Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

pamspy - Credentials Dumper for Linux

pamspy leverage eBPF technologies to achieve an equivalent work of 3snake.

It will track a particular userland function inside the PAM (Pluggable Authentication Modules) library, used by many critical applications to handle authentication.

pamspy will load a userland return probe eBPF program to hook the pam_get_authtok function from PAM stands for ‘Pluggable Authentication Modules’, and have a flexible design to manage a different kind of authentication on Linux.

Each time an authentication process tries to check a new user, It will call pam_get_authtok, and will be here to dump the content of the critical secrets! pamspy - Credentials Dumper for Linux