Cred Hunting
7/27/2025, 8:30:00 PM
Configuration Files
Configuration files are at the core of how services work on Linux, so analyzing them is very useful.
for l in $(echo ".conf .config .cnf"); do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
Credentials in Configuration Files
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep "user\|password\|pass" "$i" 2>/dev/null | grep -v "\#"; done
Databases
for l in .sql .db '.*db' '.db*'; do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done
Notes
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)
Scripts
for l in $(echo ".py .pyc .pl .go .jar .c .sh"); do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done
Cronjobs
SSH Keys
Private Keys
Public Keys
History
Bash
Logs
Memory
Mimipenguin
A tool that dumps the login password of the current Linux user, available here [LINK]
Lazagne
A very good credential extraction tool. It works on Linux and Windows, and you can find it here [LINK]
Passwd
The /etc/passwd file contains information about every existing user on the system and can be read by all users and services. An x in the password info field means that the hash is stored in the shadow file.
rio:x:1000:0:carnifex17,,,:/home/rio:/bin/bash
<username>:<password info>:<UID>:<GID>:<Full name/comments>:<home directory>:<shell>
Shadow
The /etc/shadow file contains the password hashes for users.
rio:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::
<username>:<encrypted password>:<day of last change>:<min age>:<max age>:<warning period>:<inactivity period>:<expiration date>:<reserved field>
The hash structure is:
$<type>$<salt>$<hashed>
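A hardening check built on the passwd and shadow formats above, as an added example that is not part of the original page: it reads passwd- and shadow-format lines and reports password info kept in the world-readable passwd file, empty passwords, and legacy hash types. The function names are hypothetical, the scheme names follow crypt(5) rather than the page, and every sample line except the page's rio entries is constructed.

```shell
# Added example (not from the page): audit passwd/shadow-format lines.
# Map a password field to a scheme name using its $<type>$ prefix.
# yescrypt carries an extra parameter field: $y$<params>$<salt>$<hashed>.
hash_scheme() {
    case "$1" in
        '')                       echo empty ;;        # no password required
        '!'*|'*'*)                echo locked ;;       # password login disabled
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        '$'*)                     echo unknown ;;
        *)                        echo des-legacy ;;   # no $<type>$ prefix
    esac
}

# passwd format on stdin: report entries whose field 2 is not "x",
# i.e. the password info sits in the world-readable file itself.
audit_passwd() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        [ "$pw" = "x" ] || echo "$user $(hash_scheme "$pw")"
    done
}
# shadow format on stdin: report empty passwords and legacy schemes.
audit_shadow() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        scheme=$(hash_scheme "$pw")
        case "$scheme" in
            empty|md5crypt|des-legacy) echo "$user $scheme" ;;
        esac
    done
}
# Sample input: the rio lines are the page's, the rest is constructed.
sample_passwd() { cat <<'EOF'
rio:x:1000:0:carnifex17,,,:/home/rio:/bin/bash
old:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1001:1001::/home/old:/bin/sh
EOF
}
sample_shadow() { cat <<'EOF'
rio:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::
legacy:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
svc::18955:0:99999:7:::
daemon:*:18000:0:99999:7:::
EOF
}
echo "passwd findings:"; sample_passwd | audit_passwd
echo "shadow findings:"; sample_shadow | audit_shadow
```

On a host you administer, the same functions can be fed the real files, for example `audit_passwd < /etc/passwd` and, as root, `audit_shadow < /etc/shadow`.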