📒
My Pentesting Cheatsheet
  • Home
  • Commands Only Summary
    • Some other cool websites
  • Preparation
    • Documents
    • Contract - Checklist
    • Rules of Engagement - Checklist
    • Contractors Agreement - Checklist for Physical Assessments
  • Information Gathering
  • Vulnerability Assessment
  • Pentesting Machine
  • Enumeration
    • NMAP Scan types explained
    • Firewall and IDS/IPS Evasion
  • Footprinting
    • Google Dorks
    • Samba (smb)
    • NFS
    • DNS
    • SMTP
    • IMAP/POP3
    • SNMP
    • MySQL
    • MSSQL
    • Oracle TNS
    • IPMI
    • SSH
    • RDP
    • WinRM
  • Web Information Gathering
    • Whois
    • DNS & Subdomains
    • Fingerprinting
    • Crawlers
    • Search Engine Discovery
    • Automating Recon
  • Vulnerability Assessment
  • File Transfers
    • Windows Target
    • Linux Target
    • Transferring Files with Code
    • Miscellaneous File Transfer Methods
    • Protected Files Transfer
    • Catching Files over HTTP/S (Nginx)
    • Living Off The Land
    • Evading Detection
  • Shells & Payloads
    • Reverse Shells + Bind + Web
  • Password Attacks
    • John the ripper
    • Remote password attacks
    • Password mutations
    • Password Reuse / Default Passwords
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Cracking Files
  • Attacking Common Services
    • FTP
    • SMB
    • SQL
    • RDP
    • DNS
    • Email Services
  • Pivoting, Tunneling, and Port Forwarding
    • Choosing The Dig Site & Starting Our Tunnels
    • Playing Pong with Socat
    • Pivoting Around Obstacles
    • Branching Out Our Tunnels
    • Double Pivots
    • Final considerations
  • Active Directory Enumeration & Attacks
    • Initial Enumeration
    • Sniffing out a Foothold
    • Sighting In, Hunting For A User
    • Spray Responsibly
    • Deeper Down the Rabbit Hole
    • Kerberoasting - Cooking with Fire
    • Access Control List (ACL)
    • Advanced Privilege Escalation in Active Directory: Stacking The Deck
    • Domain trusts
    • Domain Trusts - Cross Forest
    • Defensive Considerations
  • Using Web Proxies
  • Login Brute Forcing
  • SQL Injection Fundamentals
    • Mitigating SQL Injection
  • SQLMap Essentials
    • Building Attacks
    • Database Enumeration
    • Advanced SQLMap Usage
  • Cross-Site Scripting (XSS)
    • Prevention
  • File Inclusion
  • File Upload Attacks
    • Basic Exploitation
    • Bypassing Filters
    • Other Upload Attacks
    • Prevention
  • Command Injections
    • Exploitation
    • Filter Evasion
  • Web Attacks
    • HTTP Verb Tampering
    • Insecure Direct Object References (IDOR)
    • XML External Entity (XXE) Injection
    • GraphQL
  • Attacking Common Applications
    • Application Discovery & Enumeration
    • Content Management Systems (CMS)
    • Servlet Containers/Software Development
    • Infrastructure/Network Monitoring Tools
    • Customer Service Mgmt & Configuration Management
    • Common Gateway Interfaces
    • Thick Client Applications
    • Miscellaneous Applications
  • Privilege Escalation
    • Linux Privilege Escalation
      • Information Gathering
      • Environment-based Privilege Escalation
      • Service-based Privilege Escalation
      • Linux Internals-based Privilege Escalation
      • Recent 0-Days
      • Linux Hardening
    • Windows Privilege Escalation
      • Getting the Lay of the Land
      • Windows User Privileges
      • Windows Group Privileges
      • Attacking the OS
      • Credential Theft
      • Restricted Environments
      • Additional Techniques
      • Dealing with End of Life Systems
      • Windows Hardening
    • Windows (old page)
  • Documentation & Reporting
    • Preparation
    • Reporting
  • Attacking Enterprise Networks
    • Pre-Engagement
    • External Testing
    • Internal Testing
    • Lateral Movement & Privilege Escalation
    • Wrapping Up
  • Deobfuscation
  • Metasploit
    • msfvenom
  • Custom compiled files
  • XSS
  • Azure AD (Entra ID)
Powered by GitBook
On this page
  • Credential Hunting in Linux
  • Files
  • History
  • Logs
  • Memory and Cache
  • Browsers
  • Passwd, Shadow & Opasswd
  • /etc/passwd
  • /etc/shadow
  • Opasswd
  • Cracking Linux Credentials
  1. Password Attacks

Linux Local Password Attacks

Credential Hunting in Linux

Hunting for credentials is one of the first steps once we have access to the system. These low-hanging fruits can give us elevated privileges within seconds or minutes. Among other things, this is part of the local privilege escalation process that we will cover here. However, it is important to note here that we are far from covering all possible situations and therefore focus on the different approaches.

Common sources of credentials:

Files

History

Memory

Key-Rings

Configs

Logs

Cache

Browser stored credentials

Databases

Command-line History

In-memory Processing

Notes

Scripts

Source codes

Cronjobs

SSH Keys

Files

We should look for, find, and inspect several categories of files one by one. These categories are the following:

Configuration files
Databases
Notes

Scripts

Cronjobs

SSH keys

There are many methods to find these configuration files, and with the following method, we will see we have reduced our search to these three file extensions.

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

In this example, we search for three words (user, password, pass) in each file with the file extension .cnf.

for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

We can apply this simple search to the other file extensions as well. Additionally, we can apply this search type to databases stored in files with different file extensions, and we can then read those.

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Sometimes there's notes taken by the administrators or users in generic files with arbitrary extensions, commonly .txt or no extension at all

find /home/* -type f -name "*.txt" -o ! -name "*.*"

Scripts are files that often contain highly sensitive information and processes. Among other things, these also contain credentials that are necessary to be able to call up and execute the processes automatically. Otherwise, the administrator or developer would have to enter the corresponding password each time the script or the compiled program is called.

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Cronjobs

cat /etc/crontab
ls -la /etc/cron.*/

SSH Keys

Private keys

grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"

Public keys

grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"

History

In the history of the commands entered on Linux distributions that use Bash as a standard shell, we find the associated files in .bash_history. Nevertheless, other files like .bashrc or .bash_profile can contain important information.

tail -n5 /home/*/.bash*

Logs

Application Logs

Event Logs

Service Logs

System Logs

Log File

Description

/var/log/messages

Generic system activity logs.

/var/log/syslog

Generic system activity logs.

/var/log/auth.log

(Debian) All authentication related logs.

/var/log/secure

(RedHat/CentOS) All authentication related logs.

/var/log/boot.log

Booting information.

/var/log/dmesg

Hardware and drivers related information and logs.

/var/log/kern.log

Kernel related warnings, errors and logs.

/var/log/faillog

Failed login attempts.

/var/log/cron

Information related to cron jobs.

/var/log/mail.log

All mail server related logs.

/var/log/httpd

All Apache related logs.

/var/log/mysqld.log

All MySQL server related logs.

SOME checks on those files:

for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done

Memory and Cache

Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused.

sudo python3 mimipenguin.py
sudo bash mimipenguin.sh

This tool allows us to access far more resources and extract the credentials. The passwords and hashes we can obtain come from the following sources but are not limited to:

Wifi
Wpa_supplicant
Libsecret
Kwallet

Chromium-based

CLI

Mozilla

Thunderbird

Git

Env_variable

Grub

Fstab

AWS

Filezilla

Gftp

SSH

Apache

Shadow

Docker

KeePass

Mimipy

Sessions

Keyrings

sudo python2.7 laZagne.py all

Browsers

Browsers store the passwords saved by the user in an encrypted form locally on the system to be reused. For example, the Mozilla Firefox browser stores the credentials encrypted in a hidden folder for the respective user. These often include the associated field names, URLs, and other valuable information.

python3.9 firefox_decrypt.py

Alternatively, LaZagne can also return results if the user has used the supported browser.

python3 laZagne.py browsers

Passwd, Shadow & Opasswd

The standard files that are read, managed, and updated are /etc/passwd and /etc/shadow. PAM also has many other service modules, such as LDAP, mount, or Kerberos.

/etc/passwd

It can also be that the /etc/passwd file is writeable by mistake. This would allow us to clear this field for the user root so that the password info field is empty. This will cause the system not to send a password prompt when a user tries to log in as root.

root:x:0:0:root:/root:/bin/bash

# INTO

root::0:0:root:/root:/bin/bash

/etc/shadow

cry0l1t3

:

$6$wBRzy$...SNIP...x9cDWUxW1

:

18937

:

0

:

99999

:

7

:

:

:

Username

Encrypted password

Last PW change

Min. PW age

Max. PW age

Warning period

Inactivity period

Expiration date

Unused

If the password field contains a character, such as ! or *, the user cannot log in with a Unix password. However, other authentication methods for logging in, such as Kerberos or key-based authentication, can still be used.

The same case applies if the encrypted password field is empty. This means that no password is required for the login.

However, it can lead to specific programs denying access to functions. The encrypted password also has a particular format by which we can also find out some information:

  • $<type>$<salt>$<hashed>

As we can see here, the encrypted passwords are divided into three parts. The types of encryption allow us to distinguish between the following:

Algorithm Types

  • $1$ – MD5

  • $2a$ – Blowfish

  • $2y$ – Eksblowfish

  • $5$ – SHA-256

  • $6$ – SHA-512

Opasswd

The PAM library (pam_unix.so) can prevent reusing old passwords. The file where old passwords are stored is the /etc/security/opasswd.

Administrator/root permissions are also required to read the file if the permissions for this file have not been changed manually.

Cracking Linux Credentials

unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked

or to crack md5 hashes (just the hashes in a list):

hashcat -m 500 -a 0 md5-hashes.list rockyou.txt

PreviousWindows Local Password AttacksNextWindows Lateral Movement

Last updated 6 months ago

For example, it may be the system-required credentials for the logged-in users. Another example is the credentials stored in the browsers, which can also be read. In order to retrieve this type of information from Linux distributions, there is a tool called that makes the whole process easier. However, this tool requires administrator/root permissions.

n even more powerful tool we can use that was mentioned earlier in the Credential Hunting in Windows section is .

The tool is excellent for decrypting these credentials, and is updated regularly. It requires Python 3.9 to run the latest version. Otherwise, Firefox Decrypt 0.7.0 with Python 2 must be used.

Linux-based distributions can use many different authentication mechanisms. One of the most commonly used and standard mechanisms is (PAM). The modules used for this are called pam_unix.so or pam_unix2.so and are located in /usr/lib/x86_x64-linux-gnu/security/ in Debian based distributions.

mimipenguin
LaZagne
Firefox Decrypt
Pluggable Authentication Modules