pamspy leverages eBPF to do the same job as 3snake. It tracks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication.
pamspy loads a userland return probe eBPF program to hook the pam_get_authtok function from libpam.so. PAM stands for 'Pluggable Authentication Modules' and has a flexible design for managing different kinds of authentication on Linux. Each time an authentication process tries to check a new user, it calls pam_get_authtok, and pamspy will be there to dump the content of the critical secrets!
pamspy - Credentials Dumper for Linux
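A defender can look for the hook described above by listing BPF programs attached to perf events and flagging user-space probes that target libpam. This is an added example, not code from pamspy or the original page; it assumes the JSON record shape printed by `bpftool -j perf show`, and the function name and sample records are constructed for illustration.

```python
import json
import os
import re

# Matches libpam.so, libpam.so.0, libpam.so.0.85.1 (but not libpam_misc.so.0).
LIBPAM_RE = re.compile(r"^libpam\.so(\.\d+)*$")
USER_PROBE_TYPES = {"uprobe", "uretprobe"}


def find_libpam_probes(bpftool_perf_json):
    """Return perf-attached BPF user probes whose target file is libpam.

    Input is the text of `bpftool -j perf show`: a JSON array of records
    with pid, fd, prog_id, fd_type and, for user probes, filename/offset.
    """
    findings = []
    for rec in json.loads(bpftool_perf_json):
        if rec.get("fd_type") not in USER_PROBE_TYPES:
            continue  # kprobes, tracepoints, etc. are out of scope here
        target = rec.get("filename", "")
        if not LIBPAM_RE.match(os.path.basename(target)):
            continue
        findings.append({
            "pid": rec.get("pid"),          # process holding the probe fd
            "prog_id": rec.get("prog_id"),  # inspect with bpftool prog show id N
            "type": rec["fd_type"],
            "target": target,
            "offset": rec.get("offset"),
            # A return probe on libpam is the pattern the text describes.
            "return_probe": rec["fd_type"] == "uretprobe",
        })
    return findings


# Constructed sample records, not captured from a real host.
SAMPLE = json.dumps([
    {"pid": 901, "fd": 5, "prog_id": 12, "fd_type": "kprobe",
     "func": "__x64_sys_write", "offset": 0},
    {"pid": 1450, "fd": 7, "prog_id": 31, "fd_type": "uprobe",
     "filename": "/usr/lib/x86_64-linux-gnu/libpam_misc.so.0", "offset": 4608},
    {"pid": 2203, "fd": 9, "prog_id": 44, "fd_type": "uretprobe",
     "filename": "/usr/lib/x86_64-linux-gnu/libpam.so.0", "offset": 27392},
])

if __name__ == "__main__":
    for f in find_libpam_probes(SAMPLE):
        print("ALERT pid=%(pid)s prog_id=%(prog_id)s %(type)s on %(target)s" % f)
```

On a live host, pass the function the output of `bpftool -j perf show` run as root, then review the owning process and the program behind each reported prog_id.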