How I’ve captured all passwords trying to ssh into my server!

By default ssh logs out ssh attempts , wether they’re successful or not , what it doesn’t do by default is log out the passwords they’ve tried.

So i thought it would be a good idea to slightly modify ssh to log them passwords too.

So here we go , you will need to quickly compile openssh , zlib and openssl

Note you have to have build essentials gcc glibc-devel and others…

Nothing to note up there other than:

sed -e 's/struct passwd \* pw = authctxt->pw;/logit("Honey: Username: %s Password: %s", authctxt->user, password);\nstruct passwd \* pw = authctxt->pw;/' -i auth-passwd.c

I am basically injecting a little logit() call before the struct definition , check the code of auth-passwd.c if you wanna know more about it.

So that will compile zlib , openssl and openssh and will prefix it all to

/opt/openssh2

You can start openssh as follows:

/opt/openssh2/dist/sbin/sshd -f /opt/openssh2/dist/etc/sshd_config

That should get the daemon going , and you can try a few fake attempts to login over ssh:

After 10 hours , the results are quite interesting:

First , countries that i got hits from: (Thanks to ipheatmap.azurewebsites.net)

Countries that sshed to my box

"HR Pula"  
"CN Wuchuan"  
"KR Seoul"  
"DE Frankfurt am Main"  
"NL "  
"CN Shenzhen"  
"RU Yekaterinburg"  
"RU Nyagan"  
"US Boydton"  
"CN Kunshan"  
"CN Hefei"  
"TH Kamphaeng Phet"  
"CN Beijing"  
"HK Hong Kong"  
"IL Tel Aviv"  
"FR "  
"PL Inowrocław"  
"PL Krakow"  
"IT Giugliano in Campania"  
"FR Paris"  
"GB London"  
"VN Hanoi"  
"VN Hanoi"  
"VN Hanoi"  
"CN Zhengding"  
"CN Dongyangshi"  
"CN Qingdao"  
"CN Bengbu"  
"CN Shanghai"  
"US Los Angeles"  
"IN Bengaluru"  
"KR Seoul"  
"KR Bucheon-si"  
"KR Yangsan"  
" "  
"JP "  
"CL "  
"FR "  
"JP Tokyo"  
"US Buffalo"  
"HK "  
"CN Lianyungang"  
"CN Beijing"  
"US Chicago"  
"AR Villa Allende"  
"US Piscataway"  
"AL "  
"BR Recife"  
"IT Soci"  
"CO Bucaramanga"  
"AR "  
"TR Ağrı"  
"FR "  
"CA Montreal"  
"MY Kuala Selangor"  
"FR Ivry-sur-seine"  
"FR "

(Thanks to ipinfo.io) (you can curl it and jq it)

So now the most frequent passwords!

46 password  
     43 123456  
     36 1234  
     29 admin  
     29 12345  
     17 abc123  
     16 root  
     11 support  
     10 test  
     10 123  
      9 ubnt  
      9 fucker  
      9 fake  
      8 raspberry  
      8 guest  
      8 admin123  
      7 password123  
      7 default  
      7 123456789  
      6 user  
      6 alpine  
      6 12345678  
      6 111111  
      5 wubao  
      5 ubuntu  
      5 raspberrypi  
      5 manager  
      5 git  
      5 1234567  
      4 system  
      4 operator  
      4 mysql  
      4 1  
      4 000000  
      4  
      3 waldo  
      3 tomcat  
      3 postgres  
      3 pi

And the most used users were:(counting the attempts)

1689 root  
     72 admin  
     31 test  
     24 postgres  
     21 jenkins  
     14 user  
     13 mysql  
     12 support  
     12 fake  
     11 nagios  
     11 deploy  
     10 oracle  
     10 guest  
      9 mother  
      9 hadoop  
      8 vagrant  
      8 tomcat  
      8 pi  
      8 git  
      7 ubuntu  
      6 zabbix  
      6 weblogic  
      6 user1  
      6 debian  
      6 backup  
      5 prueba

I’m gisting the full thing , so you can find look your fav password in there :)