

pamspy leverages eBPF technology to achieve the equivalent of what 3snake does.

It tracks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication.

pamspy loads a userland return probe (uretprobe) eBPF program to hook the pam_get_authtok function from libpam.so. PAM stands for ‘Pluggable Authentication Modules’ and has a flexible design for managing different kinds of authentication on Linux.

Each time an authentication process checks a new user, it calls pam_get_authtok, and pamspy will be there to dump the content of the critical secrets!

pamspy - Credentials Dumper for Linux
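Because the technique depends on attaching a user-space return probe to libpam.so, the defensive check is to enumerate the user-space probes currently present on a host and flag any that target the PAM library. The script below is an added example and is not part of pamspy or of the original post. It parses two places where such probes become visible: the tracefs `uprobe_events` file (probes registered through tracefs; `r:` marks a return probe) and the output of `bpftool perf show` (perf-event-based probes, which is how libbpf-driven tools attach). The `bpftool` line layout is assumed from bpftool's own perf.c output (`pid N  fd N: prog_id N  uretprobe  filename PATH  offset N`); the sample lines, PIDs, program ids and offsets are constructed for the example.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Any path whose basename is libpam.so, libpam.so.0, libpam.so.0.85.1, ...
LIBPAM_RE = re.compile(r"/libpam\.so(?:\.\d+)*$")

# tracefs uprobe_events line: "<p|r>:<group>/<event> <path>:0x<offset>"
# 'p' = entry probe, 'r' = return probe. A credential dumper needs the
# return probe, because the token is only available once pam_get_authtok returns.
TRACEFS_RE = re.compile(
    r"^(?P<kind>[pr]):(?P<group>[^/\s]+)/(?P<event>\S+)\s+"
    r"(?P<path>\S+):0x(?P<off>[0-9a-fA-F]+)\s*$"
)

# `bpftool perf show` line (layout assumed from bpftool's perf.c).
BPFTOOL_RE = re.compile(
    r"^pid\s+(?P<pid>\d+)\s+fd\s+\d+:\s+prog_id\s+(?P<prog>\d+)\s+"
    r"(?P<kind>uprobe|uretprobe)\s+filename\s+(?P<path>\S+)\s+offset\s+(?P<off>\d+)\s*$"
)

# Constructed sample input: one benign libc probe, one return probe on libpam
# registered via tracefs, one kprobe, and one perf-event uretprobe on libpam.
SAMPLE_UPROBE_EVENTS = """\
p:probe_libc/malloc /usr/lib/x86_64-linux-gnu/libc.so.6:0x000000000009d1e0
r:pamspy/pam_get_authtok /usr/lib/x86_64-linux-gnu/libpam.so.0:0x0000000000005a40
"""
SAMPLE_BPFTOOL_PERF = """\
pid 4321  fd 6: prog_id 17  kprobe  func tcp_connect  offset 0
pid 5150  fd 9: prog_id 42  uretprobe  filename /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1  offset 23104
"""


@dataclass
class Finding:
    source: str            # "tracefs" or "bpftool"
    kind: str              # "uprobe" or "uretprobe"
    path: str              # file the probe is attached to
    offset: int            # byte offset inside that file
    pid: Optional[int]     # process holding the perf fd (bpftool only)
    prog_id: Optional[int] # BPF program id (bpftool only)
    event: Optional[str]   # tracefs group/event name (tracefs only)


def parse_tracefs(text: str) -> List[Finding]:
    """Parse the contents of /sys/kernel/tracing/uprobe_events."""
    found = []
    for line in text.splitlines():
        m = TRACEFS_RE.match(line)
        if not m:
            continue
        kind = "uretprobe" if m["kind"] == "r" else "uprobe"
        found.append(Finding("tracefs", kind, m["path"], int(m["off"], 16),
                             None, None, f"{m['group']}/{m['event']}"))
    return found


def parse_bpftool_perf(text: str) -> List[Finding]:
    """Parse `bpftool perf show` output; kprobe/tracepoint lines are ignored."""
    found = []
    for line in text.splitlines():
        m = BPFTOOL_RE.match(line)
        if not m:
            continue
        found.append(Finding("bpftool", m["kind"], m["path"], int(m["off"]),
                             int(m["pid"]), int(m["prog"]), None))
    return found


def find_libpam_probes(tracefs_text: str, bpftool_text: str) -> List[Finding]:
    """Return every user-space probe whose target file is the PAM library."""
    probes = parse_tracefs(tracefs_text) + parse_bpftool_perf(bpftool_text)
    return [p for p in probes if LIBPAM_RE.search(p.path)]


def collect_live() -> List[Finding]:
    """Run the check on the local host (needs root); falls back to empty input."""
    tracefs_text, bpftool_text = "", ""
    for path in ("/sys/kernel/tracing/uprobe_events",
                 "/sys/kernel/debug/tracing/uprobe_events"):
        try:
            with open(path) as fh:
                tracefs_text = fh.read()
            break
        except OSError:
            continue
    try:
        bpftool_text = subprocess.run(["bpftool", "perf", "show"], capture_output=True,
                                      text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        pass
    return find_libpam_probes(tracefs_text, bpftool_text)


if __name__ == "__main__":
    for f in find_libpam_probes(SAMPLE_UPROBE_EVENTS, SAMPLE_BPFTOOL_PERF):
        where = f"pid {f.pid} prog_id {f.prog_id}" if f.pid else f"event {f.event}"
        print(f"[{f.source}] {f.kind} on {f.path} @ {f.offset:#x} ({where})")
```

A return probe on libpam is the signal worth alerting on; an entry probe or a probe on another library is lower priority. Note that a tool attaching through libbpf's perf-event path never writes to `uprobe_events`, so a host check that only reads tracefs misses it, which is why both sources are parsed here.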