xzbot
knockknock
xzbot | knockknock | |
---|---|---|
2 | 3 | |
3,456 | 504 | |
- | - | |
5.2 | 0.0 | |
about 1 month ago | over 5 years ago | |
Go | Python | |
- | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
xzbot
-
Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
Instead of needing the honeypot openssh.patch at compile-time https://github.com/amlweems/xzbot/blob/main/openssh.patch
How did the exploit do this at runtime?
I know the chain was:
opensshd -> systemd for notifications -> xz included as transient dependency
How did liblzma.so.5.6.1 hook all the way back to openssh_RSA_verify when it was loaded into memory?
knockknock
-
Xzbot: Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
It's old and there are probably friendlier options out there now, but
https://github.com/moxie0/knockknock/blob/master/INSTALL
- Ssh brute force attack with fail2ban.
-
SSH server that changes listen address every 30 seconds based on TOTP
> Or is completely firewalled off from the world, and only accessible once you've authenticated yourself to your VPN. Or only reachable once you first authenticate (public/private keys, two factor crypto key auth, etc) to a bastion host, and then reach the system from the bastion.
There's a lot of attack surface in there. Port-knocking is supposed to be a way to reduce attack surface. It's a belt-and-suspenders approach to the reality that even fully patched openssh has exploitable bugs.
Using this tool, a MITM with an openssh 0day can just follow you in. KnockKnock [0] and tools like it do not suffer from this defect. This tool is conceptually similar to KnockKnock, using OTP instead of a monotonic counter. Using OTP opens it up to replay attacks.
https://github.com/moxie0/knockknock