Impost3r
Impost3r is a Linux password-theft tool written in C that captures sudo, SSH, and su credentials by injecting malicious code into shell startup files or PAM modules. It is designed for red-team and penetration-testing scenarios, exfiltrating stolen passwords via DNS or local storage.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ph4ntonn/Impost3r |
| Owner | ph4ntonn |
| Primary language | C |
| License | MIT — OSI-approved |
| Stars | 663 |
| Forks | 122 |
| Open issues | 1 |
| Latest release | Unknown |
| Last updated | 2025-02-27 |
| Source | https://github.com/ph4ntonn/Impost3r |
What Impost3r is
Impost3r operates in two modes: sudo-password capture (via .bashrc/.bash_profile aliasing, requiring user-level privileges) and SSH/su capture (via PAM module injection at /lib/x86_64-linux-gnu/security/, requiring root). It encodes stolen credentials and transmits them over DNS protocol (UDP port 53) or stores them locally; sudo mode auto-cleans artifacts after success.
Get the Impost3r source
Clone the repository and explore it locally.
git clone https://github.com/ph4ntonn/Impost3r.gitcd Impost3r# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires full source-code customization (paths, domains, exfiltration addresses) before compilation; no pre-built binary distribution reduces barrier to misuse but increases operational overhead.
- Sudo-mode payload must be injected into user shell-profile files (.bashrc, .bash_profile, .profile, .bash_login) with careful ordering logic; incorrect profile-loading sequence causes silent failure.
- SSH/su-mode requires root privileges and PAM-module placement in distro-specific paths (/lib/x86_64-linux-gnu/security/ on Ubuntu; other systems vary); testing on target OS before deployment is mandatory.
- DNS exfiltration mode requires attacker to operate authoritative DNS server (e.g., Fdns); requires coordination between compiled binary's REMOTE_ADDRESS/REMOTE_PORT and attacker's DNS infrastructure.
- Artifact cleanup is automatic only in sudo-mode; SSH/su-mode leaves PAM-module injection and sshd config changes in place, requiring manual forensic cleanup by attacker.
When to avoid it — and what to weigh
- Production or Unauthorized Use — Any deployment without explicit written authorization from system owner. Unauthorized credential theft violates computer fraud and access laws in most jurisdictions; author disclaims liability.
- No Network Segmentation or DNS Monitoring — Environments with no egress DNS filtering or threat intelligence on exfiltration channels. Modern SOC/SIEM will flag anomalous DNS queries; tool is not designed for stealth against mature security stacks.
- Multi-User or High-Privilege Systems — Shared systems with audit logging enabled or systems running SELinux/AppArmor in enforcing mode. PAM-module injection and .bashrc tampering will trigger audit alerts; sudo-mode cleanup is incomplete in ssh/su modes.
- No Operational Security (OpSec) Plan — If you cannot manage DNS infrastructure, DNS-exfiltration domain registration, or trace C2 infrastructure back to yourself. Tool requires attacker-controlled DNS server or domain to function; attribution risk is high.
License & commercial use
MIT License. Permits commercial use, modification, and distribution with attribution. No warranty provided. Author explicitly disclaims legal liability for misuse.
Requires careful review. MIT license permits commercial use, but tool's explicit purpose is credential theft and post-exploitation attack. Commercial deployment (e.g., security consulting, red-team services) is legally possible under MIT but incurs significant liability risk unless scope is strictly authorized in written engagement contract with customer and proper insurance is in place. Not suitable for products or SaaS platforms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | High |
Tool is weaponized malware for credential theft. Deployment introduces significant host-compromise risk: (1) requires attacker to write files to writable host paths (e.g., /tmp/, /lib/), risking antivirus/HIDS detection, (2) shell-profile and PAM-module injection are artifact-heavy and logged by audit frameworks, (3) DNS exfiltration is detectable by passive network monitoring or DNS logging, (4) no obfuscation/encoding of binary or payloads beyond base-encoding of exfiltrated data. Not suitable for advanced persistent threat (APT) campaigns against mature defenders. Recommended only in fully isolated lab environments or authorized red-team assessments with comprehensive monitoring disabled per rules of engagement.
Alternatives to consider
Metasploit Framework (incognito/credential modules)
Industry-standard red-team toolkit with credential-capture modules, automated artifact cleanup, and C2 integration. Better operationalization and support, but requires Metasploit licensing for commercial use.
Covenant (SharpHandler/Grunt modules)
.NET-based C2 framework with native credential-capture and exfiltration modules. Better integration with Windows domains and logging; Linux support is lighter but present.
Custom PAM/pam_unix patching (in-house development)
Organizations can fork and customize pam_unix source for tailored credential-capture aligned with specific audit/compliance scope, avoiding third-party attribution and licensing constraints.
Build on Impost3r with DEV.co software developers
Impost3r is a weaponized security tool. Use only in authorized, isolated environments (lab, red-team engagement with written approval). Unauthorized deployment violates laws. Consult legal counsel and your security team before any real-world deployment.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
Impost3r FAQ
Does Impost3r work against accounts with sudo privileges if the attacker does not have sudo?
Can Impost3r exfiltrate passwords without outbound internet access?
Does Impost3r evade modern EDR or SIEM solutions?
Can I use Impost3r in a commercial red-team engagement?
Custom software development services
Need help beyond evaluating Impost3r? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Not for Production—Authorize Before Use
Impost3r is a weaponized security tool. Use only in authorized, isolated environments (lab, red-team engagement with written approval). Unauthorized deployment violates laws. Consult legal counsel and your security team before any real-world deployment.