Cred Hunting

Configuration Files

Configuration files are core of the functionality of services in Linux, so analyzing it would be very useful.

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

Credentials in Configuration Files

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

Databases

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Notes

find /home/* -type f -name "*.txt" -o ! -name "*.*"

Scripts

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Cronjobs

cat /etc/crontab

 ls -la /etc/cron.*/

SSH Keys

Private Keys

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public Keys

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

History

Bash

tail -n5 /home/*/.bash*

Logs

for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

Memory

Mimipenguin

sudo python3 mimipenguin.py

Lazagne

sudo python3 laZagne.py all

Passwd

The /etc/passwd file contains information about every existing user on the system and can be read by all users and services. x in password info section means that hash is stored in shadow file

venator17:

x:

1000:

0:

carnifex17,,,:

/home/carnifex17:

/bin/bash

<username>:

<password info>:

<UID>:

<GUID>:

<Full name/comments>:

<home directory>:

<shell>:

Shadow

The /etc/shadow file contains hashes for users.

venator17:

$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:

18955:

0:

99999:

7:

:

<username>:

<encrypted password>:

<day of last change>:

<min age>:

<max age>:

<warning period>:

<inactivity period>:

<expiration date>:

<reserved field>

Hash structure is $<type>$<salt>$<hashed>

PreviousPost-Exploitation NextPivoting

Configuration Files

Configuration files are core of the functionality of services in Linux, so analyzing it would be very useful.

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

Credentials in Configuration Files

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

History

Bash

tail -n5 /home/*/.bash*

Logs

for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

Passwd

The /etc/passwd file contains information about every existing user on the system and can be read by all users and services. x in password info section means that hash is stored in shadow file

venator17:

x:

1000:

0:

carnifex17,,,:

/home/carnifex17:

/bin/bash

<username>:

<password info>:

<UID>:

<GUID>:

<Full name/comments>:

<home directory>:

<shell>: