Skip to content
/ Hawk Public

Golang tool designed to exfiltrate passwords found via the sshd and su services

4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ProDefense/Hawk

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
helpers.go
helpers.go
 
 
main.go
main.go
 
 
ssh_tracer.go
ssh_tracer.go
 
 
su_tracer.go
su_tracer.go
 
 
sudo_tracer.go
sudo_tracer.go
 
 

Repository files navigation



Hawk

Hawk is a lightweight Golang tool designed to monitor the sshd, sudo and su services for passwords on Linux systems. It reads the content of the proc directory to capture events, and ptrace to trace syscalls related to password-based authentication.

Blog Post

https://www.prodefense.io/blog/hawks-prey-snatching-ssh-credentials

Features

  • Monitors SSH, SUDO and SU commands for passwords
  • Reads memory from sshd, sudo and sudo syscalls without writing to traced processes
  • Exfiltrates passwords via HTTP/S requests to a specified web server
  • Inspired by 3snake

Build

GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o hawk

Usage

  1. Adjust the HTTP Server location in the main.go file.
  2. Build Hawk using the provided command.
  3. Run Hawk with ./hawk.

Limitations

  • Linux systems with ptrace enabled
  • /proc filesystem must be mounted

Disclaimer

This tool is intended for ethical and educational purposes only. Unauthorized use is prohibited. Use at your own risk.

Credits

Hawk is inspired by the work of blendin and their tool 3snake.

About

Golang tool designed to exfiltrate passwords found via the sshd and su services

Topics

golang persistence hacking sshd penetration-testing information-security ccdc linux-persistence

Resources

Readme
Activity
Custom properties

Stars

4 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages