Credentials Hunting
While performing penetration tests I found it time-consuming to search for credentials by hand, and there are not many tools that automate this on a compromised Linux host. This note collects the find and grep commands I use to hunt for credentials on Linux systems.

Each section below gives a command, what it is looking for, and the caveats that matter when you run it on a real box.
1. Search for Common Credential Patterns

- Basic keyword search:
  Use grep to search recursively (-r), case-insensitively (-i) and with line numbers (-n) for terms like "password", "secret" or "token":

  ```bash
  grep -rniI 'password\|secret\|key\|token\|credential\|auth' /path/to/search
  ```

  Explanation: This scans files for common credential-related keywords. Replace /path/to/search with directories like /home, /etc or /var. -I skips binary files, which otherwise add "Binary file matches" noise. Expect many false positives from words like "key" and "auth"; the hits still need reading.

- Base64-encoded strings:
  Look for runs that resemble Base64, a common way to lightly obfuscate credentials in configs:

  ```bash
  grep -rnI '\([A-Za-z0-9+/]\{4\}\)\{3,\}\([A-Za-z0-9+/]\{2\}==\|[A-Za-z0-9+/]\{3\}=\)' /path
  ```

  Explanation: The pattern wants at least three full 4-character groups followed by a padded final group, so it only matches values ending in = or ==. Base64 of data whose length is a multiple of 3 bytes has no padding and is missed; a looser pattern such as [A-Za-z0-9+/]\{20,\} catches those too, at the cost of more false positives (hex digests and long identifiers also match). -i is pointless here because the character class already covers both cases. Base64 is encoding, not encryption: decode any hit with base64 -d.

- Hex strings (digests and hex-encoded keys):
  Search for 32-, 40- or 64-character hex strings:

  ```bash
  grep -rnI '\b[0-9a-fA-F]\{32\}\b\|\b[0-9a-fA-F]\{40\}\b\|\b[0-9a-fA-F]\{64\}\b' /path
  ```

  Explanation: Those lengths correspond to MD5, SHA-1 and SHA-256 digests (stored password hashes, HMAC secrets) and are also common sizes for hex-encoded API keys and session tokens. Many well-known cloud and VCS tokens are not hex, though: AWS access key IDs are 20 upper-case alphanumerics beginning with AKIA, and GitHub tokens carry prefixes such as ghp_ or gho_, so search for those prefixes separately. \b is a GNU grep extension.
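The three patterns above behave differently on real data. The script below, added here as a worked example and not part of the original note, runs them over a handful of constructed lines (two padded Base64 values, one unpadded one, one MD5-sized hex digest and a decoy) and counts the hits, so the padding blind spot and the false-positive trade-off of the looser pattern are visible. It assumes GNU grep and the coreutils base64 tool.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note. Exercises the section 1
# patterns against constructed sample lines and shows why the padded
# Base64 pattern misses unpadded values. Assumes GNU grep (\| and \b are
# GNU extensions) and coreutils base64.

# Constructed sample input: two padded Base64 values, one unpadded value,
# one 32-character hex digest and one line with nothing interesting.
sample_lines() {
  printf 'api_secret=%s\n' "$(printf 'secret-value-1234' | base64)"   # 17 bytes -> 24 chars, ends in "="
  printf 'token=%s\n'      "$(printf 'a nineteen-byte key' | base64)" # 19 bytes -> 28 chars, ends in "=="
  printf 'unpadded=%s\n'   "$(printf 'abcdefghijklmnopqr' | base64)"  # 18 bytes -> 24 chars, no padding
  printf 'md5=9e107d9d372bb6826bd81d3542a419d6\n'                      # MD5-sized digest
  printf 'just some prose with no secret\n'                            # decoy
}

# The note's Base64 pattern: insists on a trailing "=" or "==", so it only
# matches values whose decoded length is not a multiple of 3.
count_padded_base64() {
  sample_lines | grep -c '\([A-Za-z0-9+/]\{4\}\)\{3,\}\([A-Za-z0-9+/]\{2\}==\|[A-Za-z0-9+/]\{3\}=\)' || true
}

# Looser pattern: any run of 20+ Base64 characters with optional padding.
# Catches the unpadded value, but the hex digest matches as well (a false
# positive you will see constantly on real hosts).
count_any_base64() {
  sample_lines | grep -c '[A-Za-z0-9+/]\{20,\}=\{0,2\}' || true
}

# The note's hex pattern for 32/40/64-character digests or hex-encoded keys.
count_hex_keys() {
  sample_lines | grep -c '\b[0-9a-fA-F]\{32\}\b\|\b[0-9a-fA-F]\{40\}\b\|\b[0-9a-fA-F]\{64\}\b' || true
}

printf 'padded Base64 hits: %s\n' "$(count_padded_base64)"   # 2
printf 'any Base64 hits:    %s\n' "$(count_any_base64)"      # 4 (includes the hex digest)
printf 'hex key hits:       %s\n' "$(count_hex_keys)"        # 1
```

The counts are the point: the strict pattern finds 2 of the 3 Base64 values, the loose pattern finds all 3 plus the hex digest, and the hex pattern finds only the digest. On a real filesystem the loose pattern is usually the right starting point, followed by manual triage of the hits.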
2. Target Specific File Types

- Config files:
  Search .conf, .cfg, .env, .yml and .yaml files for credentials:

  ```bash
  find / -type f \( -name "*.conf" -o -name "*.cfg" -o -name "*.env" -o -name "*.yml" -o -name "*.yaml" \) -exec grep -HniI 'password\|secret' {} + 2>/dev/null
  ```

  Explanation: Configuration files often store credentials in plaintext. Ending the -exec with {} + instead of {} \; passes many files to a single grep, which is much faster on a full filesystem.

- Scripts:
  Check shell and Python scripts (.sh, .py) for hardcoded secrets:

  ```bash
  find / -type f \( -name "*.sh" -o -name "*.py" \) -exec grep -HniI 'api_key\|token\|password' {} + 2>/dev/null
  ```

- Logs:
  Search logs for accidental leaks (e.g., authentication failures that echo the supplied username or password):

  ```bash
  grep -rniI 'login\|user=\|pass=' /var/log/
  ```

  Explanation: Rotated logs are usually gzip-compressed (*.gz); run zgrep with the same pattern to cover those as well.
3. Check File Permissions

- World-readable files:
  Find files readable by everyone (potential credential leaks):

  ```bash
  find /home /root /opt /srv -type f -perm /o=r -ls 2>/dev/null
  ```

  Explanation: Poor permissions can expose sensitive files to every local user. Most files under /usr and /etc are world-readable by design, so running this from / floods the output; restrict it to home and application directories, or combine it with a name test such as -name "*.key" or -name "*.cnf". A world-readable private key or ~/.my.cnf is the kind of hit to look for.

- Files named "credentials":
  Locate files with "credential" in their name (the AWS CLI's ~/.aws/credentials is the classic example):

  ```bash
  find / -type f -iname "*credential*" -ls 2>/dev/null
  ```
4. Search Hidden Files

- Dotfiles:
  Check hidden files and files inside hidden directories (e.g., .bash_history, .git/config, .ssh/):

  ```bash
  find / -path '*/.*' -type f -exec grep -HniI 'password\|PRIVATE KEY' {} + 2>/dev/null
  ```

  Explanation: -name ".*" only matches files whose own name starts with a dot, so it would skip .git/config and .ssh/id_rsa; -path '*/.*' also descends into hidden directories. Hidden files often hold shell history, SSH keys, Git remotes with embedded tokens and per-tool credential files.
5. Environment Variables

- Credentials in startup scripts:
  Look for exported credentials in shell profiles and system-wide environment files:

  ```bash
  grep -rniE '^\s*(export\s+)?[A-Z_][A-Z0-9_]*(PASS|SECRET|TOKEN|KEY)[A-Z0-9_]*=' /etc/profile /etc/profile.d /etc/environment /home/*/.*rc /home/*/.profile /home/*/.bash_profile 2>/dev/null
  ```

  Explanation: Environment variables set in .bashrc, .profile or /etc/environment may contain secrets. /etc/environment uses plain KEY=value lines with no export keyword, so a pattern that requires "export" misses it; the optional group above covers both forms. For processes that are already running, the live environment is in /proc/<pid>/environ (NUL-separated), readable by the process owner and root, which often reveals secrets that were never written to a file.
6. Database Credentials

- Connection strings:
  Search for database URLs with embedded credentials (e.g., postgresql://user:pass@host):

  ```bash
  grep -rniI '\(postgres\|postgresql\|mysql\|mongodb\|redis\|amqp\)://[^:/]*:[^@]*@' /path
  ```

- Config files:
  Find database client config files like my.cnf, ~/.my.cnf or ~/.pgpass, which store passwords in plaintext:

  ```bash
  find / -type f \( -name "my.cnf" -o -name ".my.cnf" -o -name ".pgpass" -o -name ".mylogin.cnf" \) 2>/dev/null
  ```

  Explanation: The per-user ~/.my.cnf is what the mysql client reads and is a frequent miss when only the system my.cnf is checked. .mylogin.cnf (written by mysql_config_editor) is obfuscated rather than encrypted and is worth collecting too.
7. SSH Keys

- Private keys:
  Locate SSH and TLS private keys (e.g., id_rsa, id_ed25519, *.pem):

  ```bash
  find / -type f \( -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" -o -name "*.pem" -o -name "*.key" \) 2>/dev/null
  ```

  Explanation: Name matching misses keys that were copied or renamed; grepping for the "BEGIN ... PRIVATE KEY" PEM header finds those regardless of file name. A readable private key without a passphrase is an immediate lateral-movement path; check ~/.ssh/known_hosts and authorized_keys on the same host to see where it is likely to be accepted.
8. Quick Scans

- Common directories:
  Focus on /etc, /home and /opt when time is short:

  ```bash
  find /etc /home /opt -type f -exec grep -HniI 'password\|secret' {} + 2>/dev/null
  ```
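The sections above are individual one-liners. The script below, added here as a worked example and not part of the original note, strings the checks together into functions and runs them against a constructed directory tree with planted secrets, so the output is predictable and each check can be seen catching (or ignoring) the right file. The paths, the user alice, the hostnames and every secret in it are made up; it assumes GNU find and grep. On a real host you would call hunt / (or a narrower directory) instead of the fixture.

```bash
#!/usr/bin/env bash
# Added example, not part of the original note. Combines the note's checks
# (keyword grep, dotfiles, private-key headers, URLs carrying credentials,
# world-readable files under home) into functions and runs them against a
# constructed directory tree with planted, made-up secrets.
# Assumes GNU find and grep (-perm /mode, -I, --exclude-dir and \| are GNU).

# Build a throwaway tree: five planted findings plus one decoy config file.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/home/alice/.ssh" "$root/home/alice/.git" "$root/opt/app" "$root/etc"
  printf 'DB_PASSWORD=hunter2\nAPI_TOKEN=abc123\n' > "$root/opt/app/.env"
  printf '[client]\nuser=app\npassword=s3cret\n' > "$root/home/alice/.my.cnf"
  printf 'url = https://deploy:tok3n@git.example.test/app.git\n' > "$root/home/alice/.git/config"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$root/home/alice/.ssh/id_ed25519"
  printf 'export DATABASE_URL=postgresql://app:pw@db.internal:5432/app\n' > "$root/home/alice/.bashrc"
  printf 'MaxConnections 10\n' > "$root/etc/demo.conf"   # decoy: nothing sensitive
  chmod 644 "$root/opt/app/.env" "$root/home/alice/.my.cnf" \
    "$root/home/alice/.git/config" "$root/home/alice/.bashrc" "$root/etc/demo.conf"
  chmod 600 "$root/home/alice/.ssh/id_ed25519"
  echo "$root"
}

# Sections 1-2: files containing credential keywords. -I skips binaries;
# --exclude-dir keeps a run from / out of /proc and /sys.
find_keyword_hits() {
  grep -rIil --exclude-dir=proc --exclude-dir=sys \
    'password\|secret\|token' "$1" 2>/dev/null | sort || true
}

# Section 4: dotfiles and files inside dot-directories (.git/config, .ssh/*),
# which -name ".*" alone would miss.
find_dotfile_secrets() {
  find "$1" -path '*/.*' -type f \
    -exec grep -Iil 'password\|PRIVATE KEY' {} + 2>/dev/null | sort || true
}

# Section 7: match the PEM header rather than file names, so id_ed25519,
# id_ecdsa and renamed .pem files are found too.
find_private_keys() {
  grep -rIl 'BEGIN .*PRIVATE KEY' "$1" 2>/dev/null | sort || true
}

# Section 6, generalised from DB URLs to any scheme://user:pass@host URL
# (this also catches the Git remote with an embedded token).
find_credential_urls() {
  grep -rIlE '[a-z][a-z0-9+.-]*://[^:/@[:space:]]+:[^@[:space:]]+@' "$1" 2>/dev/null \
    | sort || true
}

# Section 3, narrowed to home directories, where "readable by other" is
# suspicious regardless of the file name.
find_world_readable_home() {
  find "$1/home" -type f -perm /o=r 2>/dev/null | sort || true
}

# Run every check and print the hits under a heading.
hunt() {
  local root=$1
  printf '== keyword hits ==\n';           find_keyword_hits "$root"
  printf '== dotfile secrets ==\n';        find_dotfile_secrets "$root"
  printf '== private keys ==\n';           find_private_keys "$root"
  printf '== URLs with credentials ==\n';  find_credential_urls "$root"
  printf '== world-readable in home ==\n'; find_world_readable_home "$root"
}

# Demo run against the fixture; on a real host call hunt / (or a narrower
# directory) instead of building a fixture.
demo_root=$(make_fixture)
hunt "$demo_root"
rm -rf "$demo_root"
```

Against the fixture the keyword check reports .env and .my.cnf, the dotfile check adds the private key, the header check reports only id_ed25519 (the file name never mattered), the URL check reports both the .bashrc DATABASE_URL and the Git remote, and the permission check lists the three world-readable files under home while skipping the 0600 key. Each function returns paths only, so they can be fed to a follow-up grep or copied off for triage.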
Important Notes

- Suppress errors: Add 2>/dev/null to hide "permission denied" errors.
- Skip pseudo-filesystems and binaries: When grepping from /, add --exclude-dir=proc --exclude-dir=sys and -I; /proc contains pseudo-files such as kcore that are enormous or block on read, and binary matches only add noise.
- Narrow your search: Replace / with specific directories (e.g., /home/user) to avoid scanning the entire system.
- Review results carefully: False positives are common; verify findings before taking action.
- Ethical use: Only run these commands on systems you own or have explicit permission to audit.