# Linux Local Password Attacks ## Credential Hunting in Linux Hunting for credentials is one of the first steps once we have access to the system. These low-hanging fruits can give us elevated privileges within seconds or minutes. Among other things, this is part of the local privilege escalation process that we will cover here. However, it is important to note here that we are far from covering all possible situations and therefore focus on the different approaches. Common sources of credentials: | **`Files`** | **`History`** | **`Memory`** | **`Key-Rings`** | | ------------ | -------------------- | -------------------- | -------------------------- | | Configs | Logs | Cache | Browser stored credentials | | Databases | Command-line History | In-memory Processing | | | Notes | | | | | Scripts | | | | | Source codes | | | | | Cronjobs | | | | | SSH Keys | | | | ### Files We should look for, find, and inspect several categories of files one by one. These categories are the following: | Configuration files | Databases | Notes | | ------------------- | --------- | -------- | | Scripts | Cronjobs | SSH keys | There are many methods to find these configuration files, and with the following method, we will see we have reduced our search to these three file extensions. ```bash for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done ``` In this example, we search for three words (`user`, `password`, `pass`) in each file with the file extension `.cnf`. ```bash for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done ``` We can apply this simple search to the other file extensions as well. Additionally, we can apply this search type to databases stored in files with different file extensions, and we can then read those. ```bash for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done ``` Sometimes there's notes taken by the administrators or users in generic files with arbitrary extensions, commonly `.txt` or no extension at all ```bash find /home/* -type f -name "*.txt" -o ! -name "*.*" ``` Scripts are files that often contain highly sensitive information and processes. Among other things, these also contain credentials that are necessary to be able to call up and execute the processes automatically. Otherwise, the administrator or developer would have to enter the corresponding password each time the script or the compiled program is called. ```bash for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc\|lib\|headers\|share";done ``` #### Cronjobs ```bash cat /etc/crontab ls -la /etc/cron.*/ ``` #### **SSH Keys** Private keys ```bash grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1" ``` **Public keys** ```bash grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1" ``` ### History In the history of the commands entered on Linux distributions that use Bash as a standard shell, we find the associated files in `.bash_history`. Nevertheless, other files like `.bashrc` or `.bash_profile` can contain important information. ```bash tail -n5 /home/*/.bash* ``` ### **Logs** | **Application Logs** | **Event Logs** | **Service Logs** | **System Logs** | | -------------------- | -------------- | ---------------- | --------------- | | **Log File** | **Description** | | --------------------- | -------------------------------------------------- | | `/var/log/messages` | Generic system activity logs. | | `/var/log/syslog` | Generic system activity logs. | | `/var/log/auth.log` | (Debian) All authentication related logs. | | `/var/log/secure` | (RedHat/CentOS) All authentication related logs. | | `/var/log/boot.log` | Booting information. | | `/var/log/dmesg` | Hardware and drivers related information and logs. | | `/var/log/kern.log` | Kernel related warnings, errors and logs. | | `/var/log/faillog` | Failed login attempts. | | `/var/log/cron` | Information related to cron jobs. | | `/var/log/mail.log` | All mail server related logs. | | `/var/log/httpd` | All Apache related logs. | | `/var/log/mysqld.log` | All MySQL server related logs. | SOME checks on those files: ```bash for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done ``` ### Memory and Cache Many applications and processes work with credentials needed for authentication and store them either in memory or in files so that they can be reused. For example, it may be the system-required credentials for the logged-in users. Another example is the credentials stored in the browsers, which can also be read. In order to retrieve this type of information from Linux distributions, there is a tool called [mimipenguin](https://github.com/huntergregal/mimipenguin) that makes the whole process easier. However, this tool requires administrator/root permissions. ```bash sudo python3 mimipenguin.py sudo bash mimipenguin.sh ``` n even more powerful tool we can use that was mentioned earlier in the Credential Hunting in Windows section is [`LaZagne`](https://github.com/AlessandroZ/LaZagne). This tool allows us to access far more resources and extract the credentials. The passwords and hashes we can obtain come from the following sources but are not limited to: | Wifi | Wpa\_supplicant | Libsecret | Kwallet | | -------------- | --------------- | --------- | ----------- | | Chromium-based | CLI | Mozilla | Thunderbird | | Git | Env\_variable | Grub | Fstab | | AWS | Filezilla | Gftp | SSH | | Apache | Shadow | Docker | KeePass | | Mimipy | Sessions | Keyrings | | ```bash sudo python2.7 laZagne.py all ``` ### **Browsers** Browsers store the passwords saved by the user in an encrypted form locally on the system to be reused. For example, the `Mozilla Firefox` browser stores the credentials encrypted in a hidden folder for the respective user. These often include the associated field names, URLs, and other valuable information. The tool [Firefox Decrypt](https://github.com/unode/firefox_decrypt) is excellent for decrypting these credentials, and is updated regularly. It requires Python 3.9 to run the latest version. Otherwise, `Firefox Decrypt 0.7.0` with Python 2 must be used. ```bash python3.9 firefox_decrypt.py ``` Alternatively, `LaZagne` can also return results if the user has used the supported browser. ```shell-session python3 laZagne.py browsers ``` ## Passwd, Shadow & Opasswd Linux-based distributions can use many different authentication mechanisms. One of the most commonly used and standard mechanisms is [Pluggable Authentication Modules](https://web.archive.org/web/20220622215926/http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html) (`PAM`). The modules used for this are called `pam_unix.so` or `pam_unix2.so` and are located in `/usr/lib/x86_x64-linux-gnu/security/` in Debian based distributions. The standard files that are read, managed, and updated are `/etc/passwd` and `/etc/shadow`. PAM also has many other service modules, such as LDAP, mount, or Kerberos. ### /etc/passwd It can also be that the `/etc/passwd` file is writeable by mistake. This would allow us to clear this field for the user `root` so that the password info field is empty. This will cause the system not to send a password prompt when a user tries to log in as `root`. ```bash root:x:0:0:root:/root:/bin/bash # INTO root::0:0:root:/root:/bin/bash ``` ### /etc/shadow | `cry0l1t3` | `:` | `$6$wBRzy$...SNIP...x9cDWUxW1` | `:` | `18937` | `:` | `0` | `:` | `99999` | `:` | `7` | `:` | `:` | `:` | | ---------- | --- | ------------------------------ | --- | -------------- | --- | ----------- | --- | ----------- | --- | -------------- | ----------------- | --------------- | ------ | | Username | | Encrypted password | | Last PW change | | Min. PW age | | Max. PW age | | Warning period | Inactivity period | Expiration date | Unused | If the password field contains a character, such as `!` or `*`, the user cannot log in with a Unix password. However, other authentication methods for logging in, such as Kerberos or key-based authentication, can still be used. The same case applies if the `encrypted password` field is empty. This means that no password is required for the login. However, it can lead to specific programs denying access to functions. The `encrypted password` also has a particular format by which we can also find out some information: * `$$$` As we can see here, the encrypted passwords are divided into three parts. The types of encryption allow us to distinguish between the following: **Algorithm Types** * `$1$` – MD5 * `$2a$` – Blowfish * `$2y$` – Eksblowfish * `$5$` – SHA-256 * `$6$` – SHA-512 ### Opasswd The PAM library (`pam_unix.so`) can prevent reusing old passwords. The file where old passwords are stored is the `/etc/security/opasswd`. Administrator/root permissions are also required to read the file if the permissions for this file have not been changed manually. ### Cracking Linux Credentials ```bash unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes ``` ```bash hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked ``` or to crack md5 hashes (just the hashes in a list): ```bash hashcat -m 500 -a 0 md5-hashes.list rockyou.txt ```