Cred Hunting
Configuration Files
Configuration files drive the behaviour of most Linux services and frequently embed credentials, so they are worth reviewing early. Quote the glob so the shell does not expand it against the current directory before find sees it.
for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
Credentials in Configuration Files
Grep each config file for user/password strings. Only drop lines that begin with a comment marker; the original "grep -v #" variant also hides any value that happens to contain a # character.
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep -i "user\|password\|pass" "$i" 2>/dev/null | grep -v "^[[:space:]]*#"; done
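The same search as a reusable pair of functions, added here as an example (it is not part of the original notes). It keeps real values that contain a # (a naive "grep -v #" drops them), skips only lines whose first non-blank character is # or ;, and requires the keyword to sit in the key part before = or :. The sample config and its values are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: grep config files for credential
# assignments without hiding real values. Only lines whose first non-blank character
# is '#' or ';' are treated as comments; the keyword must appear before '=' or ':'.

# usage: find_config_creds <file>  ->  path:lineno:text for each credential-looking line
find_config_creds() {
    local file="$1"
    # -H/-n prefix every hit with "path:lineno:", which the second grep relies on
    # (assumes the path itself contains no ':').
    grep -HnEi '(user|pass|pwd|secret|token|api[_-]?key)[^=:]*[=:]' "$file" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*[#;]'
}

# usage: scan_config_tree [root]  ->  same, for every *.conf/*.config/*.cnf/*.ini under root
scan_config_tree() {
    local root="${1:-/}"
    find "$root" -type f \( -name '*.conf' -o -name '*.config' -o -name '*.cnf' -o -name '*.ini' \) 2>/dev/null \
        | grep -v 'lib\|fonts\|share\|core' \
        | while IFS= read -r f; do find_config_creds "$f"; done
}

# Demo on a constructed config file (every value below is made up):
demo_dir=$(mktemp -d)
cat > "$demo_dir/app.conf" <<'EOF'
# password = old_commented_out
db_host = localhost
password = Pa#ss
  ; user = also_a_comment
DB_USER: app
EOF
scan_config_tree "$demo_dir"
rm -rf "$demo_dir"
```

On a real host run scan_config_tree / (or a narrower root such as /etc or /opt); expect the two uncommented hits above (password = Pa#ss and DB_USER: app) from the demo, and nothing from the two commented lines.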
Databases
for l in ".sql" ".db" ".*db" ".db*"; do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done
Notes
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null
Scripts
for l in .py .pyc .pl .go .jar .c .sh; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done
Cronjobs
cat /etc/crontab
ls -la /etc/cron.*/
SSH Keys
Private Keys
The trailing grep keeps only matches on line 1, i.e. files that start with a key header; drop it to also catch keys pasted into the middle of other files.
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"
Public Keys
grep -rnw "ssh-rsa\|ssh-ed25519\|ecdsa-sha2" /home/* 2>/dev/null | grep ":1:"
History
Bash and other history files
Besides .bash_history, clients such as zsh, mysql, psql and python keep their own *_history files that often contain passwords typed on the command line.
tail -n5 /home/*/.*_history 2>/dev/null
Logs
PAT="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"; for i in $(find /var/log -type f 2>/dev/null); do if grep -q "$PAT" "$i" 2>/dev/null; then echo -e "\n#### Log file: $i"; grep "$PAT" "$i" 2>/dev/null; fi; done
Memory
Mimipenguin
Dumps the login password of the current Linux user from memory; needs root. Get it from here [LINK]
sudo python3 mimipenguin.py
Lazagne
A very good credential-extraction tool that works on both Linux and Windows. Get it from here [LINK]
sudo python3 laZagne.py all
Passwd
The /etc/passwd file contains information about every user on the system and is readable by all users and services. An "x" in the password field means the password hash is stored in /etc/shadow; anything else in that field is either a world-readable hash or an empty password (no password required).

venator17:x:1000:0:carnifex17,,,:/home/carnifex17:/bin/bash

<username>:<password info>:<UID>:<GID>:<Full name/comments>:<home directory>:<shell>

Note the primary GID of 0 in the example: that user is a member of the root group, which is worth flagging.
Shadow
The /etc/shadow file contains the password hashes and password-ageing data for every user and is normally readable only by root (and the shadow group).

venator17:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::

<username>:<encrypted password>:<day of last change>:<min age>:<max age>:<warning period>:<inactivity period>:<expiration date>:<reserved field>

The day fields count days since 1970-01-01 (18955 above is 2021-11-24). An empty password field means the account has no password; a field beginning with ! or * is locked.

Hash structure is
$<type>$<salt>$<hashed>
where the type prefix identifies the algorithm: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $2b$ bcrypt, $y$ yescrypt (as above; yescrypt inserts a parameter string such as j9T between the type and the salt).
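A triage script for the Passwd and Shadow sections above, added here as an example (not code from the original notes). It names the hash algorithm from the prefix, converts the "days since 1970-01-01" field to a date with integer arithmetic only (no GNU date needed), and flags what a reviewer looks for first: a hash or empty password sitting in /etc/passwd, additional UID/GID 0 accounts, and empty shadow password fields. The sample lines are constructed; "venator17" mirrors the page's example, the other users are invented.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: /etc/passwd + /etc/shadow triage.
# Run as root against the real files: audit_accounts /etc/passwd /etc/shadow

# Classify a password field by its prefix (shadow field 2, or passwd field 2).
hash_type() {
    case "$1" in
        "")                      echo "EMPTY(no-password)" ;;
        '!'*|'*'*)               echo "locked/no-login" ;;
        x)                       echo "in-shadow" ;;
        '$y$'*)                  echo "yescrypt" ;;
        '$7$'*)                  echo "scrypt" ;;
        '$6$'*)                  echo "sha512crypt" ;;
        '$5$'*)                  echo "sha256crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$1$'*)                  echo "md5crypt" ;;
        *)                       echo "DES/other" ;;
    esac
}

# Days since 1970-01-01 -> YYYY-MM-DD (standard civil-from-days algorithm,
# valid for non-negative day counts; avoids depending on GNU date -d).
days_to_date() {
    local z era doe yoe y doy mp d m
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    [ "$m" -le 2 ] && y=$(( y + 1 ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# usage: audit_accounts <passwd-file> <shadow-file>
# prints one line per user: user uid gid shell hash-type last-change [FLAGS...]
audit_accounts() {
    local passwd="$1" shadow="$2"
    local user pw uid gid gecos home shell entry spw last htype when flags
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        # Matching shadow entry; empty if the user has none.
        entry=$(grep -- "^$user:" "$shadow" 2>/dev/null | head -n 1)
        spw=$(printf '%s' "$entry" | cut -d: -f2)
        last=$(printf '%s' "$entry" | cut -d: -f3)
        flags=""
        # On a shadowed system only "x" belongs in passwd field 2.
        case "$pw" in
            x)  ;;
            "") flags="$flags NO-PASSWORD" ;;
            *)  flags="$flags HASH-IN-PASSWD" ;;
        esac
        [ -n "$entry" ] && [ -z "$spw" ] && flags="$flags EMPTY-SHADOW-PASSWORD"
        [ "$uid" = 0 ] && [ "$user" != root ] && flags="$flags UID0"
        [ "$gid" = 0 ] && [ "$user" != root ] && flags="$flags GID0"
        if [ -n "$entry" ]; then htype=$(hash_type "$spw"); else htype=$(hash_type "$pw"); fi
        when="-"
        [ -n "$last" ] && when=$(days_to_date "$last")
        printf '%s %s %s %s %s %s%s\n' "$user" "$uid" "$gid" "$shell" "$htype" "$when" "$flags"
    done < "$passwd"
}

# Demo on constructed sample files (hash values are placeholders, not real hashes).
pwf=$(mktemp); shf=$(mktemp)
printf '%s\n' \
  'root:x:0:0:root:/root:/bin/bash' \
  'venator17:x:1000:0:carnifex17,,,:/home/carnifex17:/bin/bash' \
  'backup:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::/home/backup:/bin/sh' \
  'guest::1002:1002::/home/guest:/bin/sh' > "$pwf"
printf '%s\n' \
  'root:!:18955:0:99999:7:::' \
  'venator17:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::' \
  'guest::18955:0:99999:7:::' > "$shf"
audit_accounts "$pwf" "$shf"
rm -f "$pwf" "$shf"
```

On the sample data venator17 reports as yescrypt with last change 2021-11-24 and the GID0 flag, backup is flagged HASH-IN-PASSWD (an md5crypt hash readable by everyone), and guest gets NO-PASSWORD plus EMPTY-SHADOW-PASSWORD.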