noticeable delay or stalling, and the user is essentially unaware of it;
3. system commands, database commands and the specific database type can be distinguished accurately;
4. different servers are distinguished by IP address and different SSH clients by IP address and PID, and multiple target servers can be controlled selectively by issuing a policy configuration containing their IP addresses;
5. no data operated on by the SSH client during the session is lost or omitted;
6. user switching and rollback are supported, for example switching from root to usr and switching back from usr to root;
7. the protective capability of the system is enhanced: dangerous operations by the SSH client user, such as deleting important files, dropping a database or changing important configuration, can be controlled effectively through policy configuration, or the files to be deleted or protected can be backed up so that the data can be recovered later.
Drawings
FIG. 1 is a flow diagram of finding a hook point at which SSH encrypted content can be obtained;
FIG. 2 is a flow diagram of debugging with GDB a database client program (e.g. SQL*Plus of Oracle) for which part of the SSH encrypted content cannot be obtained, in order to find a new hook point;
FIG. 3 is a flow diagram of the SSH server and database client programs invoking libc library functions after the hook is enabled;
FIG. 4 is a diagram of an example of system command data saved at the hook;
FIGS. 5 and 6 are diagrams of examples of database command data saved at the hook;
FIGS. 7 and 8 are diagrams of two examples of SSH client operation commands that have been parsed and restored.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
As shown in FIGS. 1 to 8, in the method for obtaining SSH encrypted content based on HOOK technology of the present invention, the SSH server program is analyzed by dynamically tracing the sshd process with strace, which reveals the read function as a hook point; it is then found that some database data cannot be captured, so the database client programs are debugged with GDB, which reveals further hook points such as fgets and fwrite;
the content decrypted by the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by analyzing the recorded data. The specific steps are as follows:
1) after an SSH session has been established, acquire the PID of the process calling the hooked function and the current time, locate the target process from the process name obtained via the PID, and record the time at which the SSH client command was acquired, the ASCII code string, the plaintext data and similar information, writing them into a cache file;
2) compile the hook functions into a dynamic library (.so file), write the generated .so file into the /etc/ld.so.cache file using the Linux preload mechanism (or the former is preferred), and capture and cache the data; a new cache file is created if it does not exist;
3) analyze the cached data with the custom analysis method to obtain the SSH encrypted content and restore the content of the commands the SSH client executed.
In this method the hook points are libc library functions such as read, fgets and fwrite, and the custom analysis method comprises the following steps: read the position up to which the file was last read; if the position has been updated, read the cache data captured by the hooks from that position, extract the time information, ASCII code string, plaintext data and other fields, process the plaintext data string (handling spaces, carriage returns and similar characters), determine the key value from whether each character is displayable and from its ASCII code, treat the carriage return key (ASCII 0x0d or 0x0a) as the end marker of each complete command, interpret certain special keys (such as Space, Enter, Backspace, the cursor keys and so on), and finally restore the complete command.
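The custom analysis method described above (and summarised earlier in the Disclosure of Invention), as an added Python example; this is not the patent's own code, and the cache record format, the sample records, the PIDs and the timestamps are all constructed assumptions. It restores commands per process from hook-captured records: displayable ASCII is inserted at the cursor, 0x0d or 0x0a ends a command, Backspace, Delete and the Left/Right cursor keys edit the line, only the part of the file after the last processed position is read, and a half-typed command stays pending until the next run.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Cache record format (an assumption): "<unix_time>\t<pid>\t<hex_bytes>\n" per hooked call.
RECORD_RE = re.compile(r"^(\d+)\t(\d+)\t([0-9a-fA-F]*)$")
ENTER = {0x0D, 0x0A}       # CR or LF marks the end of a complete command
BACKSPACE = {0x7F, 0x08}   # DEL or BS erases the character before the cursor
ESC = 0x1B                 # cursor keys arrive as ESC [ <params> <final> or ESC O <final>

@dataclass
class Command:
    pid: int
    time: int   # timestamp of the first keystroke of the command
    text: str

@dataclass
class LineState:   # line-editor model for one process: what the user's command line looks like
    buf: List[str] = field(default_factory=list)
    cursor: int = 0
    esc: List[int] = field(default_factory=list)   # escape sequence in progress
    started: Optional[int] = None

    def feed(self, b: int, ts: int) -> Optional[Tuple[int, str]]:
        # Apply one keystroke byte; return (start_time, text) when Enter completes a line.
        if self.esc:
            self.esc.append(b)
            if len(self.esc) == 2 and b not in (0x5B, 0x4F):   # not CSI/SS3 (Alt-key): drop
                self.esc = []
            elif len(self.esc) >= 3 and 0x40 <= b <= 0x7E:      # final byte of the sequence
                self._apply_cursor_key(bytes(self.esc[2:]))
                self.esc = []
            return None
        if b == ESC:
            self.esc = [b]
            return None
        if self.started is None:
            self.started = ts
        if b in ENTER:
            text, start = "".join(self.buf), self.started
            self.buf, self.cursor, self.started = [], 0, None
            return (start, text)
        if b in BACKSPACE:
            if self.cursor > 0:
                self.cursor -= 1
                del self.buf[self.cursor]
        elif 0x20 <= b < 0x7F:                                  # displayable ASCII: insert
            self.buf.insert(self.cursor, chr(b))
            self.cursor += 1
        # Tab completion, Ctrl-C etc. are resolved by the shell and cannot be replayed: ignored.
        return None

    def _apply_cursor_key(self, seq: bytes) -> None:
        if seq.endswith(b"D"):                                  # Left
            self.cursor = max(0, self.cursor - 1)
        elif seq.endswith(b"C"):                                # Right
            self.cursor = min(len(self.buf), self.cursor + 1)
        elif seq == b"3~" and self.cursor < len(self.buf):      # Delete
            del self.buf[self.cursor]
        # Up/Down recall shell history, which the keystroke stream alone cannot reproduce.

def parse_cache(text: str, last_pos: int = 0, states: Optional[Dict[int, LineState]] = None
                ) -> Tuple[List[Command], int, Dict[int, LineState]]:
    """Parse records appended since last_pos; return commands, new position, per-PID state."""
    # Only complete lines are consumed: a record still being written is picked up next
    # time, and a half-typed command stays pending in `states`.
    states = {} if states is None else states
    commands: List[Command] = []
    pos = last_pos
    while (nl := text.find("\n", pos)) >= 0:
        line, pos = text[pos:nl], nl + 1
        m = RECORD_RE.match(line)
        if not m:                         # corrupt record: skip it and keep going
            continue
        ts, pid, hexdata = int(m.group(1)), int(m.group(2)), m.group(3)
        st = states.setdefault(pid, LineState())
        for b in bytes.fromhex(hexdata):
            done = st.feed(b, ts)
            if done is not None and done[1]:   # drop empty lines (bare Enter, CR+LF pairs)
                commands.append(Command(pid, done[0], done[1]))
    return commands, pos, states

# Constructed sample cache: pid 4242 is the shell behind the hooked read() in an
# sshd session, pid 4300 a database client behind the hooked fgets().
SAMPLE_CACHE = "".join(r + "\n" for r in [
    "1612345678\t4242\t6c73",                      # ls
    "1612345679\t4242\t202d6c0d",                  # " -l" pasted, then Enter -> "ls -l"
    "1612345690\t4242\t636174202f6574787f",        # cat /etx, Backspace
    "1612345691\t4242\t632f686f7374730d",          # c/hosts, Enter -> "cat /etc/hosts"
    "1612345700\t4300\t73656c65637420313b0a",      # select 1;\n -> "select 1;"
    "1612345710\t4242\t65686f206869",              # eho hi
    "1612345711\t4242\t1b5b441b5b441b5b441b5b441b5b44",  # Left x5
    "1612345711\t4242\t630d",                      # c inserted after the 'e', Enter -> "echo hi"
    "1612345720\t4242\t7077",                      # pw (still being typed)
])
SAMPLE_CACHE_MORE = "1612345721\t4242\t640d\n"    # d, Enter appended later -> "pwd"

def reconstruct_sample() -> List[str]:
    # Two passes over the sample, as the analysis module would do on successive runs.
    cmds, pos, states = parse_cache(SAMPLE_CACHE)
    more, _, _ = parse_cache(SAMPLE_CACHE + SAMPLE_CACHE_MORE, pos, states)
    return [f"{c.time} pid={c.pid} {c.text}" for c in cmds + more]
```

reconstruct_sample() returns the five restored commands as "time pid=N command" lines, the last one ("pwd") completed only by the second pass. Tab completion and history recall are performed by the shell rather than by the keystrokes, so a deployment that must restore them also needs the process's output side.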
Example 1:
The principle and method of the invention are based on, but not limited to, the /etc/ld.so.preload file mechanism; the systems to which they apply include, but are not limited to, Linux, and the method can also be extended to Windows and macOS systems.
As shown in FIGS. 1 to 8, the present invention provides a method for acquiring SSH encrypted content based on HOOK technology, to solve the problem that, because SSH communication traffic cannot be decrypted, its content cannot be obtained and the unauthorized deletion or emptying of important files or disks cannot be supervised. The SSH server program is analyzed by dynamically tracing the sshd process with strace to find a hook point; testing the hook point shows that some database data cannot be captured, so the database client program is debugged with GDB to find further hook points; the SSH encrypted content is then acquired through the hook points, the data is cached, and the data is analyzed to restore the SSH client user's operation commands.
After strace has traced the sshd process, the hook point found is the read function, as shown in FIG. 1; the hook logic for read is compiled into a .so file, the .so file is written into /etc/ld.so.preload, and it is then checked whether plaintext data is acquired;
as shown in FIG. 2, when plaintext data cannot be obtained, the relevant program is debugged to find a new hook point;
as shown in FIG. 3, once the hook function is enabled, the SSH server program and the database client program call the libc library functions.
Example 2:
The system for acquiring the SSH encrypted content of multiple clients has the following characteristics: an issued policy controls whether forensics is enabled; multiple Linux servers and multiple clients can be subjected to forensics in batch at the same time, with the servers and clients distinguished accurately and without affecting each other; whether a client is running a system command (such as ls, ifconfig, etc.) or a database command (such as use or select statements, etc.) is distinguished accurately, as is the specific database type; the client's SSH-encrypted operation commands are restored from the cached data by the parsing logic; the connection state of SSH clients is obtained in real time, and as soon as an SSH client exits, the exit time is recorded and the cache files and junk files related to that client are deleted; logging is supported so that operation records are easy to review; and the history files saved by the current user can also be obtained.
The working process is as follows: after a user logs in to the Linux server through SSH client software, the client information is recorded and cached as a custom info file; as the client user executes commands, the system commands run (such as ls, ifconfig, etc.) and the login and business operations on the various databases (such as use, select, etc.) are recorded and cached as an idata file; and when the client logs out, the time is recorded and cached as an exit file.
1. When the forensics function is enabled
the information acquired comprises the login user name, SSH client IP address, SSH client port, SSH server IP address, SSH server port, login time, exit time, system operation time, ASCII codes and commands, switched user name, database login time, database operation time, ASCII information and plaintext data;
2. When the forensics function is not enabled
only the information on all currently logged-in clients is obtained, comprising the login user name, SSH client IP address, SSH client port, SSH server IP address, SSH server port, login time and exit time.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
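The working process above depends on the hook library being preloaded into the sshd process group. As an added defensive example, not the patent's code, the Python below checks the artefacts that mechanism leaves on a host: entries in /etc/ld.so.preload, LD_PRELOAD in a process environment, and shared objects mapped into sshd from outside the system library directories. The trusted-directory list and all sample inputs are constructed assumptions.

```python
import re
# Directories the system loader is expected to serve shared objects from
# (assumption; adjust to the distribution's layout).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/local/lib/", "/usr/libexec/")
# /proc/<pid>/maps: address perms offset dev inode [pathname, maybe "(deleted)"]
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(?P<path>/.*)$")


def preload_entries(ld_so_preload_text: str) -> list:
    """Libraries listed in /etc/ld.so.preload (blank lines and # comments ignored)."""
    lines = (ln.strip() for ln in ld_so_preload_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def ld_preload_from_environ(environ: bytes) -> list:
    """LD_PRELOAD entries from a /proc/<pid>/environ dump (NUL-separated vars)."""
    for var in environ.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def suspicious_libraries(maps_text: str) -> list:
    """Shared objects mapped from outside TRUSTED_LIB_DIRS, or whose backing
    file was deleted after loading (a dropped hook library often is)."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if ".so" not in path.rsplit("/", 1)[-1]:
            continue                      # the executable itself, locale data, etc.
        if path.endswith("(deleted)") or not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def assess(preload_text: str, maps_text: str, environ: bytes) -> list:
    """Findings for one sshd-group process; an empty list means nothing was seen."""
    findings = ["ld.so.preload lists " + p for p in preload_entries(preload_text)]
    findings += ["LD_PRELOAD in environment: " + p
                 for p in ld_preload_from_environ(environ)]
    findings += ["untrusted or deleted library mapped: " + p
                 for p in suspicious_libraries(maps_text)]
    return findings


# Constructed sample: a hook library pushed in through /etc/ld.so.preload.
SAMPLE_PRELOAD = "# system-wide preload\n/tmp/.cache/libhook.so\n"
SAMPLE_MAPS = """55d1c0a00000-55d1c0a9c000 r-xp 00000000 fd:01 131 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 fd:01 662 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c402000 r-xp 00000000 fd:01 901 /tmp/.cache/libhook.so
7ffd2e5f0000-7ffd2e611000 rw-p 00000000 00:00 0 [stack]"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LANG=C\0"
```

On a live host the same functions take the text of /etc/ld.so.preload and the maps and environ files of each process whose name is sshd or a child of it.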

Claims (5)

1. A method for obtaining SSH encrypted content based on HOOK technology, characterized in that the SSH server program is analyzed, the sshd process is traced dynamically with strace, and the read function is found as a HOOK point; since only part of the database data can be captured this way, GDB is used to debug the database client programs and find further HOOK points such as fgets and fwrite;
the content decrypted by the SSH communication is acquired and recorded through all the hook points, and the SSH encrypted content is then obtained by parsing the data; the method comprises the following specific steps:
1) after the SSH session is successfully established, acquiring the PID of the process calling the corresponding function and the current time, finding the target process according to the process name obtained from the PID, and recording the time at which the SSH client command was acquired, the ASCII code character string, the plaintext data and similar information into a cache file;
2) compiling the function code into a dynamic library (so file) and writing the generated so file into the /etc/ld.so.cache file using the Linux preload mechanism (the former being preferred), so that the data is captured and cached; a new file is created when the cache file does not exist;
3) parsing the cache data with the custom parsing method to obtain the SSH encrypted content and restore the command content of the SSH-encrypted client operations.
2. The method for obtaining SSH encrypted content based on HOOK technology according to claim 1, characterized in that the HOOK points are functions of the libc library such as read, fgets and fwrite, and the custom parsing method is: reading the position information recorded for the last read of each file; if the position information has been updated, reading the cache data acquired by the hook from the last position, extracting the time information, the ASCII code character string, the plaintext data and similar information, processing the plaintext data character string, determining the key value information according to whether each character is a displayable character and its corresponding ASCII code, taking the Enter key as the end marker of each complete command, parsing certain special keys, and finally restoring the complete information.
3. A system for obtaining multi-client SSH encrypted content, characterized in that the method of claims 1-2 is applied, the system comprising a front-end part and a back-end part;
the back-end part: injects the so library file into the process group related to each SSH session through the hook technology, caches the captured data, and controls the user's deletion operations;
the back-end part comprises a data capturing and caching module and a deletion operation control module;
data capturing and caching module: acquires and caches the captured data together with the time, PID, process name and similar information, then resumes the original system call flow and returns its corresponding return value;
deletion operation control module: manages the user's deletion operations through permissions according to the deletion operation control policy;
the front-end part: shell scripts complete functions such as starting, stopping and managing the executable files, and the executable binary file mainly completes functions such as user information management, data parsing and restoration, command type identification, policy receiving and processing, and automatic garbage cleaning;
the front-end part comprises a log generation module, a process daemon and self-starting module, a parsing policy receiving and processing module, a data parsing, restoration and output module, a user information management module, a system and database command identification module, an output source control module, a login information scanning and recording module, an automatic garbage cleaning module and a deletion operation policy receiving and processing module;
log generation module: generates a log file through simple parameter input for the user to check; the log file can also be transmitted to a specified database through a customized interface, or to a dedicated auditing platform, and stored in any data source, so that the user can audit it conveniently;
process daemon and self-starting module: supports a process daemon function, so that the process is restarted after an abnormal exit without losing the client's operation information during the abnormal period, and supports self-starting at boot, beginning to acquire information as soon as a client connects;
parsing policy receiving and processing module: provides the function of receiving and processing the issued policy file, which specifies whether to enable the parsing function, and achieves control of multiple servers at once by specifying the IP address of the target server;
data parsing, restoration and output module: processes the information provided by the interaction module, processes the data cached at the back end, parses the corresponding system command and database command files according to the PID information, records the currently read position of each file separately, and outputs the restored time and command information of the SSH client operations;
user information management module: manages the currently logged-in user of the SSH client and the information after a user switch, including the login time, the IP address and port of the SSH client, the IP address and port of the current server, the user exit time and the like;
system and database command identification module: identifies system commands and database commands according to the PID information, parses the specific database type, and provides the corresponding information to the other modules after identification;
output source control module: receives the user login and exit information, receives the restored and identified system command and database command information, and provides various output interfaces, storing the output to a file or a database, or sending it to other data processing platforms and the like;
login information scanning and recording module: scans in real time the SSH sessions that have connected successfully or exited on the current server to obtain the PID information, determines the target PID for the other modules to use according to the association between the multiple levels of PIDs, and then records the SSH client login information through the user information management module;
automatic garbage cleaning module: automatically cleans the junk files of a client, using the PID information of the logged-out SSH client provided by the login information scanning and recording module;
deletion operation policy receiving and processing module: receives and processes the issued deletion operation policy and, according to the policy, controls whether the user's deletion operation is allowed or a backup is made before deletion; the policy can specify forms such as files and folders.
4. The system of claim 3, wherein two different types of SSH client user behavior are distinguished according to the process that executes the command: operations on the operating system are marked as system commands, operations on a database are marked as database commands, and the specific database type is identified; from the SSH session information, the login user name, IP address, port number, login time, time and content of system command operations, time and command content of database operations, database type, user exit time and other information are obtained.
5. The system of claim 3, wherein the parsing policy receiving and processing module further: distinguishes different servers according to IP address, distinguishes different SSH clients according to IP address and PID, supports issued policy control, and designates a target server through its IP address.
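The custom parsing method of claim 2 (displayable characters appended, the Enter key as the end of each command, special keys handled) is the same reconstruction a session-audit tool performs on any per-keystroke terminal record. As an added example that is not the patent's code, the function below applies those rules to constructed (timestamp, bytes) chunks; the record format and the treatment of Backspace, Ctrl-U, Ctrl-C and cursor-key escape sequences are assumptions, since the claim names only "certain special keys".

```python
# Added example (not the patent's code): restore complete commands from a
# per-keystroke terminal record using the rules stated in claim 2.
# Record format is an assumption: an ordered list of (timestamp, bytes)
# chunks, one per read of the terminal input.
ENTER = {0x0D, 0x0A}          # CR or LF ends a complete command
BACKSPACE = {0x08, 0x7F}      # BS / DEL remove the previous character
CTRL_U, CTRL_C, ESC = 0x15, 0x03, 0x1B


def _skip_csi(chunk: bytes, i: int) -> int:
    """Index just past an ESC [ ... sequence (cursor keys etc.) starting at i."""
    j = i + 2
    while j < len(chunk) and not 0x40 <= chunk[j] <= 0x7E:
        j += 1
    return j + 1


def reconstruct_commands(records):
    """Return [(start_time, command), ...]; start_time is the timestamp of the
    chunk that carried the command's first displayable character."""
    commands, buf, start = [], [], None
    for ts, chunk in records:
        i = 0
        while i < len(chunk):
            b = chunk[i]
            if b == ESC and chunk[i + 1:i + 2] == b"[":
                i = _skip_csi(chunk, i)      # assumption: cursor keys are ignored
                continue
            if b in ENTER:                    # Enter marks the end of a command
                if buf:
                    commands.append((start, "".join(buf)))
                buf, start = [], None
            elif b in BACKSPACE:
                if buf:
                    buf.pop()
            elif b in (CTRL_U, CTRL_C):       # line killed or abandoned
                buf, start = [], None
            elif 0x20 <= b < 0x7F:            # displayable ASCII, per claim 2
                if start is None:
                    start = ts
                buf.append(chr(b))
            # other control bytes carry no command text and are dropped
            i += 1
    return commands


# Constructed sample: "lx<BS>s<CR>", a database command, an abandoned line
# preceded by a stray arrow-key escape, then a command ended by LF.
SAMPLE_RECORDS = [
    ("10:00:01", b"l"), ("10:00:01", b"x"), ("10:00:02", b"\x7f"),
    ("10:00:02", b"s\r"),
    ("10:00:05", b"use mydb;\r"),
    ("10:00:09", b"\x1b[A"), ("10:00:09", b"whoami\x03"),
    ("10:00:12", b"select 1;\n"),
]
```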
CN202110160507.3A 2021-02-05 2021-02-05 Method for obtaining SSH encrypted content based on HOOK technology and application thereof Active CN112926050B (en)

Publications (2)

Publication Number Publication Date
CN112926050A true CN112926050A (en) 2021-06-08
CN112926050B CN112926050B (en) 2024-02-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant