Credentials Hunting

While performing penetration testing, I found it time-consuming to search for credentials manually. Also, there are not many tools available to automate this process on victim machines. Therefore, this note exists to document commands to hunt for credentials on Linux systems.

Explanation focuses on useful find and grep commands to search for credentials:

1. Search for Common Credential Patterns

Basic keyword search:
Use grep to search recursively (-r) for case-insensitive (-i) terms like “password,” “secret,” or “token”:
```
grep -rni 'password\|secret\|key\|token\|credential\|auth' /path/to/search
```
Explanation: This scans files for common credential-related keywords. Replace /path/to/search with directories like /home, /etc, or /var.
Base64-encoded strings:
Look for patterns resembling Base64 (common for encoded credentials):
```
grep -rni '\([A-Za-z0-9+/]\{4\}\)\{3,\}\([A-Za-z0-9+/]\{2\}==\|[A-Za-z0-9+/]\{3\}=\)' /path
```
Explanation: Base64 strings often end with = or == and have specific character patterns.
Hex strings (e.g., API keys):
Search for 32, 40, or 64-character hex strings (common for keys like AWS, GitHub):
```
grep -rni '\b[0-9a-fA-F]\{32\}\b\|\b[0-9a-fA-F]\{40\}\b\|\b[0-9a-fA-F]\{64\}\b' /path
```
Explanation: Hexadecimal strings of specific lengths often represent keys or hashes.

2. Target Specific File Types

Config files:
Search .conf, .cfg, .env, or .yml files for credentials:

find / -type f \( -name "*.conf" -o -name "*.env" -o -name "*.yml" \) -exec grep -Hni 'password\|secret' {} \; 2>/dev/null

Explanation: Configuration files often store credentials in plaintext.

Scripts:
Check shell/Python scripts (.sh, .py) for hardcoded secrets:

find / -type f \( -name "*.sh" -o -name "*.py" \) -exec grep -Hni 'api_key\|token' {} \; 2>/dev/null

Logs:
Search logs for accidental leaks (e.g., auth failures):
grep -rni 'login\|user=\|pass=' /var/log/

3. Check File Permissions

World-readable files:
Find files readable by everyone (potential credential leaks):
```
find / -type f -perm /o=r -ls 2>/dev/null
```
Explanation: Poor permissions might expose sensitive files to unauthorized users.
Files named “credentials”:
Locate files with “credential” in their name:
```
find / -type f -iname "*credential*" -ls 2>/dev/null
```

4. Search Hidden Files

Dotfiles:
Check hidden files (e.g., .bash_history, .git/config):
```
find / -type f -name ".*" -exec grep -Hni 'password\|ssh-key' {} \; 2>/dev/null
```
Explanation: Hidden files often store secrets like SSH keys or credentials.

5. Environment Variables

Credentials in startup scripts:
Look for exported credentials in shell profiles:
```
grep -rni 'export [A-Z_][A-Z0-9_]*=.*' /etc/profile /etc/environment /home/*/.*rc
```
Explanation: Environment variables in .bashrc or /etc/environment may contain secrets.

6. Database Credentials

Connection strings:
Search for database URLs (e.g., postgresql://user:pass@host):
```
grep -rni '\(postgresql\|mysql\|mongodb\)://[^:]*:.*@' /path
```

Config files:
Find database config files like my.cnf or .pgpass:

find / -type f \( -name "my.cnf" -o -name ".pgpass" \) 2>/dev/null

7. SSH Keys

Private keys:
Locate SSH private keys (e.g., id_rsa, *.pem):
```
find / -type f \( -name "id_rsa" -o -name "*.pem" \) 2>/dev/null
```
Explanation: Private keys should never be publicly accessible.

8. Quick Scans

Common directories:
Focus on /etc, /home, and /opt:

find /etc /home /opt -type f -exec grep -Hni 'password\|secret' {} \; 2>/dev/null

Important Notes

Suppress errors: Add 2>/dev/null to hide “permission denied” errors.
Narrow your search: Replace / with specific directories (e.g., /home/user) to avoid scanning the entire system.
Review results carefully: False positives are common—verify findings before taking action.
Ethical use: Only run these commands on systems you own or have explicit permission to audit.

Recent Notes

Bypass Execution Policy

File transfer with SMB

Robot Framework testing

Explorer

Credentials Hunting