Offensive BPF: Using bpftrace to sniff PAM logon passwords
Tags: infonews, security
Source: Embrace The Red, July 10, 2022
Summary
This post demonstrates how attackers can use eBPF (extended Berkeley Packet Filter, a technology that lets programs run safely inside the Linux kernel) and bpftrace (a tool for tracing system events) to intercept and steal PAM (Pluggable Authentication Modules, the system that handles login authentication) passwords when users log in. The technique works similarly to a backdoor PAM module but uses eBPF instead, highlighting emerging security risks from new kernel-level attack tools.
Classification
Attack Sophistication: Moderate
Original source: https://embracethered.com/blog/posts/2022/offensive-bpf-bpftrace-sniff-logon-pam-passwords/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%