Hawk

Hawk is a lightweight Golang tool designed to monitor the sshd, sudo and su services for passwords on Linux systems. It reads the content of the proc directory to capture events, and ptrace to trace syscalls related to password-based authentication.

Blog Post

https://www.prodefense.io/blog/hawks-prey-snatching-ssh-credentials

Features

Monitors SSH, SUDO and SU commands for passwords
Reads memory from sshd, sudo and sudo syscalls without writing to traced processes
Exfiltrates passwords via HTTP/S requests to a specified web server
Inspired by 3snake

Build

GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o hawk

Usage

Adjust the HTTP Server location in the main.go file.
Build Hawk using the provided command.
Run Hawk with ./hawk.

Limitations

Linux systems with ptrace enabled
/proc filesystem must be mounted

Disclaimer

This tool is intended for ethical and educational purposes only. Unauthorized use is prohibited. Use at your own risk.

Credits

Hawk is inspired by the work of blendin and their tool 3snake.

Name		Name	Last commit message	Last commit date
Latest commit History 64 Commits
.gitignore		.gitignore
README.md		README.md
go.mod		go.mod
helpers.go		helpers.go
main.go		main.go
ssh_tracer.go		ssh_tracer.go
su_tracer.go		su_tracer.go
sudo_tracer.go		sudo_tracer.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.gitignore

.gitignore

README.md

README.md

go.mod

go.mod

helpers.go

helpers.go

main.go

main.go

ssh_tracer.go

ssh_tracer.go

su_tracer.go

su_tracer.go

sudo_tracer.go

sudo_tracer.go

Repository files navigation

Hawk

Blog Post

Features

Build

Usage

Limitations

Disclaimer

Credits

About

Releases

Languages

ProDefense/Hawk

Folders and files

Latest commit

History

Repository files navigation

Hawk

Blog Post

Features

Build

Usage

Limitations

Disclaimer

Credits

About

Topics

Resources

Stars

Watchers

Forks

Languages