The article explores Linux persistence techniques by leveraging Pluggable Authentication Modules (PAM). Since Linux environments often lack traditional antivirus, attackers can exploit the ubiquitous nature of SSH and its reliance on PAM for authentication. By replacing standard PAM modules with a malicious version, a security researcher can establish a "skeleton key"—a universal password that works for all accounts regardless of legitimate password changes.
The author demonstrates the "PAM Skeleton Key" tool, a proof-of-concept that automates the process of backdooring PAM modules. This tool not only allows for persistent access via a custom password but can also capture and exfiltrate cleartext credentials to a Discord webhook. The process requires root access but provides a stealthy method for privilege escalation and lateral movement within a compromised environment while maintaining a minimal footprint.
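As an added defensive example (not from the article or the PAM Skeleton Key tool), the following Python script shows the integrity check a defender would run against the module replacement described above: it baselines the hashes of the PAM modules on disk and flags modules that were modified, modules that appeared after the baseline, and modules the pam.d configuration references that the baseline does not know. The directories, module contents and config lines are constructed for the demo.

```python
# Added example: detect replaced or unexpected PAM modules against a trusted baseline.
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(security_dir: Path) -> dict:
    """Record a hash for every shared object in the PAM module directory."""
    return {p.name: sha256_file(p) for p in security_dir.glob("*.so")}

def referenced_modules(pam_d_dir: Path) -> set:
    """Collect module names from 'type control module args' lines under pam.d."""
    names = set()
    for cfg in pam_d_dir.iterdir():
        for line in cfg.read_text().splitlines():
            line = line.split("#", 1)[0]            # drop comments
            m = re.search(r"(\S+\.so)(?=\s|$)", line)
            if m:
                names.add(Path(m.group(1)).name)    # modules may be given by full path
    return names

def audit(security_dir: Path, pam_d_dir: Path, baseline: dict) -> list:
    """Return (finding, module) pairs; an empty list means nothing changed."""
    findings = []
    for name, digest in sorted(build_baseline(security_dir).items()):
        if name not in baseline:
            findings.append(("unknown_module", name))
        elif baseline[name] != digest:
            findings.append(("modified_module", name))
    for name in sorted(referenced_modules(pam_d_dir) - set(baseline)):
        findings.append(("config_references_unknown_module", name))
    return findings

def demo() -> list:
    """Constructed scenario in a temp dir: take a baseline, then simulate a swap."""
    root = Path(tempfile.mkdtemp())
    sec, pamd = root / "security", root / "pam.d"
    sec.mkdir(); pamd.mkdir()
    (sec / "pam_unix.so").write_bytes(b"original pam_unix build")   # constructed
    (sec / "pam_deny.so").write_bytes(b"original pam_deny build")   # constructed
    (pamd / "sshd").write_text("auth required pam_unix.so nullok\n")
    baseline = build_baseline(sec)
    assert audit(sec, pamd, baseline) == []    # clean host: no findings
    # Simulate what the article describes: a module replaced in place and
    # a new module wired into the sshd stack by full path.
    (sec / "pam_unix.so").write_bytes(b"replaced module")            # constructed
    (sec / "pam_extra.so").write_bytes(b"new module")                # constructed
    (pamd / "sshd").write_text("auth required pam_unix.so nullok\n"
                               "auth optional /lib/security/pam_extra.so\n")
    return audit(sec, pamd, baseline)
```

On a real host the baseline should come from package metadata (`dpkg --verify libpam-modules` or `rpm -V pam`) or from a hash store kept off the host, since a baseline file on the same machine can be rewritten by whoever replaced the module.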