pamspy: Credentials Dumper for Linux using eBPF
pamspy — Credentials Dumper for Linux
pamspy leverages eBPF technologies to achieve an equivalent work of 3snake.
It will track a particular userland function inside the PAM (Pluggable Authentication Modules) library, used by many critical applications to handle authentication like:
- and many other …
How does It work?
pamspy will load a userland return probe eBPF program to hook the pam_get_authtok function from libpam.so. PAM stands for “Pluggable Authentication Modules”, and has a flexible design to manage different kinds of authentication on Linux.
Each time an authentication process tries to check a new user, It will call pam_get_authtok, and will be here to dump the content of the critical secrets!
Copyright (C) 2022 citronneur