pamspy: Credentials Dumper for Linux using eBPF
pamspy — Credentials Dumper for Linux
pamspy leverages eBPF technologies to achieve an equivalent work of 3snake.
It will track a particular userland function inside the PAM (Pluggable Authentication Modules) library, used by many critical applications to handle authentication like:
- sudo
- sshd
- passwd
- gnome
- x11
- and many other …
How does It work?
pamspy will load a userland return probe eBPF program to hook the pam_get_authtok function from libpam.so. PAM stands for “Pluggable Authentication Modules”, and has a flexible design to manage different kinds of authentication on Linux.
Each time an authentication process tries to check a new user, It will call pam_get_authtok, and will be here to dump the content of the critical secrets!
Use
Download
Copyright (C) 2022 citronneur
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
