Thread replies: 28
Thread images: 2

File: ssh[1].png (12KB, 256x256px)
https://thehackernews.com/2017/07/ssh-credential-hacking.html?sthash.m5hRJfx7.mjjo

>Dubbed BothanSpy — implant for Microsoft Windows Xshell client, and Gyrfalcon — targets the OpenSSH client on various distributions of Linux OS, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

>Both implants steal user credentials for all active SSH sessions and then send them to a CIA-controlled server.

Discuss
>>
Gyrfalcon needs root to install on the local machine so it's literally fucking nothing

https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf
>>
1. unset HISTFILE
2. export HISTFILE
3. HISTSIZE=0
4. export HISTSIZE
5. TERM=vt100
6. export TERM
7. PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin …
8. export PATH

Thanks CIA
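The sequence quoted in this post is a routine shell-history suppression recipe, and that makes it a cheap detection signal on the defender's side: any host that records executed commands (auditd execve records, a shell session recorder, a jump-host keystroke log) can flag an operator unsetting HISTFILE and zeroing HISTSIZE in quick succession. The script below is an added example, not code from the thread or from the leaked guide; the sample command lines are constructed for the example, and the rule names, window size and hit threshold are assumptions of mine.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: command lines as a session recorder or an auditd
# execve-to-command reducer might hand them to a detector. Made up for this
# example; the middle block mirrors the sequence quoted in the thread.
SAMPLE_COMMANDS = [
    "ls -la /var/log",
    "unset HISTFILE",
    "export HISTFILE",
    "HISTSIZE=0",
    "export HISTSIZE",
    "TERM=vt100",
    "export TERM",
    "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin",
    "export PATH",
    "cat /etc/ssh/sshd_config",
]

# Standard bash history settings; each rule is (tag, compiled regex) and
# also covers the `export VAR=value` spelling of the same assignment.
HIST_VARS = r"(HISTFILE|HISTSIZE|HISTFILESIZE)"
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # `unset HISTFILE`: bash no longer writes history to disk on exit.
    ("unset_history_var", re.compile(rf"^\s*unset\s+{HIST_VARS}\b")),
    # `HISTSIZE=0` / `HISTFILESIZE=0`: nothing kept in memory / on disk.
    ("zero_history_size", re.compile(r"^\s*(export\s+)?(HISTSIZE|HISTFILESIZE)=0\s*$")),
    # `HISTFILE=/dev/null`: another common way to discard history.
    ("histfile_devnull", re.compile(r"^\s*(export\s+)?HISTFILE=/dev/null\s*$")),
    # `set +o history` / `history -c`: disable or wipe in-session history.
    ("history_builtin_off", re.compile(r"^\s*(set\s+\+o\s+history|history\s+-c)\s*$")),
]


def classify(cmd: str) -> Optional[str]:
    """Return the tag of the first rule matching this command line, or None."""
    for tag, rx in RULES:
        if rx.search(cmd):
            return tag
    return None


def find_history_tampering(commands: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, tag, command) for every line that matches a rule."""
    hits = []
    for i, cmd in enumerate(commands):
        tag = classify(cmd)
        if tag is not None:
            hits.append((i, tag, cmd))
    return hits


def is_suppression_sequence(commands: List[str], window: int = 6, min_hits: int = 2) -> bool:
    """True when at least `min_hits` distinct rules fire within `window`
    consecutive command lines. A lone `unset HISTFILE` is noise from an
    admin's dotfiles; several different tricks back to back rarely are."""
    hits = find_history_tampering(commands)
    for idx, _, _ in hits:
        tags = {t for j, t, _ in hits if idx <= j < idx + window}
        if len(tags) >= min_hits:
            return True
    return False


if __name__ == "__main__":
    for idx, tag, cmd in find_history_tampering(SAMPLE_COMMANDS):
        print(f"line {idx}: {tag}: {cmd}")
    print("suppression sequence:", is_suppression_sequence(SAMPLE_COMMANDS))
```

The rules deliberately ignore `export HISTFILE` on its own (exporting an already-unset variable is harmless by itself) and instead score the combination; in practice you would feed the function the command stream per session rather than per host so that two unrelated admins do not add up to one alert.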
>>
>>61349643
cia can't hack me if i keep my computer turned off, checkmate
>>
You have already lost if the adversary has had a chance to install this on your system in the first place.
>>
>>61349970
It could be done by other cia/nsa exploits
>>
>>61349643
this sounds scary, but this requires installing binaries on the target machines.

I mean, in reality, if you have the administrative abilities to install software on a machine you can install software that does pretty much anything you want it to.

If this were some sort of remote/mitm exploit I would be much more concerned, but seeing as how it requires one to actually install the software... I'd give it a 6.5/10

I guess it could be inserted as a trojan and be effective, but that's why you don't install software from outside your trusted repositories
>>
>>61349970
Yes, this is my point exactly.

This exploit is just an afterthought.

if the attacker has the ability to install it in the first place, that is what is most worrisome.

What needs to be guarded against is not this specific package but rather the vector by which it can be installed
>>
>>61349999
then those are the interesting exploits. This is just a tool to steal credentials on a system you've already gained root on. It's basically a special-purpose keylogger.
>>
>>61350030
>change your root password hurrdurr
that's literally it
>>
>>61350044
exactly.

>>61350048
Exactly this too. Because every CIA/NSA exploit requires them to enter your password before it can execute on your machine.

I can't believe not a single CIA or NSA agent ever considered that someone may just change their password, thus making their multimillion dollar software worthless.

You got it anon, the Achilles tendon in every NSA exploit... damn, I should change my email password so they stop reading it, brb
>>
why would this kind of stuff not reveal itself during security audits? I mean a project like openSSH probably has been through a lot of audits in its lifetime. Are those tests mainly just black box?
>>
>>61350101
nah, most of the people who work on these projects work for various government organizations.

They work on these other projects and purposefully insert sections of code with hard-to-catch vulnerabilities.

time goes on, the exploit is discovered and the same group of people 'patch' it and a new vulnerability implanted somewhere else.

Many software companies, like Microsoft, and certain open source projects, like Ubuntu, are simply part of the military-industrial complex now
>>
>>61349643
>No exploits listed for TempleOS.
Wew lad, I'm safe.

The only safe OS out there anymore
>>
>>61350101
Anyone can record traffic. That's not on SSH.

Anyone with root access to system can do pretty much everything they want, including collecting users and credentials from OS files and memory, record keystrokes.

SSH is pretty much collateral damage at this point, it could be any other protocol/communication method the attacker is interested in. This tool automates collection of information from outside of the scope of SSH implementation.

Gyrfalcon, by its functionality, is pretty much log parser + keylogger with root privileges
>>
>>61350187
I agree, but it's slightly more complex seemingly.

It infiltrates memory and pulls out key information when needed.

but yes, ssh is pretty much collateral damage at this point.
>>
So basically this is the CIA waving their big dick around, saying
>we can elevate to root privileges on any computer we want :^)
>>
>>61350236
You are right, it is more complex. But I think root access summarizes it nicely, everything is possible. It's only a matter of imagination and target's awareness/monitoring capabilities.
>>
>>61350251
With adequate resources and time, every system can be compromised and not only by CIA.
>>
>>61349735
>>61349970
>>61350018
>>61350030
>>61350085
>>61350124
>DAMAGE CONTROL
Wikileaks is not going to publish any attack vectors until they get fixed and at that point you pundits will again claim "literally nothing". Payload is payload and needs to be looked at in the whole context: CIA, instead of protecting US citizens from cyberthreats, opted to actively develop, look for and weasel in security holes into different products, these payloads are just the cash-in part of the whole operation
>>
>>6135031
Of course, but while you're discussing these leaks you should keep in mind what each component of a leak really is. These tools are just tools, that require pre-existing access to the system and root privileges. It's not damage control to discuss the scope and actual capabilities of the tools included in the leak.

You said it yourself, payload is a payload. Payload needs an exploit to be delivered. Exploit is the problem.
>>
>>61350312

>>61350388
>learning to post
>>
>>61350312
>>DAMAGE CONTROL
>Wikileaks is not going to publish any attack vectors until they get fixed and at that point you pundits will again claim "literally nothing".
False and stupid.

> Payload is payload and needs to be looked in the whole context: CIA, doing domestic shit
You idiot, OP was clearly slanted at going OOHH LEENOOX IS VULNERABLE. If you want to start a thread talking about CIA niggers then do so.
>>
>>61350474
>OP was clearly slanted at going OOHH LEENOOX IS VULNERABLE
>half of the news is windows related
>wat
>>
>>61349643
I once deleted my ~/.ssh/ folder. I was very glad to be able to extract my keys from the RSS of ssh-agent.
>>
>>61350312
this
>>
>>61350018
what if you killed a guy in charge of a linux distro so you could sneak your backdoored stuff in?
>>
>>61349963

Better unplug from mains because if your PC isn't and ethernet is connected they can just boot it anytime they like.