# Linux Password Hunting ### Config Files Search {% code overflow="wrap" %} ```bash for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` {% endcode %} ### Credentials in Configuration Files {% code overflow="wrap" %} ```bash for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done ``` {% endcode %} ### Database Backup Search {% code overflow="wrap" %} ```bash for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done ``` {% endcode %} ### Search Notes/txt Files {% code overflow="wrap" %} ```bash find /home/* -type f -name "*.txt" ``` {% endcode %} ### Search Scripts on Linux {% code overflow="wrap" %} ```bash for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done ``` {% endcode %} ### Search Cronjob {% code overflow="wrap" %} ```bash cat /etc/crontab ls -la /etc/cron.*/ ``` {% endcode %} ### Search SSH Private Key {% code overflow="wrap" %} ```bash grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" ``` {% endcode %} ### File History {% code overflow="wrap" %} ```bash find / -type f -name "*history" 2>/dev/null tail -n5 /home/*/.*_history* ``` {% endcode %} ### Search Password in PHP Files {% code overflow="wrap" %} ```bash grep -iRl "password\|passwd" /var/www --include=*.php ``` {% endcode %} ### Cracking Linux Credentials {% code overflow="wrap" %} ```bash # unshadow local creds unshadow passwd.bak shadow.bak > unshadow.txt # Perform Dictionary Attack hashcat -m 1800 -a 0 unshadow.txt /usr/share/wordlists/rockyou.txt -o cracked_shadow ``` {% endcode %} Take a look at the unshadow\.txt file. The field after the username (with a number or letter between two dollar signs) is the one that identifies the hash type used. It could be one of the following: 1. **$1$** is MD5 2. **$2a$** is Blowfish 3. **$2y$** is Blowfish 4. **$5$** is SHA-256 5. **$6$** is SHA-512 6. **$y$** is yescrypt For **$y$**, for example, you can use the command: {% code overflow="wrap" %} ```bash john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt ``` {% endcode %} ### Tools * * * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://htb.linuxsec.org/linux/linux-password-hunting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.