Post Exploitation: Sniffing Logon Passwords with PAM
Summary
This post describes a post-exploitation technique in which an attacker modifies PAM (Pluggable Authentication Modules, the Unix framework that controls how logins are authenticated) to capture user passwords by inserting a malicious script into the authentication pipeline. The attacker adds a bash script that logs the username, password, and source IP address whenever someone logs in. The technique is hard to detect because it runs inside the legitimate system authentication mechanism rather than as a separate process.
Solution / Mitigation
The source explicitly lists three mitigation strategies: (1) 'Test EDR to catch modifications in PAM configurations (also binary patching or entirely replacing/backdooring existing ones)', (2) 'Review the PAM modules and their configuration in your environments', and (3) 'Do a purple team exercise that focuses on PAM modules and related configuration files'.
Classification
Original source: https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%