DEV.co
Open-Source Security · ph4ntonn

Impost3r

Impost3r is a Linux password-theft tool written in C that captures sudo, SSH, and su credentials by injecting malicious code into shell startup files or PAM modules. It is designed for red-team and penetration-testing scenarios, exfiltrating stolen passwords via DNS or local storage.

Source: GitHub — github.com/ph4ntonn/Impost3r
663
GitHub stars
122
Forks
C
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryph4ntonn/Impost3r
Ownerph4ntonn
Primary languageC
LicenseMIT — OSI-approved
Stars663
Forks122
Open issues1
Latest releaseUnknown
Last updated2025-02-27
Sourcehttps://github.com/ph4ntonn/Impost3r

What Impost3r is

Impost3r operates in two modes: sudo-password capture (via .bashrc/.bash_profile aliasing, requiring user-level privileges) and SSH/su capture (via PAM module injection at /lib/x86_64-linux-gnu/security/, requiring root). It encodes stolen credentials and transmits them over DNS protocol (UDP port 53) or stores them locally; sudo mode auto-cleans artifacts after success.

Quickstart

Get the Impost3r source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ph4ntonn/Impost3r.gitcd Impost3r# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized Red-Team Engagements

Controlled penetration tests where engagement scope explicitly permits credential-capture simulation and DNS exfiltration is part of the assessment (e.g., testing detection of shell-profile tampering or PAM-module injection).

Security Research & Lab Isolation

Isolated lab environments to demonstrate shell-based privilege-escalation attack chains, credential-harvesting mechanics, and post-exploitation cleanup strategies for educational purposes.

Endpoint Detection & Response (EDR) Testing

Validating EDR or SIEM rules that detect suspicious .bashrc/.bash_profile modifications, PAM-module injection, or anomalous DNS queries from application processes.

Implementation considerations

  • Requires full source-code customization (paths, domains, exfiltration addresses) before compilation; no pre-built binary distribution reduces barrier to misuse but increases operational overhead.
  • Sudo-mode payload must be injected into user shell-profile files (.bashrc, .bash_profile, .profile, .bash_login) with careful ordering logic; incorrect profile-loading sequence causes silent failure.
  • SSH/su-mode requires root privileges and PAM-module placement in distro-specific paths (/lib/x86_64-linux-gnu/security/ on Ubuntu; other systems vary); testing on target OS before deployment is mandatory.
  • DNS exfiltration mode requires attacker to operate authoritative DNS server (e.g., Fdns); requires coordination between compiled binary's REMOTE_ADDRESS/REMOTE_PORT and attacker's DNS infrastructure.
  • Artifact cleanup is automatic only in sudo-mode; SSH/su-mode leaves PAM-module injection and sshd config changes in place, requiring manual forensic cleanup by attacker.

When to avoid it — and what to weigh

  • Production or Unauthorized Use — Any deployment without explicit written authorization from system owner. Unauthorized credential theft violates computer fraud and access laws in most jurisdictions; author disclaims liability.
  • No Network Segmentation or DNS Monitoring — Environments with no egress DNS filtering or threat intelligence on exfiltration channels. Modern SOC/SIEM will flag anomalous DNS queries; tool is not designed for stealth against mature security stacks.
  • Multi-User or High-Privilege Systems — Shared systems with audit logging enabled or systems running SELinux/AppArmor in enforcing mode. PAM-module injection and .bashrc tampering will trigger audit alerts; sudo-mode cleanup is incomplete in ssh/su modes.
  • No Operational Security (OpSec) Plan — If you cannot manage DNS infrastructure, DNS-exfiltration domain registration, or trace C2 infrastructure back to yourself. Tool requires attacker-controlled DNS server or domain to function; attribution risk is high.

License & commercial use

MIT License. Permits commercial use, modification, and distribution with attribution. No warranty provided. Author explicitly disclaims legal liability for misuse.

Requires careful review. MIT license permits commercial use, but tool's explicit purpose is credential theft and post-exploitation attack. Commercial deployment (e.g., security consulting, red-team services) is legally possible under MIT but incurs significant liability risk unless scope is strictly authorized in written engagement contract with customer and proper insurance is in place. Not suitable for products or SaaS platforms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

Tool is weaponized malware for credential theft. Deployment introduces significant host-compromise risk: (1) requires attacker to write files to writable host paths (e.g., /tmp/, /lib/), risking antivirus/HIDS detection, (2) shell-profile and PAM-module injection are artifact-heavy and logged by audit frameworks, (3) DNS exfiltration is detectable by passive network monitoring or DNS logging, (4) no obfuscation/encoding of binary or payloads beyond base-encoding of exfiltrated data. Not suitable for advanced persistent threat (APT) campaigns against mature defenders. Recommended only in fully isolated lab environments or authorized red-team assessments with comprehensive monitoring disabled per rules of engagement.

Alternatives to consider

Metasploit Framework (incognito/credential modules)

Industry-standard red-team toolkit with credential-capture modules, automated artifact cleanup, and C2 integration. Better operationalization and support, but requires Metasploit licensing for commercial use.

Covenant (SharpHandler/Grunt modules)

.NET-based C2 framework with native credential-capture and exfiltration modules. Better integration with Windows domains and logging; Linux support is lighter but present.

Custom PAM/pam_unix patching (in-house development)

Organizations can fork and customize pam_unix source for tailored credential-capture aligned with specific audit/compliance scope, avoiding third-party attribution and licensing constraints.

Software development agency

Build on Impost3r with DEV.co software developers

Impost3r is a weaponized security tool. Use only in authorized, isolated environments (lab, red-team engagement with written approval). Unauthorized deployment violates laws. Consult legal counsel and your security team before any real-world deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Impost3r FAQ

Does Impost3r work against accounts with sudo privileges if the attacker does not have sudo?
Sudo-mode works with user-level privileges but only captures the current user's sudo password (not other users'). SSH/su modes require root and can capture any user's credentials; they require prior privilege escalation.
Can Impost3r exfiltrate passwords without outbound internet access?
Yes, if SAVE_OR_SEND is set to 1 (local save mode), credentials are written to a local file (e.g., /tmp/.cache) without DNS exfiltration. Attacker must then retrieve the file via separate means (e.g., SSH, SCP).
Does Impost3r evade modern EDR or SIEM solutions?
No. Shell-profile modifications, PAM-module injection, and DNS exfiltration are well-understood attack patterns detected by mature endpoint detection and network monitoring. Tool is not designed for stealth against enterprise security stacks.
Can I use Impost3r in a commercial red-team engagement?
MIT license permits commercial use, but you must obtain explicit written authorization from the system owner and include comprehensive scope/liability clauses in your engagement contract. Unauthorized use violates computer fraud laws. Insurance and legal counsel are strongly advised.

Custom software development services

Need help beyond evaluating Impost3r? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Not for Production—Authorize Before Use

Impost3r is a weaponized security tool. Use only in authorized, isolated environments (lab, red-team engagement with written approval). Unauthorized deployment violates laws. Consult legal counsel and your security team before any real-world deployment.