Tags: post exploitation, process monitoring, enumeration, cron, linux, ctf

pspy

pspy is a command line tool that monitors Linux processes without requiring root permissions. It reveals commands run by other users, cron jobs, and process activities in real-time.

Description

pspy is designed to snoop on processes without the need for root permissions, making it ideal for enumeration during Capture The Flag (CTF) challenges and security assessments. The tool captures real-time process execution, including commands executed by other users and scheduled cron jobs as they run. This visibility helps identify system activities that might otherwise remain hidden.

A key use case for pspy is demonstrating poor security practices, such as passing secrets as command line arguments, which become visible to anyone running the tool. It's particularly valuable in environments where limited privileges restrict traditional monitoring tools. By observing process creation and file system events, users can map out system behavior and potential attack vectors.

The tool operates stealthily without elevated access, providing insights into dynamic system operations. It's also useful for educational purposes, showing colleagues the risks of insecure command line practices.

How It Works

pspy periodically scans for new processes at configurable intervals (default 100ms) and monitors specified directories for activity. It leverages Linux system calls and file system event polling to detect process creation without root access. Features include printing process events, file system events, and optionally recording parent process IDs (PPIDs). Color-coded output and debug modes enhance usability for detailed analysis.
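To make the polling mechanism above concrete, and to show why secrets passed as arguments are visible to any local user, here is a minimal Python poller written for this page (not pspy's own source). It reads /proc the way pspy does and reports only the names of flags that commonly carry secrets; the flag list and the sample cmdline are constructed, and the scan loop assumes a Linux host with /proc mounted.

```python
from __future__ import annotations
import os
import re
import time

# Flag names that commonly carry a secret value on the command line.
# Constructed list for this example; extend it with your own conventions.
SECRET_FLAG = re.compile(
    r"^--?(password|passwd|pass|token|secret|api[-_]?key)(=|$)", re.I)

# Constructed sample of /proc/<pid>/cmdline: arguments are NUL-separated.
SAMPLE_CMDLINE = b"mysql\0-u\0backup\0--password=hunter2\0inventory\0"

def parse_cmdline(raw: bytes) -> list[str]:
    """Split the raw contents of /proc/<pid>/cmdline into argv."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def find_exposed_secrets(argv: list[str]) -> list[str]:
    """Return the names of flags in argv that carry a secret value.
    Only the flag name is reported, never the value, so the report
    itself does not repeat what the command line already exposes."""
    return [m.group(1).lower() for tok in argv[1:]
            if (m := SECRET_FLAG.match(tok))]

def scan_proc(seen: set[int]) -> dict[int, list[str]]:
    """One polling pass: read argv of every PID not seen before.
    No root is needed because /proc/<pid>/cmdline is world-readable."""
    found: dict[int, list[str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit() or int(name) in seen:
            continue
        pid = int(name)
        seen.add(pid)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                found[pid] = parse_cmdline(f.read())
        except OSError:
            pass  # process exited between listdir() and open()
    return found

def monitor(interval_ms: int = 100) -> None:
    """Poll /proc every interval_ms (pspy's -i) and report new processes."""
    seen: set[int] = set()
    while True:
        for pid, argv in scan_proc(seen).items():
            flags = find_exposed_secrets(argv)
            note = f"  <-- secret passed via {flags}" if flags else ""
            print(f"PID={pid} CMD={' '.join(argv)}{note}")
        time.sleep(interval_ms / 1000)
```

Call monitor() as an ordinary user on a host you administer to audit which of your own jobs pass secrets in argv; short-lived processes that exit within one interval are missed, which is why pspy also watches file system events.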

Installation

```bash
sudo apt install pspy
```

Flags

-c, --color        color the printed events (default true)
    --debug        print detailed error messages
-d, --dirs         watch these dirs
-f, --fsevents     print file system events to stdout
-h, --help         help for pspy
-i, --interval     scan every 'interval' milliseconds for new processes (default 100)
    --ppid         record process ppids
-p, --procevents   print new processes to stdout (default true)

Examples

Display help and usage information for pspy
pspy -h
Monitor processes with default settings (procevents enabled, 100ms interval, colored output)
pspy
Run pspy without printing new process events to stdout
pspy -p=false
Scan for new processes every 500 milliseconds
pspy -i 500
Print file system events to stdout while monitoring processes
pspy -f
Monitor processes and record parent process IDs
pspy --ppid
Monitor processes without colored output
pspy -c=false
Run with detailed error messages for troubleshooting
pspy --debug
Updated 2026-04-16. Source: kali.org