Recover SecureCRT Passwords with an OpenSSH Honeypot

I frequently login to various servers running SSH, and prefer to use SecureCRT.  For my personal servers, I save my session information in SecureCRT so I don't need to supply my username and password to login.  I could use SSH keys, but I would still need to allow logins using passwords for when I'm using the SSH client on my phone or another computer.

Recently, I wanted to change a password on one of my servers, but needed my current password in order to be able to change it.  Unfortunately I had forgotten the password, since I had been relying on SecureCRT remembering my password for the server.  As such, I started looking around for a way to recover the stored password from SecureCRT.  At first, it looked like I would be able to retrieve the saved password since SecureCRT stores the session information in a .ini file; however, the password field is (appropriately) encrypted.

After thinking about it, I realized I could login to another SSH server using the same session information, and have the server record the password that SecureCRT was sending it.  By default, OpenSSH doesn't record passwords for login attempts, since storing passwords in plaintext would be insecure, and possibly unethical.  I downloaded the source files for OpenSSH 4.7p1 and edited auth-passwd.c, modifying it as follows (red is the new code):

auth_password(Authctxt *authctxt, const char *password)
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;
<span style="color: #ff0000;">        FILE *loginlog;
        loginlog = fopen ("/var/log/sshd_login", "a");
        fprintf(loginlog, "%25s %25sn", authctxt-&gt;user, password);
#if defined(USE_SHADOW) &amp;&amp; defined(HAS_SHADOW_EXPIRE)
	static int expire_checked = 0;

I compiled the code, ran my new OpenSSH sshd binary, changed the address in my SecureCRT saved session information to the new honeypot server, and tried logging in.  The password was logged to /var/log/sshd_login as expected, and I was able to retrieve the password from there.

6 thoughts on “Recover SecureCRT Passwords with an OpenSSH Honeypot

  1. Pingback: Jesse » Blog Archive » SSH Password Logging

  2. Pingback: Is it common practice to log rejected passwords? | Q&A System

Leave a Reply

Your email address will not be published. Required fields are marked *