Using PAM EXEC to Log Passwords on Linux

IppSec · Beginner ·👁️ Computer Vision ·2y ago

Key Takeaways

The video demonstrates using PAM EXEC to log passwords on Linux, including creating bash scripts and GoLang binaries to replicate the process, and discusses the importance of secure authentication practices. It covers various tools and techniques such as PAM, PAM Exec, pam.d, and Linux commands.

Full Transcript

what's going on YouTube this is IPC and we're going to be talking all about Pam the plugable authentication modules for Linux specifically we're going to be using Pam exec in order to log the passwords of users logging into the box using pseudo SSH uh whatever right and at first we're going to do it with the bash script and then we're going to convert that bash script to a goang binary so we can do some Advanced things in a future video we're going to take that go Ling binary instead of writing a file we will xill it via like HTTP or DNS I like using DNS because if there's a strict firewall in play DNS will allow us to um Traverse that firewall most likely because it's likely the server doesn't have direct access to DNS or to the internet but because of how DNS Works um as long as I can talk to a DNS server and that DNS server talks to the internet you'll still be able to get out so I like using DNS as an xfill for things like this but that's covered in a future video this is all about like an introduction to Pam and this isn't anything new I just want to like talk about Pam a bit so you understand when it comes to the next video um and for starters when you want to learn about something I don't like just asking chat G or chat GPD as many people call it because it tells you exactly what you asked for you don't know what you don't know so it's hard to ask for like everything about it so I like starting with the man page and this Pam is not a map file format guess it's case sensitive so there we go we have Pam the pluggable authentication module in ESS what this allows people to do or services to do is to authenticate against the local Linux database if you wanted to roll your earn authentication which you almost never should do you'd have to take a lot of things in consideration you'd also have to run as root because you have to open the shadow file and then you have to read the hash you have to understand all the like hashing things that could be there it may be bcrypt it may be like YP it has a bunch of just formats that are weird and then once you validate the password's good then you have to say hey um what group is this user of is the password expired do you have to change the password at next login uh what is their shell like there's a bunch of just things you have to do after that so Pam gives you just like an API to do a login and get all that information automatically so it is a super handy thing definitely read the man page um if we look we can see Pam is separated into four independent groups we have account management authenication password and session management um but instead of just reading the whole man page let's just look at exactly how it's configured so the Pam scripts are in pam. D if we look at all these we have a bunch of scripts right the one we're going to focus most is SSH and common uh common off I think but you also have things like VM tools this may be surprising to you but um hypervisors Can invoke commands normally on guest computers so like I think Venter has invoke guest command I forget what hyperv calls it uh proxmox also can accept I don't think proxmox requires authentication on the guest to run a command on VMware tools um but if we look at the Pam module we can see it's just going to include common off and then Pam shells I don't know exactly what Pam shells is so let's do a man on Pam shells to understand what this does and it only allows access to a system if the user shell is listed in Etsy shells so this way if we used invoke guest command on like um VMware where is the shell located Etsy shells it will only allow execution if the shell is in here right so if it's a bin no login it's not going to pass authentication which is good right so that is how the VM tools Works um let's look at uh let's see you got s-l run user- L there's also Su let's look at SSH so let's do vim sshd and we can see it starts off again including common off then we disallow non-root logins when Etsy no login exist so let's look at exactly what Pam no login is let's go man Pam no login and Pam no login is a module that prevents users from logging into the system when VAR run no login or Etsy no login exists the contents of the file are displayed to the user um so this is probably just a list of users that can't log the Box um if you just asked chat GPT what it is it would probably tell you this you wouldn't know it has an argument so if you wanted to you could give a custom line in that sshd to give it a Etsy no l- SSH so this pan module would only take effect on the SSH uh service and I know I think there's like a deny users function in the sshd config that you could use you probably should do it that way because that's a standard way but this is just like learning how it all works right so the main thing we want to look at is Pam exac this is going to be the module where we spend most of the time so this calls an external command and there are plenty of legitimate use cases for this but every legitimate use case gets replaced by them just making a custom Pam module for that functionality um I would probably recommend removing this library from your computer because I don't think anything legitimate uses it you could do like a uh gp-r Pam EXA on this to make sure nothing's there before you remove it so you don't break anything but this allows running a command and the most dangerous thing is this expose off token which is going to put the password on standard in it also exports a few environment variables we have Pam our host our user this is remote host remote user you got the service the TTY the user and type you may be thinking why is there user and remote user think when you're running a like Su command the r user is probably going to be your username in my case IPC and then the user is going to be who you're going to which would be root right so that is how all that works if we go down it gives like an example I don't like the example the man page gives it's kind of out of date it's talking about the NIS database which is I think Network Information Services um it's a central authentication thing kind of like ldap but it's really old and essentially whenever um a user changes the password it's going to um use set euid which will switch to the user logging and then run the mate command to make this database right but let's think of other use cases of exact and again every use case is going to be replaced by its own like Pam module the best one I can think of that uses like the Expos off token would be having a Bas script run whenever a user logs in to mount a SMB directory because Linux won't just do that automagic like NTM authentication because it doesn't store the password and memory for that user so you would have a Pam module that when the user logs in it would have Pam EXA it exposes the authentication token because it needs to run the mount command to mount that S&B share as the user and it needs to know the user's password to uh Mount that share right um there is a pamore Mount library that probably does everything better so that's how you probably should do it but you could do it through the Pam exact module right you could also have a Pam exact module like run IP tables commands based upon the user logging in to allow them access to different resources but I think there's a Pam IP tables library that would probably be better off um you could also like when a user logs in execute some binary that does multiactor authentication but again if you're using like Google MFA they have their own Library you install so all the use cases of Pam exec that I can see kind of get replaced by just using um functionality that is like that library is built for but what we're going to use it for is exfilling or writing the password of logging in users so let us um go with this and I want to make sure I don't have a artifact I don't so we're going to log to V log passwords right um let's go in V I'm going to call it logger and we can say it's going to be a shell script and all we want to do is log the DAT then we want to log the Pam user this is going to be exported in the environment variable and then we can say cat and then Dash that's going to get standard in and let's see we probably want um Pam our host and then Pam our user and then let's log this to ver log password.log so now we have our shell script here we want to make it executable so we'll do chod plus X and now we want to edit common off so pseudo V Etsy um pam. D common off and we want to put it at the top the first one if we do it too far down like after this Pam deny I think invalid login attempts won't happen um we also if we do it too far down the chain there's a chance that the token gets destroyed and even if we have exposed token we can't read the password so I generally put it as the first line um we can put it right there before that comment right so we'll do off optional and then Pam exec doso quiet and then we'll do expose off token and then it's going to be home IPC Pam logger and that's where a script lives you can put it wherever you want right you could do like user local bin logger if you want so now we have that let's go that LS VAR log was it passwords dolog doesn't exist let's SSH Local Host I think I have SSH running let's put a bad password I did ASD look at this that log log now exist let's C it and we can see the line entry let's just do a tail-f on it right so if we do please subscribe we see that goes there now let's just do password which is the password I have on this box and it logs right in right so let us edit this um thing did we do it here I'm going to move this down to the bottom now let's tail F we have S a bad credential no longer happens we didn't get anything here because again the um it happened after that Pam deny right it exits before then I like logging invalid passwords because sometimes like users have different passwords they type the wrong password to log into a box and that password's good elsewhere so it's handy to know invalid passwords um let's see we could also make sure we're getting pseudo so if I do pseudo who am I we do password uh we did not log it I wonder if that's just a fault with a bash script I could have swore uh this should work let's do su um maybe I should move this to the top uh we do it here pseudo V let's see move this line here because I don't know the password of root here it may be like disabled I want to make sure it's logged but huh maybe the bash script is not logging it for whatever reason I'm not sure we'll see if it works once we switch over to goang I might have to look more into exactly what's going on uh I thought it should work um I'm confused but The Show Must Go On I guess uh let's get rid of this I don't like bash scripts we'll do go Lan hopefully it works once there um so let's do a go mod AIT and I'll call it logger that's how we start the project and we'll touch main.go and let's open up VIs ual studio now um I like goang because it creates a binary you could do it in Python but it depends if you have all the libraries there um I just find goang works better and I don't know why Visual Studio did not open PF grap vs code grap code uh hello there's something wrong with my Pam module and like Visual Studio using it what is going on okay I have no idea but was this in SSH connection no oh well we got it it was probably like an Su or something weird and it lost the X session I have no idea let's just start uh we did package main let's do Funk Main and let's see how do we start this program off well we want to open up the file so we'll do file error and then OS open file and we'll call it uh let's actually create a global variable so we have to like change if we open the file multiple times so we'll call this uh log file uh let's see VAR log file string is equal to VAR log uh pass ws. log I think that's how we do it log file and then we want to give it what um OS create a pen right that looks fine uh read I guess that's fine I don't know why it just suddenly changed on me let's give it a we have a pen uh that looks fine okay if error is n uh we don't want to panic I'm always scared to panic when I do these pan modules because there's a chance if it's configured wrong you exit with a nonzero then it denies the login and we don't want to deny logins because we lock everyone out so we're just going to fail open this is not like proper go to just say hey if it's an exit Let's ignore it and exit like everything happened but we definitely don't want to lock the system out that defer is going to close the file Handler when this function exits so now we want to grab all the environment variables so I'm just going to say vs is equal to os. Environ and now we want to grab the password so we'll say our password string and then to read standard in we can use the fmt module and say scan the address of password so that's going to read standard in and write it to this string so now that we have all that we want to create the logger and for the logger I'm going to use zero log because I like writing in Json um I just find like it goes to elastic search super easily it's easy to search things like Json just the way to go for me so we'll say go get because this is going to be a non-standard Library github.com rs0 log this is my favorite logging Library we install that and we can tell the logger to use Zer log give it the log file we want with timestamp and logger that is all good so now what we need to do is just write the log entry so we can say loginfo and then we give it the interface which is going to let us um log a uh slice so we'll say the vs is going to be vs and then we want the password I'm just going to do string password is going to be password and then message we'll say Pam exact dump PW is the message everything looks good if you're getting an error here then your Visual Studio probably freaked out and put like log there and you don't have this zero log um sometimes that happens just replace log with zero log log and I think this is all we need so let's do a go build and now we have logger so if we uh let's do tail-f ver log password.log let's do SSH Local Host put a password in and we get it out in Json format we can see the password is Please Subscribe that we put if we do password we have that uh if we wanted to we can also uh look at it in JQ and see all the things in clean um we have this SSH connection thing which is a variable that SSH put in and this is going to be the source address and then the source Port um that's 53 5724 um and then the destination and Port it's probably more clean if we show this live uh let's see pseudo V bar log passwords just making sure I'm still recording kill that so now the DF will work because we only have Json output so give a few lines and I'm going to hope I can open up CMD yes I can SSH uh let's see what is this IP I think it's 192 168 587 hopefully this is right we'll do password there we go awesome so this is my host IP then we have the Emeral port and it's connecting to the box on Port 22 the user was ipsec SSH this right awesome uh but the one thing I like knowing is if the connection was successful or not and there's probably going to be a better way to do this um I don't know how to like have the pan module export if it's successful or not so what we're going to do is a huge hack but I mean it works so I'm going to call this executable twice if it's a successful one so let's do pseudo V common off so we're going to call it up here and then call it at the end and when we call it at the end we're not going to expose the off token we're just going to call it so the password's going to be blank so what that enables us to do is say if the length of password is equal to zero uh we can type then we're going to edit the line and I know um if user has blank PW or if remote user uses blank PW chaos because they could log in with a blank password then hit this function and just screw things up but um we're not going to worry about that bug because it doesn't really affect too much and if the password is greater than zero we're just going to dump it right so we want to create this edit line function so we're going to say funk edit line and I'm going to pass in the username that way like we can make sure that we have the right line uh just better error handling I guess so let's open up the file again so we'll do file error OS open file log file and we want um OS o create and then Oso um read write what the hell just happened my IDE is cracked Oso read right okay oh because that's a pipe not a comma there we go and then the permission uh 0644 probably right that's what we should do we should not do all sixes there we go you want to make sure you don't have OS append here if you do um it's going to write things multiple times and append it um because that gives you the append permission you won't be able to go back and replace things so make sure OS append is not in this file so once we open the file we want to create a um slice of string and we're going to read the file into this so uh we also need a um scanner so we can read the file we're going to use buff iio new scanner on our file and then we're going to read everything into this slice and we can grab the um last line by going to the like how many lines there are then back one so now we got the very last line and now we want to create a search string so this search string is going to be validating that um the last line is indeed the username that is logging in so we'll do search string and then what we want to do is probably just a tail one our log passwords Let's see we want to grab the Pam user is equal to IC so this is what we want we grab this and let's see this is going to be a Sprint F we can do percent s here and then comma username there we go if you're curious why I'm using backticks these I think are called runes um in go Lang you can encapsulate strings with double quotes or um runes the back ticks you can't use single quotes most people use the back ticks because it's a more characters so you don't have to worry about like escaping quotes and things like that so there we go so now all we want to do is say um if strings contains the last line in search string we don't care about that so here we're in like the um last line is that user so I'm going to call edit line and we're going to replace a variable um and we got to add this variable here so what we're going to do is string result and we need a word that is going to be the same number of characters because I'm just doing inline replace I don't want to worry about padding and things like that I think failure and success they are both the same number of characters so first we can write failure and then here we're going to replace the failure to true so replace um let's see the last line and then oh what is this going to be I want to say result colon failure I think that's how it's going to write it just in Json format okay so now we have that we want to create a writer so we can write to this uh like write the log file so we do buff IO new writer and we want to seek to where the last line begins we could probably seek to just wear the fail like right here but that's going to be harder than just going to the line or we could just um edit the like slice in the last line and rewrite the whole log file but that's a lot of extra file IO that we don't need I'd rather just replace the last line so we'll do if uh let's see error and we can say file seek and we want to get to the offset so let's see we'll call this um last line offset I guess and that's going to be the length of last line and I think either minus one or minus two because you have the um line break right and the file seek is going to be a negative number and that's easier if I do it that way so in 64 last line offset and then we do IO uh what is it seek end this is going to go to the end of the file and then go backwards to the last line right so after that what do we have error nil that's fine now we want to write y so we're writing like we did seek to the last line and now we're going to write it and we screwed up our casing there and we probably just want a flush at the end and if we did everything correctly this is going to work and if you've watch my videos long enough you know there's probably going to be some type of error uh definitely have to call it edit line and we're going to do OS get environment am user there we go the E is not capital okay Moment of Truth uh let's see this is already in an SSH connection we can just do go build let's do tail-f bar log passwords okay are we ready aate Local Host bad password we only wrote once uh we should pipe to JQ and the result was a failure that is good let's few lines give it the correct password only one entry it's still failure but maybe tail did not see us edit this let's do it again and there we go we got the success so what's happening there is tail read when it wrote the line the first time and then did not read when we seek to the last line and replaced it right so this this is working flawlessly first time that is amazing we did like a pseudo let's do pseudo who am I uh it says failure but again I bet we reread it it a success odly enough the our user is the same that is odd if we do su I think we can see it is a fail but we see it's calling s-l the user it wants to go to his route the user you're calling it is me so that is going to be the first uh Pam video right and then the next video we're going to be um sending it over https and then also after that we're going to be um doing it over DNS and we'll have to do like some encryption there because we don't want to send the passwords in plain text and again the whole reason for that is it's a good way to buypass a lot of network ACLS because when you make a DNS request to the DNS server then the DNS server makes another request it's not using the IP of the server it uses its own IP and a lot of DNS servers can resolve to the Internet so there's a high chance of you being able to keep that connection alive getting all the credentials if you're doing it over like a DNS xfill so with that being said hope you guys enjoyed the video take care and I will see you all next time

Original Description

Video will be public June 2nd 00:00 - Introduction 01:04 - Talking about what PAM is 05:00 - Talking about pam_exec 08:15 - Creating a bash script pam_exec calls to log passwords 12:20 - Creating a GoLang binary that replicates our Bash Script to log passwords 16:00 - First iteration almost done, dumping all passwords 18:38 - Explaining how we will add if the authentication was successful in our log file 22:30 - Replacing the last line in the log file, probably wrong about runes here but yolo 26:30 - Modification complete! Showing our logger works and dumps all the passwords
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches how to use PAM EXEC to log passwords on Linux, including creating scripts and binaries, and discusses secure authentication practices. It's essential for understanding Linux authentication and password logging. The video provides hands-on examples and code snippets to help viewers learn and implement the concepts.

Key Takeaways
  1. Create a bash script to log passwords using PAM Exec
  2. Make the script executable
  3. Add the script to the /etc/pam.d/common-auth file
  4. Configure the script to log invalid passwords
  5. Configure the script to log the pseudo user
  6. Use back ticks instead of single quotes for string literals in Linux commands
  7. Use inline replace to modify the last line of a log file without rewriting the entire file
💡 PAM EXEC can be used to log passwords on Linux, but it's crucial to handle passwords securely and not send them in plain text.

Related Reads

Chapters (9)

Introduction
1:04 Talking about what PAM is
5:00 Talking about pam_exec
8:15 Creating a bash script pam_exec calls to log passwords
12:20 Creating a GoLang binary that replicates our Bash Script to log passwords
16:00 First iteration almost done, dumping all passwords
18:38 Explaining how we will add if the authentication was successful in our log fil
22:30 Replacing the last line in the log file, probably wrong about runes here but y
26:30 Modification complete! Showing our logger works and dumps all the passwords
Up next
9-Phase Computer Vision Roadmap 2026 | AI & Deep Learning | #shorts
SCALER
Watch →