Coder Social home page Coder Social logo

llk's Introduction

0x00 LLK

LLK(Login Log checK&faKe) 是一个Linux登录日志伪造和检测日志伪造的工具,工作原理是通过读取和修改下面的二进制日志:

  • /var/log/wtmp (last)
  • /var/log/btmp (lastb)
  • /var/run/utmp (who & w)
  • /var/log/lastlog (lastlog)

项目地址:https://github.com/L-codes/LLK

0x01 Features

  • 支持python 2.x和3.x
  • 部分日志需要root的read和write权限
  • list: 可格式化的打印出二进制文件的内容,方便分析
  • check: 可自动基于日志之间的关联逻辑、时间和格式等检测人为伪造的日志记录
  • add/delete/modify: 具备添加、删除和修改等日志操作功能
  • import/export: 支持日志的格式化导入/导出功能(提高日志伪造的灵活性)

0x02 Parameter description

$ ./llk.py
usage: llk.py <command> [options] [-h]

<Commands>
  list      Print log
  check     Check log
  add       Add log    (only btmp)
  delete    Delete log (only btmp)
  modify    Modify log (only wtmp & btmp)
  import    Import log (only wtmp & btmp)
  export    Export log

$ ./llk.py modify -h
usage: llk.py modify [options]

positional arguments:
  {wtmp,btmp}      Log name

optional arguments:
  -h, --help       show this help message and exit
  -touser TO_USER  TO USERNAME
  -tohost TO_HOST  TO HOST
  -topid TO_PID    TO PID
  -user USER       USERNAME
  -host HOST       HOST
  -pid PID         PID
  -time TIME       TIME
  -start TIME      Start time. e.g. 2017/1/1-08:00
  -end TIME        End time. e.g. 2017/1/1-09:00
  --ignore-ctime   Ignore ctime. Avoid modifying system time

0x03 Use examples

list log

$ sudo ./llk.py list wtmp 

[+] "wtmp" log. (138 rows)
+------+-------+-------+----------+---------------------+-------------------+
| TYPE | PID   | TTY   | USER     | HOST                | TIME              |
+------+-------+-------+----------+---------------------+-------------------+
| 7    | 2945  | pts/1 | root     | 172.17.178.1        | 17/08/25 02:36:09 |
| 7    | 3127  | pts/0 | root     | 172.16.178.1        | 17/08/26 18:24:31 |
......
| 8    | 6922  | pts/2 |          |                     | 17/10/02 08:42:56 |
| 7    | 6942  | pts/2 | root     | 172.16.178.1        | 17/10/02 08:43:09 |
+------+-------+-------+----------+---------------------+-------------------+

check log

$ sudo ./llk.py check
[-] [ /var/log/btmp.1 ] Log is tampered with!!
[-] [ /var/log/wtmp.1 ] Log is tampered with!!

[-] [ btmp, 1 errers ] Find format or logical problem
+------+-------+-----------+------+--------------+-------------------+
| TYPE | PID   | TTY       | USER | HOST         | TIME              |
+------+-------+-----------+------+--------------+-------------------+
| 6    | 6549  | ssh:notty | a    | 172.16.178.1 | 17/08/31 03:01:46 |*
| 6    | 16192 | ssh:notty | test | 172.16.178.1 | 17/09/12 05:08:19 |
| 6    | 16192 | ssh:notty | test | 172.16.178.1 | 17/09/12 05:08:24 |
| 6    | 16192 | ssh:notty | test | 172.16.178.1 | 17/09/12 05:08:28 |
| 7    | 28972 | tty4      | root |              | 17/09/18 07:31:14 |
+------+-------+-----------+------+--------------+-------------------+


[-] [ wtmp, 2 errers ] Find format or logical problem
+------+-------+-------+----------+--------------+-------------------+
| TYPE | PID   | TTY   | USER     | HOST         | TIME              |
+------+-------+-------+----------+--------------+-------------------+
| 7    | 2945  | pts/1 | root     | 172.17.178.1 | 17/08/25 02:36:09 |*
| 7    | 3127  | pts/0 | root     | 172.16.178.1 | 17/08/26 18:24:31 |
| 7    | 4137  | pts/2 | root     | 10.1.100.10  | 17/07/19 10:47:38 |*
......

fake log

$ last
.....
root     pts/0        172.16.178.1     Fri Sep  8 22:40 - 22:40  (00:00)
root     pts/1        172.16.178.1     Fri Sep  8 11:42 - 11:46  (00:04)
root     pts/1        172.16.178.1     Fri Sep  8 11:16 - 11:37  (00:20)
root     pts/1        172.16.178.1     Fri Sep  8 04:43 - 04:57  (00:13)
hacker   pts/1        172.16.178.12    Thu Sep  7 21:24 - 00:54  (03:29)

$ sudo ./llk.py modify wtmp -user hacker -touser root -ip 172.16.178.1

$ last
.....
root     pts/0        172.16.178.1     Fri Sep  8 22:40 - 22:40  (00:00)
root     pts/1        172.16.178.1     Fri Sep  8 11:42 - 11:46  (00:04)
root     pts/1        172.16.178.1     Fri Sep  8 11:16 - 11:37  (00:20)
root     pts/1        172.16.178.1     Fri Sep  8 04:43 - 04:57  (00:13)
root     pts/1        172.16.178.1     Thu Sep  7 21:24 - 00:54  (03:29)

0x04 Problem

如在使用过程中发现bug或有好的建议,欢迎提交IssuesPull Requests

llk's People

Contributors

l-codes avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.