Intro to PAMSkeletonKey for Persistence w/ Ben Bowman

Description

How does PAM abuse fit into a real‑world attack chain?

🛝 Webcast Slides
https://www.blackhillsinfosec.com/wp-content/uploads/2026/04/PAM_Tool_Slide_Deck.pdf

Join us for a free one‑hour BHIS webinar with Ben Bowman as he introduces PAMSkeletonKey, a tool designed for red teamers and CTF players to explore persistence, lateral movement, and privilege escalation on Linux systems.

Ben will teach why the tool was created, how to use it safely in lab environments, and what this technique means for defenders working to detect or prevent authentication abuse.

You'll learn a practical understanding of Linux PAM (Pluggable Authentication Modules) authentication and how it can be abused to create a skeleton‑key backdoor for persistence.

Get started with PAMSkeletonKey: https://github.com/her3ticAVI/PAMSkeletonKey

Chapters

(00:00) - Intro – 2026-04-02 Intro to PAMSkeletonKey for Persistence - Ben Bowman
(01:33) - What I Don't Know
(02:14) - Remember Mimikatz? Me neither.
(03:59) - What is PAM?
(04:43) - PAM Architecture Deep Dive
(06:54) - PAM Module Types
(08:25) - How PAM Authentication Works
(12:18) - What does this tell us?
(13:44) - What Code Changes Do We Make?
(17:28) - Pivoting & Attack Scenarios
(18:57) - The Topic of Stolen Valor
(21:14) - The Improvements
(25:50) - Demo Time
(41:57) - References
(45:39) - Q&A
(59:00) - Antisyphon Training's New LMS Walk Through

Creators & Guests