Linux Local Password Attacks

Overview of Credential Hunting

Credential hunting is a critical phase in penetration testing and privilege escalation, involving systematic exploration of various system sources to uncover sensitive authentication information.

Key Credential Sources

1. File-based Credential Sources

Configuration files
Databases
Notes and scripts
Cronjobs
SSH Keys

2. Historical Information Sources

Command history
Bash-related files
Log files

3. Memory and Credential Storage

System memory
Browser credentials
Keyrings

Systematic Credential Extraction Methodology

1. Configuration Files Reconnaissance

Command for Scanning Configuration Files:

for l in $(echo ".conf .config .cnf");do 
  echo -e "\nFile extension: " $l; 
  find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done

Key Search Strategies:
- Look for files with .conf, .config, .cnf extensions
- Use grep to search for keywords: user, password, pass
- Exclude unnecessary system directories

2. Database File Discovery

Command for Database File Hunting:

for l in $(echo ".sql .db .*db .db*");do 
  echo -e "\nDB File extension: " $l; 
  find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
done

Focus Areas:
- SQL databases
- .db files
- Hidden database files

3. SSH Key Exploration

Private Key Search:

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public Key Search:

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

4. Comprehensive Log Analysis

Log File Scanning Command:

for i in $(ls /var/log/* 2>/dev/null);do 
  GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null)
  if [[ $GREP ]];then 
    echo -e "\n#### Log file: " $i
    grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null
  fi
done

Credential Extraction Tools

1. MimiPenguin

Purpose: Memory credential extraction

Usage:

sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

2. LaZagne

Comprehensive Credential Extraction
Command:
```
sudo python2.7 laZagne.py all
```
Supports Extraction From:
- WiFi
- Browsers
- SSH
- Keyrings
- Multiple other sources

3. Firefox Decrypt

Usage:
```
python3.9 firefox_decrypt.py
```

Password Cracking Workflow

1. Hash Extraction

Use unshadow to combine /etc/passwd and /etc/shadow files

sudo cp /etc/passwd /tmp/passwd.bak
sudo cp /etc/shadow /tmp/shadow.bak
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

2. Hashcat Cracking Techniques

SHA-512 Hash Cracking:

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

MD5 Hash Cracking:

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

3. John Cracking Techniques

SHA-512 Hash Cracking:

john --wordlist=rockyou.txt --format=sha512crypt /tmp/unshadowed.hashes

Critical Recommendations

Always adapt your approach to the specific system environment
Understand the system's purpose and network role
Be systematic and thorough in your search
Respect legal and ethical boundaries during penetration testing

Useful Log Locations

/var/log/messages
/var/log/syslog
/var/log/auth.log
/var/log/secure
/var/log/faillog

Tool Links

MimiPenguin: https://github.com/huntergregal/mimipenguin
LaZagne: https://github.com/AlessandroZ/LaZagne
Firefox Decrypt: https://github.com/unode/firefox_decrypt

PreviousWindows Local Password Attacks NextWindows Lateral Movement

hashtagOverview of Credential Hunting

hashtagKey Credential Sources

hashtag1. File-based Credential Sources

hashtag2. Historical Information Sources

hashtag3. Memory and Credential Storage

hashtagSystematic Credential Extraction Methodology

hashtag1. Configuration Files Reconnaissance

hashtag2. Database File Discovery

hashtag3. SSH Key Exploration

hashtag4. Comprehensive Log Analysis

hashtagCredential Extraction Tools

hashtag1. MimiPenguin

hashtag2. LaZagne

hashtag3. Firefox Decrypt

hashtagPassword Cracking Workflow

hashtag1. Hash Extraction

hashtag2. Hashcat Cracking Techniques

hashtag3. John Cracking Techniques

hashtagCritical Recommendations

hashtagUseful Log Locations

hashtagTool Links