Password not dumped within Kali VM · Issue #2 · citronneur/pamspy · GitHub
Password not dumped within Kali VM #2
Closed
@ariary

Description

Issue:

  • Compilation OK, execution OK
  • Correctly catches sudo, su, etc. commands
  • Correctly catches the user initiating the command
  • Does not catch the password used

Output example:

2071   | sudo            | kali                 | 
3313   | sudo            | kali                 | 
4137   | sudo            | kali                 | 
4223   | passwd          | test                 | 

Additional information:

I'm new to eBPF and related tooling, so I cannot find what causes this for now.

  • Kali is running in a VM
$ uname -a
Linux kali 5.15.0-kali3-amd64 #1 SMP Debian 5.15.15-2kali1 (2022-01-31) x86_64 GNU/Linux
$ /usr/sbin/ldconfig -p | grep libpam.so | cut -d ' ' -f4
/lib/x86_64-linux-gnu/libpam.so.0
$ sudo ./pamspy -p $(/usr/sbin/ldconfig -p | grep libpam.so | cut -d ' ' -f4) -v
libbpf: loading object 'pamspy_bpf' from buffer
libbpf: elf: section(2) uretprobe/pam_get_authtok, size 392, link 0, flags 6, type=1
libbpf: sec 'uretprobe/pam_get_authtok': found program 'trace_pam_get_authtok' at insn offset 0 (0 bytes), code size 49 insns (392 bytes)
libbpf: elf: section(3) license, size 13, link 0, flags 3, type=1
libbpf: license of pamspy_bpf is Dual BSD/GPL
libbpf: elf: section(4) .maps, size 16, link 0, flags 3, type=1
libbpf: elf: section(5) .BTF, size 1566, link 0, flags 0, type=1
libbpf: elf: section(6) .BTF.ext, size 572, link 0, flags 0, type=1
libbpf: elf: section(7) .symtab, size 144, link 12, flags 0, type=2
libbpf: elf: section(8) .reluretprobe/pam_get_authtok, size 16, link 7, flags 0, type=9
libbpf: looking for externs among 6 symbols...
libbpf: collected 0 externs total
libbpf: map 'rb': at sec_idx 4, offset 0.
libbpf: map 'rb': found type = 27.
libbpf: map 'rb': found max_entries = 262144.
libbpf: sec '.reluretprobe/pam_get_authtok': collecting relocation for section(2) 'uretprobe/pam_get_authtok'
libbpf: sec '.reluretprobe/pam_get_authtok': relo #0: insn #21 against 'rb'
libbpf: prog 'trace_pam_get_authtok': found map 0 (rb, sec 4, off 0) for insn #21
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: map 'rb': created successfully, fd=4
libbpf: sec 'uretprobe/pam_get_authtok': found 3 CO-RE relocations
libbpf: CO-RE relocating [10] struct pt_regs: found target candidate [174] struct pt_regs in [vmlinux]
libbpf: prog 'trace_pam_get_authtok': relo #0: <byte_off> [10] struct pt_regs.di (0:14 @ offset 112)
libbpf: prog 'trace_pam_get_authtok': relo #0: matching candidate #0 <byte_off> [174] struct pt_regs.di (0:14 @ offset 112)
libbpf: prog 'trace_pam_get_authtok': relo #0: patched insn #1 (LDX/ST/STX) off 112 -> 112
libbpf: prog 'trace_pam_get_authtok': relo #1: <byte_off> [10] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #1: matching candidate #0 <byte_off> [174] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #1: patched insn #3 (LDX/ST/STX) off 96 -> 96
libbpf: prog 'trace_pam_get_authtok': relo #2: <byte_off> [10] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #2: matching candidate #0 <byte_off> [174] struct pt_regs.dx (0:12 @ offset 96)
libbpf: prog 'trace_pam_get_authtok': relo #2: patched insn #9 (LDX/ST/STX) off 96 -> 96
[...]
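The thread records no resolution, and the verbose log above only shows that the BPF object loaded and the `rb` map was created; it says nothing about whether the uretprobe landed in the library that `sudo` actually uses. The following POSIX shell script is an added diagnostic, not pamspy's code and not taken from the issue. It checks the two preconditions a uretprobe on `pam_get_authtok` depends on: that the path passed to `pamspy -p` is the libpam a live `sudo` process has mapped, and that this library exports `pam_get_authtok` as a dynamic symbol. The function names (`pam_path_from_ldconfig`, `libpam_from_maps`, `exports_pam_get_authtok`) are mine; it assumes an x86-64 target, `awk`, GNU `nm` and `pgrep`, and root privileges to read `/proc/<pid>/maps` of a sudo process. It does not claim to identify the cause reported here.

```shell
#!/bin/sh
# Added diagnostic helper; not part of pamspy or of this issue thread.
# pamspy attaches a uretprobe to pam_get_authtok in the library passed with
# -p, so two preconditions must hold before any password can be dumped:
#   1. the path given to -p must be the libpam the target process maps, and
#   2. that library must export pam_get_authtok as a dynamic symbol.
# Assumptions (not stated on the page): an x86-64 target, awk, GNU nm, pgrep.

# Pick the x86-64 libpam.so.0 row from `ldconfig -p` output (stdin) and
# print its path. On a multiarch box the issue's
# `grep libpam.so | cut -d ' ' -f4` can return one path per architecture,
# so the row is selected by its "(libc6,x86-64)" tag.
pam_path_from_ldconfig() {
    awk '/libpam\.so\.0 \(libc6,x86-64\)/ { print $NF; exit }'
}

# Print the libpam file mapped by a process, read from its /proc/PID/maps
# text on stdin. The path is the 6th column; /proc shows the real file
# (e.g. libpam.so.0.85.1), not the libpam.so.0 symlink ldconfig reports.
libpam_from_maps() {
    awk '$6 ~ /libpam\.so/ { print $6; exit }'
}

# Succeed if the library's dynamic symbol table exports pam_get_authtok.
# Newer nm prints the symbol version (pam_get_authtok@@LIBPAM_1.1), hence
# the "(@|$)" anchor, which also rejects pam_get_authtok_noverify.
exports_pam_get_authtok() {
    nm -D "$1" 2>/dev/null | grep -Eq ' T pam_get_authtok(@|$)'
}

# Run both checks. Reading /proc/<pid>/maps of a sudo process needs root;
# pass a PID as $1, or let it pick the first running sudo (for example one
# blocked on its password prompt in another terminal).
main() {
    lib=$(ldconfig -p 2>/dev/null | pam_path_from_ldconfig)
    if [ -z "$lib" ]; then
        echo "no x86-64 libpam.so.0 in the ldconfig cache"
        return 0
    fi
    if exports_pam_get_authtok "$lib"; then
        echo "$lib exports pam_get_authtok"
    else
        echo "$lib does not export pam_get_authtok (or nm is unavailable)"
    fi
    pid=${1:-$(pgrep -x sudo 2>/dev/null | head -n 1)}
    if [ -n "$pid" ] && [ -r "/proc/$pid/maps" ]; then
        mapped=$(libpam_from_maps < "/proc/$pid/maps")
        if [ -z "$mapped" ]; then
            echo "pid $pid has no libpam mapped (yet)"
        elif [ "$(readlink -f "$lib")" = "$(readlink -f "$mapped")" ]; then
            echo "pid $pid maps the same libpam: $mapped"
        else
            echo "pid $pid maps $mapped, not $lib; pass that path to pamspy -p"
        fi
    fi
}

main "$@"
```

Run it as root while a `sudo` prompt is open in another terminal (`sudo -k; sudo true`), or with the sudo PID as the first argument. If the mapped file resolves to a different library than the ldconfig path, that is the path to hand to `pamspy -p`; if `pam_get_authtok` is not exported, the uretprobe has nothing to attach to and no event can reach the ring buffer.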