Linux Local Password Attacks

Overview of Credential Hunting

Credential hunting is the phase of a penetration test or privilege-escalation attempt in which you search the compromised host methodically for stored authentication material (passwords, hashes, keys, tokens) that unlocks other accounts or systems.

Key Credential Sources

1. File-based Credential Sources

  • Configuration files

  • Databases

  • Notes and scripts

  • Cronjobs

  • SSH Keys

2. Historical Information Sources

  • Command history

  • Bash-related files

  • Log files

3. Memory and Credential Storage

  • System memory

  • Browser credentials

  • Keyrings

Systematic Credential Extraction Methodology

1. Configuration Files Reconnaissance

  • Command for Scanning Configuration Files:

    for l in .conf .config .cnf; do
      echo -e "\nFile extension: $l"
      find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
    done
  • Key Search Strategies:

    • Look for files with .conf, .config, .cnf extensions

    • Quote the -name pattern ("*$l"); unquoted, the shell expands it against the current directory before find ever sees it

    • Then grep each hit, case-insensitively, for keywords such as user, password, pass

    • Exclude library, font and documentation directories, which hold many config files but rarely credentials

2. Database File Discovery

  • Command for Database File Hunting:

    for l in .sql .db ".*db" ".db*"; do
      echo -e "\nDB File extension: $l"
      find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
    done
  • Focus Areas:

    • SQL databases

    • .db files

    • Hidden database files

3. SSH Key Exploration

  • Private Key Search (matches both "BEGIN RSA PRIVATE KEY" and "BEGIN OPENSSH PRIVATE KEY" headers; the trailing grep keeps only hits on line 1, where the header sits, and must be ":1:" because ":1" alone also matches lines 10, 11, 100 and so on):

    grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"
  • Public Key Search (repeat with ssh-ed25519 and ecdsa-sha2-nistp256 for non-RSA keys; authorized_keys files found this way show which accounts a recovered private key may open):

    grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1:"
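The three file-based searches above (config files, database files, SSH keys) combined into one pass over a directory tree, as an added example that is not part of the original notes. On a target you would pass / as the root; the demo at the bottom builds a constructed sample tree under mktemp (invented paths and values) so it runs offline without root.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: one function that combines the three
# file-based searches (config files grepped for credential keywords, database
# files by extension, SSH private keys by their PEM header) over a directory tree.

# Drop hits under library, font, documentation and core-dump directories below
# the search root; the same directories the grep -v in the notes excludes.
noise_filter() {
  local prefix=${1%/}   # "/" becomes "" so the regex also works from the real root
  grep -Ev "^${prefix}(/.*)?/(lib|lib64|fonts|share|core|doc|man|headers)/"
  return 0
}

# Print path:line:text for credential-looking lines in *.conf/*.config/*.cnf under $1.
hunt_config() {
  find "$1" -type f \( -name '*.conf' -o -name '*.config' -o -name '*.cnf' \) 2>/dev/null \
    | noise_filter "$1" \
    | while IFS= read -r f; do
        # -i case-insensitive, -n line numbers, -H always print the path
        grep -inHE 'user|pass(word|wd)?' "$f" 2>/dev/null
      done
  return 0
}

# Print paths of SQL dumps and database files under $1.
hunt_db() {
  find "$1" -type f \( -name '*.sql' -o -name '*.db' -o -name '*.db*' -o -name '*.*db' \) 2>/dev/null \
    | noise_filter "$1"
  return 0
}

# Print paths of files containing a PEM or OpenSSH private-key header under $1
# (-l file names only, -w whole-word match, -r recurse).
hunt_keys() {
  grep -rlw 'PRIVATE KEY' "$1" 2>/dev/null
  return 0
}

hunt_files() {
  echo "## credential-looking lines in config files"; hunt_config "$1"
  echo "## database files";                           hunt_db "$1"
  echo "## private keys";                             hunt_keys "$1"
}

# Constructed sample tree: every file and value below is invented for the demo.
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/app" "$root/usr/lib/app" "$root/home/dev/.ssh" "$root/var/backup"
  printf '%s\n' 'db_host=localhost' 'db_user=appuser' 'db_password=Summer2024!' > "$root/etc/app/app.conf"
  printf '%s\n' 'password=ignored-library-config' > "$root/usr/lib/app/lib.conf"   # filtered as noise
  printf '%s\n' 'CREATE TABLE users (name TEXT, pass TEXT);' > "$root/var/backup/dump.sql"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'not-a-real-key' '-----END OPENSSH PRIVATE KEY-----' \
    > "$root/home/dev/.ssh/id_ed25519"
  echo "$root"
}

SAMPLE=$(make_sample_tree)
hunt_files "$SAMPLE"
```

Running it prints the two credential lines from app.conf with their line numbers, the dump.sql path and the id_ed25519 path; lib.conf is suppressed by the noise filter even though it contains a password line, which is the trade-off the original grep -v makes.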

4. Comprehensive Log Analysis

  • Log File Scanning Command:

    PATTERN="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
    for i in /var/log/*; do
      [ -f "$i" ] || continue
      GREP=$(grep -I "$PATTERN" "$i" 2>/dev/null)
      if [[ $GREP ]]; then
        echo -e "\n#### Log file: $i"
        echo "$GREP"
      fi
    done
  • The -I flag skips binary logs such as wtmp, btmp and lastlog; read those with last, lastb and lastlog instead

  • Rotated logs (auth.log.1, *.gz) hold older sessions; use zgrep on the compressed ones
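The loop above prints every matching line; the functions below, added here as an example that is not part of the original notes, turn the same auth.log events into a short triage summary: which users are being brute-forced, who logged in from where, and what ran under sudo. The log lines at the bottom are constructed for the demo in syslog/auth.log format; the hostname, users and addresses are invented.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: triage helpers for sshd/sudo events
# in an auth.log-style file.

# Count "Failed password" events per user name (many users from one IP is a spray,
# many hits on one user is a brute force; "invalid user" means the name does not exist).
failed_by_user() {
  grep 'Failed password for' "$1" 2>/dev/null \
    | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' \
    | sort | uniq -c | sort -rn
  return 0
}

# Print "user ip" for each successful SSH login.
accepted_logins() {
  grep -E 'Accepted (password|publickey) for ' "$1" 2>/dev/null \
    | sed -E 's/.*Accepted [a-z]+ for ([^ ]+) from ([^ ]+) .*/\1 \2/'
  return 0
}

# Print "user: command" for each sudo invocation; the paths it reveals (backup
# scripts, config files) are good targets for the file-based hunting above.
sudo_commands() {
  grep 'COMMAND=' "$1" 2>/dev/null \
    | sed -E 's/.*sudo: +([^ ]+) : .*COMMAND=(.*)$/\1: \2/'
  return 0
}

triage_auth_log() {
  echo "## failed logins per user";    failed_by_user "$1"
  echo "## accepted logins (user ip)"; accepted_logins "$1"
  echo "## sudo commands";             sudo_commands "$1"
}

# Constructed sample log (invented host, users and addresses); prints its path.
make_sample_log() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
Mar  4 10:01:12 web01 sshd[1412]: Failed password for invalid user admin from 10.10.14.5 port 51012 ssh2
Mar  4 10:01:15 web01 sshd[1412]: Failed password for root from 10.10.14.5 port 51012 ssh2
Mar  4 10:01:19 web01 sshd[1412]: Failed password for root from 10.10.14.5 port 51012 ssh2
Mar  4 10:02:03 web01 sshd[1420]: Accepted password for dev from 10.10.14.5 port 51020 ssh2
Mar  4 10:02:03 web01 sshd[1420]: pam_unix(sshd:session): session opened for user dev by (uid=0)
Mar  4 10:03:44 web01 sudo:      dev : TTY=pts/0 ; PWD=/home/dev ; USER=root ; COMMAND=/bin/cat /opt/app/config.ini
Mar  4 10:05:10 web01 CRON[1500]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
  echo "$f"
}

LOG=$(make_sample_log)
triage_auth_log "$LOG"
```

On the sample this reports two failures against root and one against the non-existent admin account from the same address, one accepted password login for dev, and a sudo cat of /opt/app/config.ini, which is exactly the kind of path to feed back into the config-file search.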

Credential Extraction Tools

1. MimiPenguin

  • Purpose: Memory credential extraction

  • Usage:

    sudo python3 mimipenguin.py
    sudo bash mimipenguin.sh

2. LaZagne

  • Comprehensive Credential Extraction

  • Command:

    sudo python2.7 laZagne.py all
  • Supports Extraction From:

    • WiFi

    • Browsers

    • SSH

    • Keyrings

    • Multiple other sources

3. Firefox Decrypt

  • Usage:

    python3.9 firefox_decrypt.py

Password Cracking Workflow

1. Hash Extraction

  • Use unshadow (shipped with John the Ripper) to combine /etc/passwd and /etc/shadow into one file; reading /etc/shadow requires root, which is why the copies below use sudo

    sudo cp /etc/passwd /tmp/passwd.bak
    sudo cp /etc/shadow /tmp/shadow.bak
    unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

2. Hashcat Cracking Techniques

  • sha512crypt ($6$) Hash Cracking, the scheme most Linux distributions used before moving to yescrypt:

    hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
  • md5crypt ($1$) Hash Cracking, still seen on older systems (mode 500 is md5crypt, not raw MD5, which is mode 0):

    hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

3. John Cracking Techniques

  • sha512crypt ($6$) Hash Cracking:

    john --wordlist=rockyou.txt --format=sha512crypt /tmp/unshadowed.hashes
  • yescrypt ($y$) hashes, the default on recent Debian, Ubuntu and Fedora releases, are not covered by the hashcat modes above; john can crack them with --format=crypt, which goes through the cracking host's own crypt(3) and therefore needs a libcrypt that supports yescrypt
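Before feeding an unshadowed file to hashcat or john, it pays to sort its entries by crypt(3) scheme so each batch gets the right mode and locked accounts are dropped. The helper below is an added example, not part of the original notes; the unshadow-style sample at the bottom is constructed and its hash bodies are placeholders, not real digests. It writes user:hash lines per scheme so hashcat's --username option keeps the user mapping.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: split unshadow output by crypt(3)
# scheme and print the matching cracking command for each batch.

# Map the prefix of a shadow hash field to the hashcat mode used in the notes,
# or to a word saying why hashcat cannot take it.
crypt_mode() {
  case "$1" in
    '$6$'*)        echo 1800 ;;       # sha512crypt            -> hashcat -m 1800
    '$5$'*)        echo 7400 ;;       # sha256crypt            -> hashcat -m 7400
    '$1$'*)        echo 500 ;;        # md5crypt (not raw MD5) -> hashcat -m 500
    '$y$'*|'$7$'*) echo yescrypt ;;   # yescrypt: john --format=crypt
    ''|'!'*|'*'*)  echo locked ;;     # empty, "!" or "*": no password hash to crack
    *)             echo unknown ;;
  esac
}

# Read unshadow output (user:hash:uid:...) from $1 and write user:hash lines into
# one file per scheme under $2.
split_hashes() {
  local file="$1" outdir="$2" user hash rest mode
  mkdir -p "$outdir"
  while IFS=: read -r user hash rest; do
    mode=$(crypt_mode "$hash")
    case "$mode" in
      locked|unknown) echo "skip $user ($mode)" ;;
      yescrypt)       printf '%s:%s\n' "$user" "$hash" >> "$outdir/john_crypt.txt" ;;
      *)              printf '%s:%s\n' "$user" "$hash" >> "$outdir/hashcat_m$mode.txt" ;;
    esac
  done < "$file"
  return 0
}

# Print the cracking command for each file split_hashes produced.
crack_commands() {
  local f mode
  for f in "$1"/hashcat_m*.txt; do
    [ -e "$f" ] || continue
    mode=${f##*_m}; mode=${mode%.txt}
    echo "hashcat -m $mode -a 0 --username $f rockyou.txt -o $f.cracked"
  done
  if [ -e "$1/john_crypt.txt" ]; then
    echo "john --wordlist=rockyou.txt --format=crypt $1/john_crypt.txt"
  fi
  return 0
}

# Constructed unshadow-style file with placeholder hash bodies; prints its path.
make_sample_unshadowed() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:$6$saltsalt$PLACEHOLDER.NOT.A.REAL.HASH.000:0:0:root:/root:/bin/bash
dev:$y$j9T$saltsalt$PLACEHOLDER.NOT.A.REAL.HASH.111:1000:1000::/home/dev:/bin/bash
backup:$1$saltsalt$PLACEHOLDER.NOT.A.REAL.HASH.222:34:34:backup:/var/backups:/usr/sbin/nologin
svc:*:999:999::/:/usr/sbin/nologin
guest:!:1001:1001::/home/guest:/bin/bash
EOF
  echo "$f"
}

OUT=$(mktemp -d)
split_hashes "$(make_sample_unshadowed)" "$OUT"
crack_commands "$OUT"
```

On the sample this skips svc and guest, puts root into the -m 1800 batch, backup into the -m 500 batch and dev into the john --format=crypt batch, and prints the three commands to run; the hashcat ones use --username so that --show --username later maps cracked passwords back to accounts.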

Critical Recommendations

  • Always adapt your approach to the specific system environment

  • Understand the system's purpose and network role

  • Be systematic and thorough in your search

  • Respect legal and ethical boundaries during penetration testing

Useful Log Locations

  • /var/log/messages

  • /var/log/syslog

  • /var/log/auth.log

  • /var/log/secure

  • /var/log/faillog

Tool References

  • MimiPenguin: https://github.com/huntergregal/mimipenguin

  • LaZagne: https://github.com/AlessandroZ/LaZagne

  • Firefox Decrypt: https://github.com/unode/firefox_decrypt