CN112926050B - Method for obtaining SSH encrypted content based on HOOK technology and application thereof - Google Patents
- Publication number: CN112926050B (application number CN202110160507.3A)
- Authority: CN (China)
- Prior art keywords: information, ssh, module, data, command
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring
  - G06F11/36—Preventing errors by testing or debugging software
  - G06F11/362—Software debugging
  - G06F11/3636—Software debugging by tracing the execution of the program
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
  - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/50—Network services
  - H04L67/56—Provisioning of proxy services
  - H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/22—Parsing or analysis of headers
Abstract
The invention relates to the technical field of network security, and in particular to a method for acquiring SSH encrypted content based on HOOK technology. The method finds hook points by tracing, debugging and analyzing the SSH server program and the database client programs, obtains the plaintext data produced after the SSH communication is decrypted through all of those hook points, and finally parses that data to recover the content of the user operation commands carried in the SSH encrypted channel. The SSH server program is analyzed and the sshd process is traced dynamically to locate the hook point read function; when it is found that only part of the database data can be captured, the database client programs are debugged with GDB and additional hook point functions such as fgets and fwrite are located. The decrypted content of the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by parsing that data.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method for acquiring SSH encrypted content based on a HOOK technology.
Background
SSH consists of three main parts:
1. The transport layer protocol provides server authentication, confidentiality and integrity, using strong encryption, cryptographic host authentication and integrity protection. Authentication at this layer is host-based; the protocol does not perform user authentication.
2. The user authentication protocol authenticates the client-side user to the server. It runs on top of the transport layer protocol and receives a session identifier from the lower-layer protocol; the session identifier uniquely identifies the session and is suitable for signing to prove ownership of a private key.
3. The connection protocol multiplexes the encrypted tunnel into several logical channels. It runs on top of the user authentication protocol and provides interactive login sessions, remote command execution, forwarding of TCP/IP connections and forwarding of X11 connections.
Because SSH encrypts all transmitted data and the traffic cannot be decrypted in transit, man-in-the-middle attacks, DNS spoofing and IP spoofing are prevented. In addition, SSH compresses the data it transmits, so transfers are fast.
The SSH protocol is a basic building block of Internet security; it is widely deployed and has become a standard component of Linux systems.
Because of the security mechanisms of the SSH protocol, however, the information of an attacker cannot be obtained, attack behaviour cannot be reconstructed as evidence, and a concealed malicious user cannot be tracked, which poses a serious hidden risk and potential loss to every party associated with the data.
Current Linux systems offer various HOOK schemes, from Ring3 to Ring0. Ring3 schemes include hooking a library file through the LD_PRELOAD mechanism, dynamic injection into a target process through ptrace, and PLT redirection hooks; Ring0 schemes include inline hooks and the like.
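Since the Ring3 scheme named above (and the method described later on this page) works by listing a library in /etc/ld.so.preload, a defender auditing a host wants two checks: whether that file names anything unexpected, and whether a process such as sshd has a shared object mapped from outside the system library directories. The following Python is an added example written for this page, not code from the patent. It parses the text of /etc/ld.so.preload (glibc accepts paths separated by whitespace or colons, with `#` comments) and of a /proc/<pid>/maps file; both inputs below are constructed samples, and the list of trusted library directories is an assumption to adjust per distribution.

```python
"""Detection helpers for ld.so.preload-based library hooks (added example)."""
import os
import re

# Assumed set of directories from which a stock install maps shared objects.
# Trailing slashes keep "/lib/" from matching a path such as "/libfoo/x.so".
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed samples standing in for the real files.
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libhook_ssh.so\n"
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c200000-7f1a2c210000 r-xp 00000000 fd:01 5678 /usr/local/lib/libhook_ssh.so
7f1a2c300000-7f1a2c310000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd3b000000-7ffd3b021000 rw-p 00000000 00:00 0 [stack]
"""


def unexpected_preload_entries(preload_text, allowlist=()):
    """Return library paths from an /etc/ld.so.preload file that are not allow-listed.

    Any non-empty file is itself noteworthy: most systems ship without one.
    """
    found = []
    for raw in preload_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        # glibc accepts several names per line separated by whitespace or ':'
        for path in re.split(r"[\s:]+", line):
            if path and path not in allowlist:
                found.append(path)
    return found


def foreign_mapped_libraries(maps_text, trusted_dirs=TRUSTED_LIB_DIRS):
    """Return shared objects mapped into a process (from /proc/<pid>/maps text)
    that live outside the trusted library directories."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:               # anonymous mapping, no path column
            continue
        path = parts[5].strip()
        if not path.endswith(".so") and ".so." not in path:
            continue                     # not a shared object (binary, [stack], ...)
        if not path.startswith(trusted_dirs):
            libs.add(path)
    return sorted(libs)


def audit_process(pid, preload_path="/etc/ld.so.preload"):
    """Live check on a Linux host: run both tests for one running process."""
    report = {"preload": [], "foreign_libs": []}
    if os.path.exists(preload_path):
        with open(preload_path) as f:
            report["preload"] = unexpected_preload_entries(f.read())
    maps_file = f"/proc/{pid}/maps"
    if os.path.exists(maps_file):
        with open(maps_file) as f:
            report["foreign_libs"] = foreign_mapped_libraries(f.read())
    return report


if __name__ == "__main__":
    print(unexpected_preload_entries(SAMPLE_PRELOAD))
    print(foreign_mapped_libraries(SAMPLE_MAPS))
    print(audit_process(os.getpid()))
```

A library placed under /usr/lib would pass the second check, so the two tests are complementary rather than redundant; comparing the preload list against a known-good baseline is the stronger signal.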
Disclosure of Invention
In order to solve the above technical problems, one object of the present invention is to provide a method for obtaining SSH encrypted content based on HOOK technology, which finds hook points by tracing, debugging and analyzing the SSH server program and the database client programs, obtains the plaintext data produced after the SSH communication is decrypted through all of those hook points, and finally parses that data to obtain the content of the user operation commands carried in the SSH encrypted channel;
another object of the present invention is to provide a system obtained by applying the method for acquiring SSH encrypted content based on HOOK technology, which can acquire the encrypted content of multiple clients.
In the method for acquiring SSH encrypted content based on HOOK technology, the SSH server program is analyzed and the sshd process is traced dynamically to locate the hook point read function; when it is found that only part of the database data can be captured, the database client programs are debugged with GDB and additional hook point functions such as fgets and fwrite are located;
the decrypted content of the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by parsing the data. The method comprises the following steps:
1) Hook the functions read, fgets, fwrite and the like of the libc library. After an SSH session has been established successfully, obtain the PID of the process calling the hooked function and the current time, obtain the process name from the PID to identify the target process, record the time at which the SSH client command was obtained, the ASCII character string, the plaintext data and other information, and write this information to a cache file;
2) Compile the functional code into a dynamic library (.so file) and, using the Linux preload mechanism, write the generated .so file into the /etc/ld.so.preload file (or the /etc/ld.so.cache file; /etc/ld.so.preload is preferred), creating the file if it does not exist, so that data is captured and cached;
3) Parse the cached data with the custom parsing method to obtain the SSH encrypted content, and restore the command content of the SSH client operations carried in the encrypted channel.
In the method for acquiring SSH encrypted content based on HOOK technology provided by the invention, the hook points are the functions read, fgets, fwrite and the like of the libc library, and the custom parsing method is as follows: if the position information of the last file read has been updated, read the cached data obtained since the last position and extract the time information, ASCII character string, plaintext data and other information; first process the plaintext data string, determining the key value information from whether each character is displayable and from the corresponding ASCII code; then treat each complete command as a unit terminated by the Enter key, parse some special keys, and finally restore the complete information.
The invention also relates to a system for acquiring the SSH encrypted content of multiple clients, which applies the above method and comprises a front end part and a back end part;
back end part: injects the .so library file into each process group related to an SSH session through the hook technique, caches the captured data, and controls the user's delete operations;
the back end part comprises a data capture and caching module and a delete operation control module;
data capture and caching module: acquires and caches the captured data such as time, PID and process name, then resumes the original system call flow and returns the corresponding return value;
delete operation control module: manages the user's delete operations through permissions according to the delete operation control policy;
front end part: shell scripts handle starting, stopping and managing the executable files, and the executable binaries mainly implement user information management, data parsing and restoration, command type identification, policy receiving and processing, automatic garbage cleaning and so on;
the front end part comprises a log generation module, a process daemon and auto-start module, an analysis policy receiving and processing module, a data parsing, restoration and output module, a user information management module, a system and database command identification module, an output source control module, a login information scanning and recording module, an automatic garbage cleaning module and a delete operation policy receiving and processing module;
log generation module: generates a log file for the user to review from simple parameter input, transmits the log file to a designated database through a custom interface, and transmits it to a dedicated audit platform for storage in any data source, so that the log is convenient for the user to review;
process daemon and auto-start module: supports a process daemon function that restarts the client when it exits abnormally without losing the client's operation information during the abnormal period, and supports starting at boot so that information acquisition begins as soon as a client connects;
analysis policy receiving and processing module: receives and processes a policy file that controls whether the analysis function is enabled, and allows multiple servers to be controlled at the same time by designating the IP address of the target server;
data parsing, restoration and output module: processes the information provided by the interaction module and the data cached at the back end, parses the corresponding system command and database command files according to the PID information, records the current read position of each file separately, and outputs the time and command information of the restored SSH client operations;
user information management module: manages the information of the currently logged-in SSH client user, including after a user switch, comprising the login time, the IP address and port of the SSH client, the IP address and port of the current server, the user exit time and so on;
system and database command identification module: identifies system commands and database commands according to the PID information, determines the specific database type, and provides the corresponding information to other modules after identification;
output source control module: receives user login and exit information and the restored and identified system command and database command information, then provides various output interfaces to store the information in a file, store it in a database, or send it to other data processing platforms;
login information scanning and recording module: scans in real time the SSH sessions that have connected successfully or exited on the current server, acquires PID information, determines the target PID for other modules to use according to the multi-level PID association relationship, and then records the SSH client login information through the user information management module;
automatic garbage cleaning module: receives the PID information of an exiting SSH client from the login information scanning and recording module and automatically cleans up that client's junk files;
delete operation policy receiving and processing module: receives and processes the issued delete operation policy and, according to the policy, controls whether a user's delete operation is allowed or a backup is taken before deletion; the policy can cover files, folders and other forms.
In the system for acquiring the SSH encrypted content of multiple clients, two different types of SSH client user operation behaviour can be distinguished according to the process that executes the command: operations on the operating system are marked as system commands, operations on a database are marked as database commands, and the specific database type is identified. From the SSH session information it is possible to obtain, for example, the login user name, IP address, port number, login time, the time and content of system command operations, the time and command content of database operations, the database type, the user exit time, and so on.
The analysis policy receiving and processing module of the system for acquiring the SSH encrypted content of multiple clients has the following functions: different servers are distinguished by IP address, different SSH clients are distinguished by IP address and PID, issuing of control policies is supported, and the target server is designated by its IP address.
Compared with the prior art, the invention has the following beneficial effects:
1. the encrypted content of the SSH communication can be obtained, and the commands executed by the SSH client can be restored;
2. the hook mode under Ring3 is used, so kernel differences need not be considered; stability and compatibility are strong, the startup and running of other programs on the system are not affected, the SSH service is not disrupted, existing and newly established SSH connections are essentially unaffected, there is no noticeable delay or blocking, and the user essentially does not notice it;
3. system commands and database commands can be distinguished accurately, as can the specific database type;
4. different servers are distinguished by IP address, different SSH clients are distinguished by IP address and PID, and multiple target servers can be controlled selectively by issuing a policy configuration containing their IP addresses;
5. data operated on by the SSH client while the session is held is neither lost nor missed;
6. user switching and switching back are supported, such as switching from root to an ordinary user (usr) and back from usr to root;
7. the protection capability of the system is enhanced: dangerous operations by SSH client users, such as deleting important files, deleting databases or changing important configuration, are controlled effectively through policy configuration, or the files to be deleted or protected are backed up, which facilitates later recovery of the data.
Drawings
FIG. 1 is a flow chart of finding the hook points from which SSH encrypted content can be obtained;
FIG. 2 is a flow chart of debugging a database client program (e.g. Oracle's sqlplus) with GDB to look for new hook points when SSH encrypted content cannot be obtained;
FIG. 3 is a flow chart of the SSH server program and database client program calling libc library functions after the hook is enabled;
FIG. 4 is a diagram of example system command data saved at hook time;
FIGS. 5 and 6 are diagrams of example database command data saved at hook time;
FIGS. 7 and 8 are diagrams of two examples of SSH client operation commands after parsing.
Detailed Description
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. The following examples are illustrative of the invention and are not intended to limit the scope of the invention.
As shown in Figs. 1 to 8, in the method for acquiring SSH encrypted content based on HOOK technology of the present invention, the SSH server program is analyzed, the sshd process is traced dynamically to locate the hook point read function, it is found that only part of the database data can be captured, the database client programs are debugged with GDB, and additional hook point functions such as fgets and fwrite are located;
the decrypted content of the SSH communication is acquired and recorded through all hook points, and the SSH encrypted content is then obtained by parsing the data. The method comprises the following steps:
1) Hook the functions read, fgets, fwrite and the like of the libc library. After an SSH session has been established successfully, obtain the PID of the process calling the hooked function and the current time, obtain the process name from the PID to identify the target process, record the time at which the SSH client command was obtained, the ASCII character string, the plaintext data and other information, and write this information to a cache file;
2) Compile the functional code into a dynamic library (.so file) and, using the Linux preload mechanism, write the generated .so file into the /etc/ld.so.preload file (or the /etc/ld.so.cache file; /etc/ld.so.preload is preferred), creating the file if it does not exist, so that data is captured and cached;
3) Parse the cached data with the custom parsing method to obtain the SSH encrypted content, and restore the command content of the SSH client operations carried in the encrypted channel.
In the method for acquiring SSH encrypted content based on HOOK technology provided by the invention, the hook points are the functions read, fgets, fwrite and the like of the libc library, and the custom parsing method is as follows: read the position information of the last file read and, if it has been updated, read the cached data obtained by the hook after the last position and extract the time information, the ASCII character string, the plaintext data and other information; first process the plaintext data string (handling blanks, carriage returns and so on), determining the key value information from whether each character is displayable and from the corresponding ASCII code; then treat the carriage return key (ASCII 0x0d or 0x0a) as the terminator of each complete command, parse some special keys (such as blank, Enter, Backspace and the cursor keys), and finally restore the complete information.
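The parsing method just described (and its shorter statement in the summary above) is essentially a line-editor replay: the hook sees the raw bytes of each keystroke, so the analyzer must apply Backspace, Enter (0x0d/0x0a) and cursor movement itself to recover what the user actually ran. The Python below is an added example for this page, not the patent's own parser; it assumes a capture record format of (timestamp, PID, raw bytes), which is constructed here, and goes slightly beyond the text by keeping a cursor position so that left/right arrow edits are replayed correctly.

```python
"""Reconstruct SSH client command lines from captured keystroke bytes (added example)."""

ESC = 0x1B

# Constructed sample: one interactive shell session (PID 4321) as a read() hook would see it.
SAMPLE_RECORDS = [
    ("2021-02-03 10:15:01", 4321, b"ls -la\r"),
    ("2021-02-03 10:15:04", 4321, b"cat /etc/hostnamee\x7f"),        # typo fixed with Backspace
    ("2021-02-03 10:15:05", 4321, b"\r\n"),
    ("2021-02-03 10:15:09", 4321, b"vim /etc/hos\x03"),               # abandoned with Ctrl-C
    ("2021-02-03 10:15:12", 4321, b"echo hllo\x1b[D\x1b[D\x1b[De\r"),  # cursor-left x3, insert 'e'
]


def _apply_escape(st, seq):
    """Apply a CSI (ESC [ ...) or SS3 (ESC O x) sequence to the edit state."""
    final = seq[-1]
    if final == ord("D"):                         # cursor left
        st["cur"] = max(0, st["cur"] - 1)
    elif final == ord("C"):                       # cursor right
        st["cur"] = min(len(st["buf"]), st["cur"] + 1)
    elif seq == b"\x1b[3~" and st["cur"] < len(st["buf"]):   # Delete key
        del st["buf"][st["cur"]]
    # Up/Down (history recall), Home/End etc. are not modelled here.


def reconstruct_commands(records):
    """records: iterable of (timestamp, pid, bytes) in capture order.

    Returns a list of {"pid", "time", "command"} dicts, one per line terminated by
    Enter; "time" is the timestamp of the record holding the line's first keystroke.
    """
    state = {}      # pid -> {"buf": list of chars, "cur": cursor index, "start": ts, "esc": bytes}
    commands = []
    for ts, pid, data in records:
        st = state.setdefault(pid, {"buf": [], "cur": 0, "start": None, "esc": b""})
        for b in data:
            if st["esc"]:                                  # inside an escape sequence
                st["esc"] += bytes([b])
                if len(st["esc"]) == 2:
                    if b not in (ord("["), ord("O")):      # neither CSI nor SS3: discard
                        st["esc"] = b""
                elif st["esc"][1] == ord("O") or 0x40 <= b <= 0x7E:   # final byte reached
                    _apply_escape(st, st["esc"])
                    st["esc"] = b""
                continue
            if b == ESC:
                st["esc"] = bytes([b])
                continue
            if st["start"] is None and b not in (0x0D, 0x0A):
                st["start"] = ts
            if b in (0x0D, 0x0A):                          # Enter: command complete
                if st["buf"]:
                    commands.append({"pid": pid, "time": st["start"],
                                     "command": "".join(st["buf"])})
                st["buf"], st["cur"], st["start"] = [], 0, None
            elif b in (0x7F, 0x08):                        # Backspace: delete before cursor
                if st["cur"] > 0:
                    del st["buf"][st["cur"] - 1]
                    st["cur"] -= 1
            elif b == 0x03:                                # Ctrl-C: abandon the line
                st["buf"], st["cur"], st["start"] = [], 0, None
            elif 0x20 <= b < 0x7F:                         # printable ASCII: insert at cursor
                st["buf"].insert(st["cur"], chr(b))
                st["cur"] += 1
            # other control bytes (Tab, Ctrl-L, ...) are ignored
    return commands


if __name__ == "__main__":
    for cmd in reconstruct_commands(SAMPLE_RECORDS):
        print(cmd)
```

Two caveats a practitioner should keep in mind: Tab completion and history recall (Up arrow) change the line on the server side without sending the resulting characters, so a keystroke-only reconstruction will miss them unless the hook also records the echoed output; and the first-keystroke timestamp is the right one to attribute to a command, since the Enter may arrive in a later record.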
The invention also relates to a system for acquiring the SSH encrypted content of multiple clients, which applies the above method and comprises a front end part and a back end part;
back end part: injects the .so library file into each process group related to an SSH session through the hook technique, caches the captured data, and controls the user's delete operations;
the back end part comprises a data capture and caching module and a delete operation control module;
data capture and caching module: acquires and caches the captured data such as time, PID and process name, then resumes the original system call flow and returns the corresponding return value;
delete operation control module: manages the user's delete operations through permissions according to the delete operation control policy;
front end part: shell scripts handle starting, stopping and managing the executable files, and the executable binaries mainly implement user information management, data parsing and restoration, command type identification, policy receiving and processing, automatic garbage cleaning and so on;
the front end part comprises a log generation module, a process daemon and auto-start module, an analysis policy receiving and processing module, a data parsing, restoration and output module, a user information management module, a system and database command identification module, an output source control module, a login information scanning and recording module, an automatic garbage cleaning module and a delete operation policy receiving and processing module;
log generation module: generates a log file for the user to review from simple parameter input, transmits the log file to a designated database through a custom interface, and transmits it to a dedicated audit platform for storage in any data source, so that the log is convenient for the user to review;
process daemon and auto-start module: supports a process daemon function that restarts the client when it exits abnormally without losing the client's operation information during the abnormal period, and supports starting at boot so that information acquisition begins as soon as a client connects;
analysis policy receiving and processing module: receives and processes a policy file that controls whether the analysis function is enabled, and allows multiple servers to be controlled at the same time by designating the IP address of the target server;
data parsing, restoration and output module: processes the information provided by the interaction module and the data cached at the back end, parses the corresponding system command and database command files according to the PID information, records the current read position of each file separately, and outputs the time and command information of the restored SSH client operations;
user information management module: manages the information of the currently logged-in SSH client user, including after a user switch, comprising the login time, the IP address and port of the SSH client, the IP address and port of the current server, the user exit time and so on;
system and database command identification module: identifies system commands and database commands according to the PID information, determines the specific database type, and provides the corresponding information to other modules after identification;
output source control module: receives user login and exit information and the restored and identified system command and database command information, then provides various output interfaces to store the information in a file, store it in a database, or send it to other data processing platforms;
login information scanning and recording module: scans in real time the SSH sessions that have connected successfully or exited on the current server, acquires PID information, determines the target PID for other modules to use according to the multi-level PID association relationship, and then records the SSH client login information through the user information management module;
automatic garbage cleaning module: receives the PID information of an exiting SSH client from the login information scanning and recording module and automatically cleans up that client's junk files;
delete operation policy receiving and processing module: receives and processes the issued delete operation policy and, according to the policy, controls whether a user's delete operation is allowed or a backup is taken before deletion; the policy can cover files, folders and other forms.
In the system for acquiring the SSH encrypted content of multiple clients, two different types of SSH client user operation behaviour can be distinguished according to the process that executes the command: operations on the operating system are marked as system commands, operations on a database are marked as database commands, and the specific database type is identified. From the SSH session information it is possible to obtain, for example, the login user name, IP address, port number, login time, the time and content of system command operations, the time and command content of database operations, the database type, the user exit time, and so on.
The analysis policy receiving and processing module of the system for acquiring the SSH encrypted content of multiple clients has the following functions: different servers are distinguished by IP address, different SSH clients are distinguished by IP address and PID, issuing of control policies is supported, and the target server is designated by its IP address.
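The login information scanning module and the system/database command identification module both rest on the "multi-level PID association": a captured record carries only the PID of the process that called read or fgets, and the analyzer must walk the parent chain to the per-session sshd process to tie the record to a login, and look for a database client on the way to decide whether the command is a system or a database command. The Python below is an added example written for this page, not the patent's implementation; the process table is a constructed /proc-style snapshot, and the mapping from client program name to database type is an assumption.

```python
"""Tie hook records to their SSH session and classify them as system or database commands (added example)."""
import os

# Assumed mapping from database client program name (comm) to database type.
DB_CLIENTS = {"sqlplus": "oracle", "mysql": "mysql", "psql": "postgresql", "mongo": "mongodb"}

# Constructed /proc snapshot: (pid, ppid, comm). Two SSH logins, the second with a sudo shell.
SAMPLE_PROCESSES = [
    (1, 0, "systemd"),
    (900, 1, "sshd"),          # listener
    (4300, 900, "sshd"),       # per-connection privileged sshd
    (4310, 4300, "sshd"),      # session sshd running as the login user
    (4321, 4310, "bash"),
    (4350, 4321, "sqlplus"),
    (5100, 900, "sshd"),
    (5110, 5100, "sshd"),
    (5120, 5110, "bash"),
    (5130, 5120, "mysql"),
    (5140, 5120, "sudo"),
    (5150, 5140, "bash"),      # user switched to root; still the same SSH session
]


def build_table(rows):
    """pid -> (ppid, comm)"""
    return {pid: (ppid, comm) for pid, ppid, comm in rows}


def ancestors(pid, table):
    """Yield (pid, comm) for pid and each ancestor; stops at init or on a cycle."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, comm = table[pid]
        yield pid, comm
        pid = ppid


def session_root(pid, table):
    """PID of the nearest sshd ancestor (including pid itself), or None if not under SSH."""
    for apid, comm in ancestors(pid, table):
        if comm == "sshd":
            return apid
    return None


def classify_command(pid, table, db_clients=DB_CLIENTS):
    """('database', type) if pid or an ancestor below the session sshd is a DB client,
    else ('system', None). The walk stops at sshd so one session cannot bleed into another."""
    for _, comm in ancestors(pid, table):
        if comm == "sshd":
            break
        if comm in db_clients:
            return "database", db_clients[comm]
    return "system", None


def session_members(session_pid, table):
    """Every PID that resolves to session_pid: the whole multi-level process group of one login."""
    return sorted(p for p in table if p != session_pid and session_root(p, table) == session_pid)


def snapshot_proc():
    """Read a live Linux /proc into (pid, ppid, comm) rows; returns [] on other systems."""
    rows = []
    names = os.listdir("/proc") if os.path.isdir("/proc") else []
    for name in names:
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                stat = f.read()
        except OSError:
            continue                     # process exited while scanning
        # comm is in parentheses (may contain spaces); after ')' come state and ppid
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        rows.append((int(name), ppid, comm))
    return rows


if __name__ == "__main__":
    table = build_table(SAMPLE_PROCESSES)
    for pid in (4350, 5130, 5150):
        print(pid, session_root(pid, table), classify_command(pid, table))
    print(session_members(5110, table))
```

Because the walk stops at the first sshd, a sudo or su shell (PID 5150 above) still resolves to the login that spawned it, which is what the user-switching support in the feature list requires; a scanner that keyed on the shell's own PID would lose that link.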
Example 1:
The principle and method of acquiring SSH encrypted content based on HOOK technology include, but are not limited to, the /etc/ld.so.preload file mode, and the systems to which the principle and method apply include, but are not limited to, Linux; they may also be extended to Windows and macOS systems;
as shown in Figs. 1 to 8, the invention provides a method for obtaining SSH encrypted content based on HOOK technology, in order to solve the problems that the communication content of the SSH protocol cannot be obtained by decrypting the communication traffic, and that illegal deletion, emptying and the like of important files or disks cannot be monitored; the SSH server program is analyzed, the sshd process is traced dynamically to find a hook point, testing of that hook point shows that only part of the database data can be captured, the database client program is debugged with GDB to find further hook points, the SSH encrypted content is obtained through the hook points and cached, and the data is parsed to restore the commands of the SSH client user's operations carried in the encrypted channel;
after the sshd process has been traced dynamically, the hook point is found to be the read function; the hook read logic is compiled into a .so file, which is written into the /etc/ld.so.preload file, and whether plaintext data is acquired is then analyzed, as shown in Fig. 1;
as shown in Fig. 2, when plaintext data cannot be acquired, the related program is debugged and a new hook point is searched for;
as shown in Fig. 3, once the hook is enabled, the SSH server program and the database client program call the libc library functions through it.
Example 2:
the system for acquiring the SSH encrypted content of the multiple clients has the following characteristics: supporting whether to start the issuing strategy of evidence collection; the method can simultaneously realize batch evidence collection of a plurality of Linux servers and a plurality of clients, and accurately distinguish without mutual influence during evidence collection; whether the client operates on a system command (such as ls, ifconfig, etc.) or a database command (such as use, select statement, etc.), and the specific database type can be accurately distinguished; restoring the operation command of the client encrypted by the SSH through the cache data and the analysis logic; acquiring the connection condition of the SSH client in real time, recording the exit time once the SSH client is found to exit, and deleting the cache file and the junk file related to the client; the log recording function is supported, so that the operation record is convenient to check; the operation history record file stored by the current user can also be obtained;
the working procedure is as follows: after a user successfully logs in a Linux system Server through SSH client software, the client information is recorded and cached into a custom info file, after the client user executes a command, various system commands (such as ls, ifconfig, etc.) of the record operation and login and business operations (such as use, select, etc.) of various databases are cached as. Idata files, and the time when the client exits is recorded and cached as. Exit files.
1. When the evidence obtaining function is started
the acquired information comprises the login user name, SSH client IP address, SSH client port, SSH server IP address, SSH server port, login time, exit time, system operation time, ASCII code and command, switched user name, database login time, database service operation time, ASCII information and plaintext data;
2. When the evidence obtaining function is not started
only the information of all currently logged-in clients is obtained, comprising the login user name, SSH client IP address, SSH client port, SSH server IP address, SSH server port, login time and exit time.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that it will be apparent to those skilled in the art that modifications and variations can be made without departing from the technical principles of the present invention, and these modifications and variations should also be regarded as the scope of the invention.
Claims (4)
1. The method for acquiring SSH encrypted content based on HOOK technology is characterized in that an SSH server program is analyzed, the sshd process is dynamically tracked by using a space, the hook point read function is found, it is found that part of the database data cannot be captured, the database client programs are debugged through GDB, and new hook points, the fgets and fwrite functions, are found;
the decrypted SSH communication content is acquired and recorded through all the hook points, and the SSH encrypted content is then obtained by analyzing the data; the method comprises the following steps:
1) After the SSH session is established successfully, the PID of the process calling the corresponding function and the current time are acquired, the target process is found by obtaining the process name from the PID, the time of acquiring the SSH client command, the ASCII code character string, the plaintext data and other information are recorded, and the information is written into a cache file;
2) The functional code corresponding to step 1) is compiled into a dynamic library .so file; using the Linux preload mechanism, the generated .so file is written into the /etc/ld.so.preload or /etc/ld.so.cache file, preferentially into the /etc/ld.so.preload file, which is created if it does not exist; the data is then captured and cached;
3) A self-defined analysis method analyzes the cached data to obtain the SSH encrypted content and restores the command content of the SSH-encrypted client operations;
the self-defined analysis method comprises the following steps: if the position information of the last file read has been updated, the cached data is read from the last position, and the time information, ASCII code character strings, plaintext data and other information are extracted; the plaintext data character string is processed first, the key value information being determined according to whether the characters are displayable and their corresponding ASCII codes; then each complete command, terminated by the Enter key, is taken as a feature, some special keys are analyzed, and finally the complete information is restored.
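The analysis method of step 3) can be shown concretely. The following added example (not the patent's own code) restores typed commands from cached keystroke records: it resumes from the last read position, classifies each byte by displayability and ASCII code, ends a command at the Enter key and resolves Backspace, Ctrl-C and arrow-key escape sequences; the record layout of (timestamp, bytes) pairs is a constructed assumption.

```python
# Added example, not the patent's code: restore SSH client commands from cached
# keystroke records following the claim's analysis steps. Each record is
# (timestamp, bytes returned by one hooked read); the layout is constructed.
SAMPLE_RECORDS = [
    ("12:00:01", b"l"), ("12:00:01", b"s"), ("12:00:02", b" "),
    ("12:00:02", b"-"), ("12:00:02", b"a"), ("12:00:03", b"\r"),
    ("12:00:05", b"c"), ("12:00:05", b"d"), ("12:00:05", b" "),
    ("12:00:06", b"/tmq"), ("12:00:06", b"\x7f"), ("12:00:06", b"p"),  # typo, DEL, fix
    ("12:00:06", b"\x1b[A"), ("12:00:06", b"\r"),                     # up arrow, Enter
    ("12:00:07", b"w"), ("12:00:07", b"h"), ("12:00:07", b"\x03"),    # Ctrl-C abandons line
    ("12:00:08", b"i"), ("12:00:08", b"d"), ("12:00:09", b"\n"),
    ("12:00:10", b"ec"),                                              # no Enter yet
]


def restore_commands(records, position=0):
    """Return (commands, new_position). commands is a list of
    (time of first keystroke, command text). new_position is what the caller
    passes next time: the first unread record, or the record where a still
    incomplete line began, so that line is re-read once its Enter has arrived."""
    commands, line, started, line_start = [], [], None, None
    i = position
    while i < len(records):
        ts, data = records[i]
        j = 0
        while j < len(data):
            b = data[j]
            if b == 0x1B and j + 1 < len(data) and data[j + 1] == 0x5B:
                # CSI escape sequence (arrow keys etc.): skip to its final byte
                j += 2
                while j < len(data) and not 0x40 <= data[j] <= 0x7E:
                    j += 1
            elif b in (0x0D, 0x0A):                    # Enter ends a command
                if line:
                    commands.append((started, "".join(line)))
                line, started, line_start = [], None, None
            elif b in (0x7F, 0x08):                    # Backspace / DEL
                if line:
                    line.pop()
            elif b == 0x03:                            # Ctrl-C abandons the line
                line, started, line_start = [], None, None
            elif 0x20 <= b <= 0x7E:                    # displayable ASCII
                if started is None:
                    started, line_start = ts, i
                line.append(chr(b))
            # other control bytes carry no text and are ignored
            j += 1
        i += 1
    return commands, (line_start if line else i)
```

Persisting the returned position between runs gives the incremental "read from the last position" behaviour the claim describes, without losing a command split across two cache flushes.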
2. A system for obtaining multi-client SSH encrypted content, to which the method of claim 1 is applied, the system comprising a front-end portion and a back-end portion;
back-end portion: a .so library file is injected into each SSH session related process group through the hook technology, the captured data is cached, and the user's delete operation behaviour is controlled;
the back-end portion comprises a data capture and caching module and a deletion operation control module;
data capture and caching module: acquires and caches the captured data information such as time, PID and process name, and then resumes the original system call and returns its corresponding return value;
deletion operation control module: manages the user's delete operation behaviour through permissions according to the deletion operation control strategy;
front-end portion: shell scripts complete the functions of starting, stopping and managing the executable files, and the executable binary files mainly complete the functions of user information management, data analysis and restoration, command type identification, strategy receiving and processing, automatic garbage cleaning and the like;
the front-end portion comprises a log generation module, a process daemon and self-starting module, a receiving and processing module for the analysis strategy, a data analysis, restoration and output module, a user information management module, a system and database command identification module, an output source control module, a scanning and login information recording module, an automatic garbage cleaning module and a receiving and processing module for the deletion operation strategy;
log generation module: generates a log file for the user to check through simple parameter input, transmits the log file to a designated database through a custom interface, and transmits the log file to a dedicated audit platform for storage in any data source, so that it is convenient for the user to check;
process daemon and self-starting module: supports a process daemon function so that the program restarts when it exits abnormally without losing the clients' operation information during the abnormal period, and supports starting at boot so that information acquisition begins as soon as a client connects;
receiving and processing module for the analysis strategy: provides the function of receiving and processing a strategy file that controls whether the analysis function is started, and achieves simultaneous control of multiple servers by designating the IP address of the target server;
data analysis, restoration and output module: processes the information provided by the interaction module, processes the data cached at the back end, analyzes the corresponding system command and database command files according to the PID information, records the current read position of each file separately, and outputs the time and command information of the restored SSH client operations;
user information management module: manages the information of the currently logged-in SSH client user and of the user after a user switch, the information comprising the login time, the IP address and port of the SSH client, the IP address and port of the current server, the user exit time and the like;
system and database command identification module: identifies system commands and database commands according to the PID information, analyzes the specific database type, and provides the corresponding information to the other modules after identification;
output source control module: receives user login and exit information, receives the restored and identified system command and database command information, and then provides various output interfaces for storing the information into a file, storing it into a database or sending it to other data processing platforms and the like;
scanning and login information recording module: scans in real time for SSH sessions on the current server that have connected successfully or exited, acquires the PID information, determines the target PID for use by the other modules according to the multi-level PID association relationship, and then records the SSH client login information through the user information management module;
automatic garbage cleaning module: obtains the PID information of an exiting SSH client from the scanning and login information recording module and automatically cleans that client's junk files;
receiving and processing module for the deletion operation strategy: receives and processes the issued deletion operation strategy, and according to the strategy controls whether a user's delete operation is allowed or a backup is taken before deletion, so that strategy forms such as files, folders and the like can be supported.
3. The system of claim 2, wherein two different types of SSH client user behaviour can be distinguished according to the process executing the command: an operation on the operating system is marked as a system command, an operation on a database is marked as a database command, and the specific database type is identified; from the SSH session information it is possible to obtain information such as the login user name, IP address, port number, login time, time and content of system command operations, time and command content of database operations, database type, user exit time, etc.
4. The system of claim 2, wherein the receiving and processing module for the analysis strategy further has the following functions: different servers are distinguished according to the IP address, different SSH clients are distinguished according to the IP address and the PID, control of the issued strategy is supported, and the target server is designated through the IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110160507.3A CN112926050B (en) | 2021-02-05 | 2021-02-05 | Method for obtaining SSH encrypted content based on HOOK technology and application thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110160507.3A CN112926050B (en) | 2021-02-05 | 2021-02-05 | Method for obtaining SSH encrypted content based on HOOK technology and application thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112926050A CN112926050A (en) | 2021-06-08 |
CN112926050B true CN112926050B (en) | 2024-02-09 |
Family
ID=76170744
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110160507.3A Active CN112926050B (en) | 2021-02-05 | 2021-02-05 | Method for obtaining SSH encrypted content based on HOOK technology and application thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112926050B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113810431A (en) * | 2021-11-19 | 2021-12-17 | 北京云星宇交通科技股份有限公司 | Method and system for traffic Internet of things terminal security detection based on Hook |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016082371A1 (en) * | 2014-11-25 | 2016-06-02 | 中国科学院声学研究所 | Ssh protocol-based session parsing method and system |
CN107577468A (en) * | 2017-07-25 | 2018-01-12 | 郑州云海信息技术有限公司 | A kind of distance host login method and system with draw-bar box |
CN108243187A (en) * | 2017-12-29 | 2018-07-03 | 亿阳安全技术有限公司 | A kind of automatic encryption method, system and service module based on SSH tunnels |
CN108809964A (en) * | 2018-05-25 | 2018-11-13 | 浙江齐治科技股份有限公司 | A kind of resource access control method and device |
US10333977B1 (en) * | 2018-08-23 | 2019-06-25 | Illusive Networks Ltd. | Deceiving an attacker who is harvesting credentials |
CN113660292A (en) * | 2021-10-19 | 2021-11-16 | 北京安华金和科技有限公司 | Method and device for acquiring information of calling client main body |
CN114462038A (en) * | 2021-12-31 | 2022-05-10 | 北京亿赛通科技发展有限责任公司 | Security protection method, device, equipment and computer readable storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013009621A1 (en) * | 2011-07-08 | 2013-01-17 | Venafi, Inc. | System for managing cryptographic keys and trust relationships in a secure shell (ssh) environment |
CN114153702A (en) * | 2015-04-03 | 2022-03-08 | 甲骨文国际公司 | Method and system for implementing a log parser in a log analysis system |
2021
- 2021-02-05 CN CN202110160507.3A patent/CN112926050B/en active Active
Non-Patent Citations (6)
Title |
---|
2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC); Hirofumi Tsuruta et al.; 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC); pp. 171-1766 * |
Automatic identification method for Twitter encrypted network behaviour; Zhu Hejun et al.; Computer Engineering; vol. 41, no. 12; pp. 166-170 * |
Design of a motion tracking system with adjustable load; Zhao Yuehua et al.; Information Technology; no. 2; pp. 177-181 * |
Android terminal management and control technology based on Inject and Hook; Qin Zhongyuan et al.; Netinfo Security; no. 09; pp. 66-73 * |
Construction of a mimic defense system based on red-blue confrontation; Cui Jing et al.; Telecom Engineering Technics and Standardization; vol. 34, no. 12; pp. 34-39 * |
Research on privacy-preserving malware analysis and detection methods on the Android platform; Ni Jian; China Master's Theses Full-text Database; Information Science and Technology series, I138-92 * |
Also Published As
Publication number | Publication date |
---|---|
CN112926050A (en) | 2021-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108780485B (en) | Pattern matching based data set extraction | |
US8166313B2 (en) | Method and apparatus for dump and log anonymization (DALA) | |
CN106687971B (en) | Automatic code locking to reduce attack surface of software | |
US7900044B2 (en) | Enterprise computer investigation system | |
CN103294950B (en) | A kind of high-power secret information stealing malicious code detecting method based on backward tracing and system | |
US7581136B2 (en) | Method and apparatus for data recovery | |
Casey et al. | Malware forensics field guide for Linux systems: digital forensics field guides | |
CN105827574A (en) | File access system, file access method and file access device | |
CN110138731B (en) | Network anti-attack method based on big data | |
US12088583B2 (en) | Permissions for backup-related operations | |
Zhu et al. | General, efficient, and real-time data compaction strategy for APT forensic analysis | |
CN111800405A (en) | Detection method, detection device and storage medium | |
CN114207615A (en) | System and method for maintaining an immutable data access log with privacy | |
CN111800295A (en) | Server audit management method, device and system | |
CN112926050B (en) | Method for obtaining SSH encrypted content based on HOOK technology and application thereof | |
CN102035847A (en) | User access behavior processing method and system and client | |
CN109088872A (en) | Application method, device, electronic equipment and the medium of cloud platform with service life | |
CN106919844A (en) | A kind of android system vulnerability of application program detection method | |
CN111291001A (en) | Reading method and device of computer file, computer system and storage medium | |
Davidoff | Cleartext passwords in linux memory | |
Eterovic‐Soric et al. | Windows 7 antiforensics: a review and a novel approach | |
CN114186222A (en) | Ransomware protection method and system | |
Lippmann et al. | Guide to creating stealthy attacks for the 1999 DARPA off-line intrusion detection evaluation | |
Smorti | Analysis and improvement of ransomware detection techniques | |
Bakshi et al. | Improving threat detection capabilities in windows endpoints with osquery |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |