The ease of (ab)using X11, Part 2
By Bri Hatch.
Summary: Abusing X11 for fun and passwords.
Last time we looked at how you can get access to an X11 server, the desktop
software you are using when you're running graphical environments like
Gnome or KDE. When you have access to the X11 server, you can do
some remarkable things.
As an example, I previously showed you how to open an xterm on the user's
screen to leave them a message. Rather than use an xterm, it's much easier
to use xmessage, which will pop up a window and can even have programmable
buttons.
With xmessage as our target program, let's recap. First, log
into the victim's desktop, become root, and set
up your environment to access his X11 server:
home$ ssh victim_desktop
victim$ sudo /bin/ksh
victim# export XAUTHORITY
victim# export DISPLAY
At this point, you have access to the server and can do anything, for example:
victim# xmessage "Hey, Fernando, don't forget to walk the dog."
You won't see anything of course - the window went on Fernando's screen.
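Seen from the defender's side, the recap above leaves a trace in /proc: a process whose XAUTHORITY names a cookie file owned by a different user. The following is an added example, not code from the original article; the function names, pids and the path /home/fernando/.Xauthority are assumptions, and it covers only the case where XAUTHORITY is set explicitly.

```python
import os

def parse_environ(raw):
    """Split a NUL-separated /proc/<pid>/environ blob into a dict."""
    pairs = (item.partition(b"=") for item in raw.split(b"\0"))
    return {k.decode(errors="replace"): v.decode(errors="replace")
            for k, sep, v in pairs if sep}

def borrowed_cookie(proc_uid, env, owner_of):
    """Return a finding if the process points at another uid's cookie file."""
    path = env.get("XAUTHORITY")
    if not path or "DISPLAY" not in env:
        return None
    owner = owner_of(path)
    if owner is None or owner == proc_uid:
        return None  # file missing, or the process uses its own cookie
    return {"uid": proc_uid, "display": env["DISPLAY"],
            "xauthority": path, "cookie_owner": owner}

def file_owner(path):
    try:
        return os.stat(path).st_uid
    except OSError:
        return None

def scan_proc(proc_root="/proc"):  # needs root to read other users' environ
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{entry}/environ", "rb") as fh:
                raw = fh.read()
            uid = os.stat(f"{proc_root}/{entry}").st_uid  # normally the process euid
        except OSError:
            continue  # process exited or is unreadable
        if hit := borrowed_cookie(uid, parse_environ(raw), file_owner):
            findings.append({"pid": int(entry), **hit})
    return findings

# Constructed sample: (pid, uid, environ blob); the path and pids are made up.
SAMPLE = [
    (2101, 1000, b"DISPLAY=:0\0XAUTHORITY=/home/fernando/.Xauthority\0"),
    (2544, 0, b"DISPLAY=:0\0XAUTHORITY=/home/fernando/.Xauthority\0SHELL=/bin/ksh\0"),
    (2600, 0, b"PATH=/usr/bin\0"),
]
SAMPLE_OWNERS = {"/home/fernando/.Xauthority": 1000}

def scan_sample():
    return [{"pid": pid, **hit} for pid, uid, raw in SAMPLE
            if (hit := borrowed_cookie(uid, parse_environ(raw), SAMPLE_OWNERS.get))]
```

Legitimate setups that pass XAUTHORITY through to root (for example a sudo configuration that preserves it) produce the same finding, so each hit is a lead to review rather than a verdict.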
Ok, so you can plop up some windows, big deal, right? What fun is that?
Here are some other fun things you could do:
- Don't like the desktop background? Change it easily with
Can have a particularly disastrous effect on a machine at work depending on the
content you choose.
- xlsclients -l
- Provides you a list of all X11 clients that are running on the machine. The output includes the
window id that you'll need for some commands below.
# xlsclients -l
Icon Name: kterm
- xwininfo -id windowid
- Display verbose information about an existing window, such as the title name, size, location, etc. This gives
you more information for finding the window you're interested in for any of the other commands below that use
- xkill -id windowid
- A quick and efficient way to kill X11 windows. Purely a malicious activity.
xwd is an X window dumper - it dumps a screen shot of any window you request, or the whole screen. When used
interactively, it will let you move the mouse and click on the window in which you're interested. If you want a
specific window, you can specify it with xwd -id windowid, or you can choose the root window with -root. To be
surreptitious, you probably want to use -silent as well, to keep it from ringing
So, the following would give you a screen shot of the entire desktop, and convert it to a .png file for viewing on your machine:
# xwd -root -silent - | convert - fernando.png
- xev -id windowid
- xev can attach to an existing window and show you all X11 events that occur. Great for seeing in which windows the
user is active. Since keypresses are events, you can see everything they type, though it's not the cleanest way;
we'll see better options later.
- This one is not a part of your standard X11 distribution; however, you can easily find
the source code via Google. Xkey will watch for X11 keyboard events and print the characters
to the screen - a great way for sniffing the keyboard for passwords, as seen here:
convert /tmp/rack.jpg network-rack.png
scp network-rack.png isp.example.net<<Shift_R>>:
mutt -a network-rack.png
In the output above, you get to see in gory detail exactly what the user is typing -- not
only do you get to see that the password for the account at isp.example.net is d@rPaneT,
but you can see exactly which shift keys (left or right) were used in the attempt.
With x2x, you can connect your mouse and keyboard to their display. You can use this to
either play games by moving their mouse around, or more maliciously you can use this to send input to their
For example, use xev to determine they're not doing anything, and then start typing
in their shell. Start up a netcat daemon in listen mode, connect to their machine
on that port and have straight shell access to their account. Anything's possible.
- Want full-blown access to the X11 server? Run an x0rfbserver on their display and
you can connect to it with a vnc client to have complete control of their desktop. Valid for helping
folks out remotely, but deadly when done maliciously.
Hopefully this gives you a good idea why it's so very bad to allow access to your X11 server.
Next time I'll address how you can keep your X11 server safe, and how your X11 server
may not be safe even if your desktop is completely locked down; even if no one has
access -- much less root access -- to it.
I have slapped myself appropriately for having forgotten
the proper tool and announcing my ignorance to the world. Thanks to the
dozen people who reminded me what I was looking for, you're clearly on the
ball more than I.
You need to ignore the <<Shift_>> entries in the output - you can prevent them from being displayed
by editing the xkey.c source code.
If you aren't in a window, you can move your mouse (on their screen) around until you are --
you can see which window is active by using xdpyinfo | grep focus.
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs.
He looks back on his college days of playing xtank at 3am
and wonders "Did anyone steal my passwords when we all ran 'xhost +' " ?
Bri can be reached at email@example.com.
Copyright Bri Hatch, 2004
This is the June 08, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityfirstname.lastname@example.org.