Configuration Files

find all possible configuration files on the system

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

Run the search directly on each file found with a given extension and print the matching lines. In this example we grep for three keywords (user, password, pass) in every file with the extension .cnf and drop lines that contain a # (usually comments).

for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done

#!/usr/bin/env bash
# Same search as the one-liner above, as a script. The while/read loop over
# process substitution handles filenames containing spaces, which the
# for-loop version would split into separate words.

while IFS= read -r file; do
    # Check if the file contains any of the keywords
    if grep -Eq "user|password|pass" "$file" 2>/dev/null; then
        echo -e "\nFile: $file"
        grep -E "user|password|pass" "$file" 2>/dev/null | grep -v "#"
    fi
done < <(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib")
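The same credential hunt as a reusable function, added here as an example that is not part of the original notes. It differs from the loops above in three ways a practitioner usually ends up wanting: several extensions in one pass, filenames with spaces handled safely (find -exec instead of word splitting), and only lines that start with # or ; treated as comments, so a real value that merely contains a # is not lost. The names hunt_creds, hunt_creds_count, CRED_EXTS and CRED_PATTERN are hypothetical and chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: one reusable credential hunt
# over config-style files. hunt_creds / hunt_creds_count / CRED_EXTS /
# CRED_PATTERN are hypothetical names chosen for this example.

# Extensions to inspect and the (case-insensitive) keywords to look for.
CRED_EXTS=".conf .config .cnf .ini .env"
CRED_PATTERN='user|password|pass|secret|token'

# hunt_creds ROOT
# Prints "file:line:content" for every keyword hit in matching files under
# ROOT. Noisy trees (lib, share, fonts) are pruned by path component rather
# than by a substring anywhere in the name, and only lines that *start*
# with '#' or ';' are dropped, so a value that merely contains '#' is kept.
hunt_creds() {
    root="$1"
    # Build "-name *.conf -o -name *.config ..." in the positional parameters.
    set --
    for ext in $CRED_EXTS; do
        set -- "$@" -o -name "*$ext"
    done
    shift   # drop the leading -o
    find "$root" -type f \( "$@" \) \
        ! -path "*/lib/*" ! -path "*/share/*" ! -path "*/fonts/*" \
        -exec grep -EinH "$CRED_PATTERN" {} + 2>/dev/null |
        grep -Ev '^[^:]*:[0-9]+:[[:space:]]*[#;]'
}

# hunt_creds_count ROOT: number of candidate lines, a quick triage figure.
hunt_creds_count() {
    hunt_creds "$1" | wc -l | tr -d ' '
}
```

Run it as `hunt_creds /` on a target, or `hunt_creds /etc /opt /var/www` to keep the first pass short; every hit is printed with its file and line number so it can be opened directly afterwards.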

Excluding /proc

Search by name for anything that looks like a configuration file, skipping the /proc pseudo-filesystem so the output is not flooded with per-process entries.

find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

WordPress configuration

The WordPress config file holds the database credentials in clear text.

grep 'DB_USER\|DB_PASSWORD' wp-config.php

Databases

for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done

Notes

# text files and files without an extension under every home directory;
# the parentheses are required, otherwise -type f only binds to the first -name
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \)

Scripts

for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share";done

Cronjobs

Cron jobs run commands, programs or scripts on a schedule, independently of any logged-in user. They are divided into the system-wide jobs (/etc/crontab and the /etc/cron.* directories) and the per-user crontabs. A job that runs as root but executes a script the current user can write to is a direct privilege escalation path.

ls -la /etc/cron.*/
cat /etc/crontab
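To turn the listing above into something actionable, the following added example (not from the original notes) extracts the program each job in a system crontab runs and flags the ones whose file or containing directory the current user can write to. The function names cron_targets and cron_writable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: pull the program each cron job
# runs out of a system crontab and flag the ones the current user can modify.
# cron_targets and cron_writable are hypothetical names for this example.

# cron_targets CRONFILE
# For each job line in /etc/crontab format (m h dom mon dow USER command, or
# @reboot USER command) print "user program". Comment, blank and VAR=value
# lines are skipped.
cron_targets() {
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$1" |
        awk '{ if ($1 ~ /^@/) print $2, $3; else print $6, $7 }'
}

# cron_writable CRONFILE
# Subset of cron_targets whose program file, or the directory holding it, is
# writable by the current user. A writable script that a root-owned job runs
# gives code execution as root; a writable directory lets you replace the file.
# Relative commands (cd, run-parts, ...) are skipped: they resolve via PATH.
cron_writable() {
    cron_targets "$1" | while read -r user prog; do
        case "$prog" in
            /*) ;;
            *) continue ;;
        esac
        if [ -w "$prog" ] || [ -w "$(dirname "$prog")" ]; then
            echo "$user $prog"
        fi
    done
}
```

Typical use is `for f in /etc/crontab /etc/cron.d/*; do [ -f "$f" ] && cron_writable "$f"; done`. Per-user crontabs under /var/spool/cron use the five-field format without the USER column, so for those the command sits in field 6 rather than 7. A job is only exploitable through this route if it actually runs as a more privileged user than you, so keep the user column in the output.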

SSH Keys

Whenever you find SSH keys, also check the user's known_hosts file (~/.ssh/known_hosts) for targets. It records the host key of every host the user has connected to in the past, so it is a list of machines that may be reachable for lateral movement or that hold data usable for privilege escalation on the current target. If HashKnownHosts is enabled, the host names are stored as |1|... hashes and cannot be read back directly; only the existence of the entries is visible.

# Private: the ":1:" filter keeps only hits on line 1, i.e. files that start with the key header
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1:"

# Public: include ed25519 and ECDSA keys, not only RSA
grep -rnw "ssh-rsa\|ssh-ed25519\|ecdsa-sha2-nistp256" /home/* 2>/dev/null | grep ":1:"