pamspy - Credentials Dumper for Linux
pamspy leverages eBPF to achieve the equivalent of 3snake.
It tracks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication.
pamspy loads a userland return probe eBPF program to hook the pam_get_authtok function from libpam.so. PAM stands for 'Pluggable Authentication Modules' and has a flexible design for managing different kinds of authentication on Linux. Each time an authentication process tries to check a new user, it calls pam_get_authtok, and pamspy is there to dump the content of the critical secrets!
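Because the hook is a user-space return probe on libpam.so, a defender can look for it in the list of perf events that carry an attached eBPF program. The following is an added detection example, not code from pamspy; it assumes the input is the JSON printed by `bpftool --json perf show`, and the sample records, PIDs and the allowed_pids parameter are constructed for illustration.

```python
import json

# Constructed sample shaped like `bpftool --json perf show` output. The field
# names are an assumption; confirm them against your bpftool version.
SAMPLE = """[
  {"pid": 812, "fd": 9, "prog_id": 41, "fd_type": "kprobe",
   "func": "__x64_sys_write", "offset": 0},
  {"pid": 4021, "fd": 5, "prog_id": 57, "fd_type": "uretprobe",
   "filename": "/usr/lib/x86_64-linux-gnu/libpam.so.0", "offset": 34560},
  {"pid": 4100, "fd": 7, "prog_id": 60, "fd_type": "uprobe",
   "filename": "/usr/bin/bash", "offset": 1159},
  {"pid": 4200, "fd": 6, "prog_id": 63, "fd_type": "uprobe",
   "filename": "/opt/app/libpam_helper.so", "offset": 512}
]"""

USER_PROBES = {"uprobe", "uretprobe"}


def is_libpam(path):
    """True for libpam.so and its versioned names, not for look-alikes."""
    name = path.rsplit("/", 1)[-1]
    return name == "libpam.so" or name.startswith("libpam.so.")


def find_pam_probes(bpftool_json, allowed_pids=frozenset()):
    """Return user-space probes attached to libpam by non-allowlisted PIDs."""
    findings = []
    for ev in json.loads(bpftool_json):
        if ev.get("fd_type") not in USER_PROBES:
            continue  # kprobes and tracepoints are out of scope here
        if not is_libpam(ev.get("filename", "")):
            continue
        if ev.get("pid") in allowed_pids:
            continue  # e.g. a sanctioned tracing agent (hypothetical)
        findings.append((ev.get("pid"), ev.get("prog_id"), ev.get("fd_type"),
                         ev.get("filename"), ev.get("offset")))
    return findings


if __name__ == "__main__":
    for pid, prog_id, kind, path, off in find_pam_probes(SAMPLE):
        print(f"ALERT pid={pid} prog_id={prog_id} {kind} on {path}+{off:#x}")
```

The offset alone does not name the hooked symbol, so any unexpected uprobe or uretprobe on libpam deserves review, not only one at pam_get_authtok.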
























