Pspy – Monitor Linux Processes Without Root Permissions


pspy is a command line tool designed to snoop on processes without the need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate to your colleagues why passing secrets as arguments on the command line is a bad idea.

The tool gathers its data from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.

Getting started
Get the tool onto the Linux machine you want to inspect. First get the binaries.
You can build them yourself by running make build-build-image to build a docker image used in make build to build 4 binaries:

  • 32 bit big, static version: pspy32
  • 64 bit big, static version: pspy64
  • 32 bit small version: pspy32s
  • 64 bit small version: pspy64s

The statically compiled files should work on any Linux system but are quite large (~4MB). If size is an issue, try the smaller versions which depend on libc and are compressed with UPX (<1MB).

You can run pspy --help to learn about the flags and their meaning. The summary is as follows:

  • -p: enables printing commands to stdout (enabled by default)
  • -f: enables printing file system events to stdout (disabled by default)
  • -r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).
  • -d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).
  • -i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.
  • -c: print events in different colors. Red for new processes, green for new Inotify events.

The default settings should be fine for most applications. Watching files inside /usr is most important since many tools will access libraries inside it.
Some more complex examples:

# print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000

# place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

# disable printing discovered commands but enable file system events
./pspy64 -p=false -f


Cron job watching
To see the tool in action, just clone the repo and run make example (Docker needed). It is known that passing passwords as command line arguments is not safe, and the example can be used to demonstrate it. The command starts a Debian container in which a secret cron job, run by root, changes a user password every minute. pspy runs in the foreground, as user myuser, and scans for processes. You should see output similar to this:

~/pspy (master) $ make example
docker run -it --rm local/pspy-example:latest
[+] cron started
[+] Running as user uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),27(sudo)
[+] Starting pspy now...
Watching recursively    : [/usr /tmp /etc /home /var /opt] (6)
Watching non-recursively: [] (0)
Printing: processes=true file-system events=false
2018/02/18 21:00:03 Inotify watcher limit: 524288 (/proc/sys/fs/inotify/max_user_watches)
2018/02/18 21:00:03 Inotify watchers set up: Watching 1030 directories - watching now
2018/02/18 21:00:03 CMD: UID=0    PID=9      | cron -f
2018/02/18 21:00:03 CMD: UID=0    PID=7      | sudo cron -f
2018/02/18 21:00:03 CMD: UID=1000 PID=14     | pspy
2018/02/18 21:00:03 CMD: UID=1000 PID=1      | /bin/bash /
2018/02/18 21:01:01 CMD: UID=0    PID=20     | CRON -f
2018/02/18 21:01:01 CMD: UID=0    PID=21     | CRON -f
2018/02/18 21:01:01 CMD: UID=0    PID=22     | python3 /root/scripts/
2018/02/18 21:01:01 CMD: UID=0    PID=25     |
2018/02/18 21:01:01 CMD: UID=???  PID=24     | ???
2018/02/18 21:01:01 CMD: UID=0    PID=23     | /bin/sh -c /bin/echo -e "KI5PZQ2ZPWQXJKEL\nKI5PZQ2ZPWQXJKEL" | passwd myuser
2018/02/18 21:01:01 CMD: UID=0    PID=26     | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root
2018/02/18 21:01:01 CMD: UID=101  PID=27     |
2018/02/18 21:01:01 CMD: UID=8    PID=28     | /usr/sbin/exim4 -Mc 1enW4z-00000Q-Mk

First, pspy prints all currently running processes, each with PID, UID and the command line. When pspy detects a new process, it adds a line to this log. In this example, you find a process with PID 23 which seems to change the password of myuser. This is the result of a Python script used in root's private crontab /var/spool/cron/crontabs/root, which executes this shell command (check crontab and script). Note that myuser can see neither the crontab nor the Python script. With pspy, it can see the commands nevertheless.

CTF example from Hack The Box
Below is an example from the machine Shrek from Hack The Box. In this CTF challenge, the task is to exploit a hidden cron job that is changing ownership of all files in a folder. The vulnerability is the insecure use of a wildcard together with chmod (details for the reader). It requires substantial guesswork to find and exploit it. With pspy though, the cron job is easy to find and analyse.

How it works
Tools exist to list all processes executed on Linux systems, including those that have finished. For instance there is forkstat. It receives notifications from the kernel on process-related events such as fork and exec.
These tools require root privileges, but that should not give you a false sense of security. Nothing stops you from snooping on the processes running on a Linux system. A lot of information is visible in procfs as long as a process is running. The only problem is that you have to catch short-lived processes in the very short time span in which they are alive. Scanning the /proc directory for new PIDs in an infinite loop does the trick but consumes a lot of CPU.
A stealthier way is to use the following trick. Processes tend to access files such as libraries in /usr, temporary files in /tmp, log files in /var, … Using the inotify API, you can get notifications whenever these files are created, modified, deleted, accessed, etc. Linux does not require privileged users for this API since it is needed for many innocent applications (such as text editors showing you an up-to-date file explorer). Thus, while non-root users cannot monitor processes directly, they can monitor the effects of processes on the file system.
We can use the file system events as a trigger to scan /proc, hoping that we can do it fast enough to catch the processes. This is what pspy does. There is no guarantee you won't miss one, but chances seem to be good in my experiments. In general, the longer the processes run, the bigger the chance of catching them is.
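
The procfs scan step described above, turned into an audit a defender can run, as an added example that is not pspy's code: every /proc/<pid>/cmdline is a NUL-separated argument vector readable by any local user, so the same scan shows which running commands expose credential-looking arguments. The inotify trigger is left out; the function names, the regex heuristic and the constructed sample tree are assumptions made for this illustration.

```python
import os
import re
import tempfile

# Assumed heuristic for credential-looking arguments (not from pspy).
SECRET_RE = re.compile(r"pass(word|wd)?|secret|token|api[-_]?key", re.I)

def read_cmdline(proc_root, pid):
    """Return argv from the NUL-separated <proc_root>/<pid>/cmdline, or None if gone."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:  # short-lived process exited between listdir() and open()
        return None
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def scan(proc_root, seen):
    """One procfs scan: return {pid: argv} for PIDs not yet in `seen`."""
    new = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit() and entry not in seen:
            seen.add(entry)
            argv = read_cmdline(proc_root, entry)
            if argv:  # kernel threads have an empty cmdline
                new[entry] = argv
    return new

def exposed_secrets(procs):
    """PIDs whose command line carries a credential-looking argument."""
    return sorted(p for p, a in procs.items() if any(SECRET_RE.search(x) for x in a))

def build_sample_tree():
    """Constructed stand-in for /proc so the example runs offline."""
    root = tempfile.mkdtemp()
    sample = {
        "9": b"cron\0-f\0",
        "23": b"/bin/sh\0-c\0/bin/echo -e CONSTRUCTED | passwd myuser\0",
        "40": b"backup\0--password=CONSTRUCTED\0",
        "41": b"",  # kernel-thread style entry
    }
    for pid, data in sample.items():
        os.mkdir(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    root = build_sample_tree()  # use "/proc" to audit a live host
    print(exposed_secrets(scan(root, set())))
```

Any PID this reports is leaking its arguments to every local account for as long as the process lives; passing the secret through a file with restricted permissions or through stdin keeps it out of the command line.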

