Find passwords

PreviousPrivilege Escalation NextAnsible

Last updated 10 months ago

Was this helpful?

Find passwords

MimiPenguin

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Must have root permissions.

# install
git clone https://github.com/huntergregal/mimipenguin.git
cd mimipenguin/

# usage
./mimipenguin.sh

Home Directories

User's home directories can contain plaintext passwords. For example :

.netrc 
.pgpass
.bash_history
.zsh_history
.bash_history
.nano_history
.atftp_history
.mysql_history
.php_history
/root/anaconda-ks.cfg

Configuration Files

/etc directory and subdirectories

# find config files : 
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

# (system user account information)
/etc/passwd
/etc/shadow
# (MySQL configuration)
/etc/my.cnf
/etc/mysql/my.cnf
~/.my.cnf
/etc/mysql/conf.d/
/etc/mysql/mysql.conf.d/
/var/lib/mysql/mysql/user.MYD
# (PostgreSQL configuration)
/var/lib/pgsql/data/postgresql.conf 
pg_hba.conf
pg_ident.conf
# (web server configuration)
/etc/httpd/conf/httpd.conf
/etc/nginx/nginx.conf 
/var/apache2/config.inc
# (SSH server configuration)
/etc/ssh/sshd_config
# (Web Server configuration)
/etc/httpd/conf/*
/etc/nginx/*
# (Tomcat configuration)
tomcat-users.xml
find / -name 'tomcat-users.xml'

Scheduled Jobs

The cron configuration files and systemd timer units might contain scripts with embedded credentials.

/var/spool/cron/* 
/etc/crontab

Application Files

Custom applications might store passwords in their configuration files. Check any locations where you have custom software installed.

# web app
/var/www/html/
# other application directories

PreviousPrivilege Escalation NextAnsible

Last updated 10 months ago

Was this helpful?