Configuration files play a critical role in storing sensitive credentials for various applications and services. Attackers often target these files to extract valuable information, such as usernames, passwords, API keys, and database credentials. Understanding the techniques employed by adversaries is vital in implementing effective defensive measures.
Techniques for Extracting Credentials
Attackers utilize multiple methods to extract credentials from configuration files. The following techniques are commonly observed in credential extraction attacks:
- File Parsing: Attackers parse configuration files, leveraging knowledge of file formats and patterns to identify and extract credentials.
- Regular Expressions: Utilizing pattern matching techniques, attackers search for credential-like strings within configuration files.
- File Inclusion Vulnerabilities: Exploiting vulnerabilities that allow them to read or include arbitrary files, attackers gain access to configuration files containing credentials.
- Data Leakage: Identifying misconfigurations or insecure logging practices, attackers exploit logs or error messages that inadvertently reveal credentials.
Common Configuration Files Containing Credentials
Certain configuration files frequently store credentials, making them attractive targets for attackers. Examples of commonly targeted files include:
- Web Application Configurations: Files like web.config (ASP.NET), .env (PHP), or application.properties (Java) may contain database credentials or API keys.
- Database Configuration Files: Configuration files like my.cnf (MySQL) or pg_hba.conf (PostgreSQL) often store database access credentials.
- Network Service Configurations: SSH server configurations (sshd_config), mail server configurations (smtpd.conf), or VPN configurations (openvpn.conf) may contain critical credentials.
- Binary Analysis: Attackers analyze binary files associated with applications to extract credentials embedded within them.
- Memory Scraping: Attackers target running processes or system memory to retrieve credentials stored temporarily during application runtime.
- Configuration File Misplacement: Attackers exploit misconfigurations that result in configuration files being inadvertently placed in publicly accessible locations.
- Server Misconfigurations: Attackers leverage misconfigurations in web servers, FTP servers, or other services to gain unauthorized access to configuration files and extract credentials.
Example: Config files
1. In this case we have an application installed, which is connected to a database, looking into the configuration files we found config.json, which contains a username and password. The first step is to identify the home folder for the application
- whereis mattermost
2. Knowing this help us find files using different techniques
- ls -lR | grep -i conf
- find /opt/mattermost -type f -iname “*config*” -o -iname “*conf*” 2> /dev/null
- find /opt/mattermost -type f -exec grep -liE ‘username|password|user|pass’ {} +
3. Searching though the output we found config.json, reading this file we can find
- cat /opt/mattermost/config/config.json | grep -iE “user|username|pass|password”
4. Knowing, this configuration file could contain additional information, we proceed to read it
- cat /opt/mattermost/config/config.json | less
Note: we also found something that seems SQL username and password
5. We will try access this database
- mysql -u mmuser -p
- Password: Crack_The_MM_Admin_PW
- show databases;
Techniques
Password Hunting – Filenames and File Contents
When it comes to password hunting, one of the first things we should do is perform a high-level search to look for files that contain “password” in the filename. In addition to filenames, we should also be looking for the string “password” inside files.
Hunting for Interesting Filenames
1. We should start by looking for filenames that contain the word “password” in them before looking for the string “password” inside files on the filesystem. Additionally, we should also be looking for filenames that contain any other interesting strings that we can think of (config, php, etc.)
- find / -exec ls -lad $PWD/* “{}” 2>/dev/null \; | grep -i -I “passw\|pwd”
- find . -type f -exec grep -i -I “PASSWORD\|PASSWD” {} /dev/null \;
- cat /var/mail/*; cat var/spol/mail
- crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron; cat /etc/cron; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny; cat /etc/crontab; cat /etc/anacrontab; cat /var/spool/cron/crontabs/root
- find /home/* -type f -name “*.txt” -o ! -name “*.*”
2. Another command that we can use to comb the entire filesystem for files that contain a certain string in their name is the locate command.
- locate ‘passw’
- locate ‘pwd’
- locate ‘*.php’
- locate config.php
- locate password; locate passwd
- locate config.
Hunting for Interesting Strings Inside Files
1. There is a nice utilization of the grep command that we can use to search for files that contain the string “passw” and “pwd” across the entire filesystem; however, it does produce a RIDICULOUS amount of results.
- grep –color=auto -rnw ‘/’ -iIe “PASS\|PASSW\|PASSWD\|PASSWORD\|PWD” –color=always 2>/dev/null
- grep –color=auto -rnw ‘/’ -ie “PASSWORD\|PASSWD” –color=always 2> /dev/null
2. we can navigate to common folders where we normally find interesting files, such as /var/www, /tmp, /opt, /home, etc. and then execute the following command:
- grep –color=auto -rnw -iIe “PASSW\|PASSWD\|PASSWORD\|PWD” –color=always 2>/dev/null
Check for Hashes Stored in Passwd/Shadow
- find / -name passwd -xdev 2>/dev/null; find / -name shadow -xdev 2>/dev/null
- cat /etc/passwd; cat /etc/shadow
Old passwords in /etc/security/opasswd
The /etc/security/opasswd file is used by pam_cracklib (a module used in Linux to ensure a good password policy is in place) to store the hashed version of old passwords used on the system to prevent users from reusing the same ones over and over again.
- cat /etc/security/opasswd
- find / -name opasswd -xdev 2>/dev/null
Recently Modified Files
It can be useful to check files that were modified recently, as they may be containing useful information and/or credentials.
- find / -mmin -30 -xdev 2>/dev/null
Credentials Stored in Memory
Services will sometimes store the credentials entered by the end user in clear text in memory. The commands below can help find credentials stored in processes:
- strings /dev/mem -n10 | grep -ie “PASSWORD|PASSWD” –color=always
Password Hunting – Hidden Files and Folders
1. On *nix systems, hidden files and folders will start with a period like the .bash_history file or the .ssh folder. To look for hidden files or folders, we can use the ‘-a’ switch when using the ls command, like so:
- ls -la
- ls -la /
Passwords in Bash History Files
1. The .bash_history file is a file that stores a history of user commands entered at the command prompt; used for viewing old commands that have been executed. The user’s current session saves the command history into memory, which can be viewed with the history command. But once that user logs off, the commands stored in memory are saved to the .bash_history file.
- find / -name *_history -xdev 2> /dev/null
- cat /home/user/.bash_history
Passwords in SSH Keys
1. When we are enumerating the different user profiles, we may come across a hidden folder that contains SSH keys! – This is commonly named .ssh and can be found using ls-la. we find there is an .ssh directory and inside an id_rsa file that we have read permissions on!
The id_rsa file is a private key that can be used to login to SSH without knowing the users password, but only if no password was set when the key was created. This file is essentially the equivalent of a password, with regards to getting you into the system.
- cd /home/usr/.ssh/id_rsa
- cat id_rsa
2. Uses Linux-based command grep to search the file system for key terms `PRIVATE KEY` to discover SSH keys.
- grep -rnw “PRIVATE KEY” /* 2>/dev/null | grep “:1”
3. Uses Linux-based grep command to search for the keywords `PRIVATE KEY` within files contained in a user’s home directory.
- grep -rnw “PRIVATE KEY” /home/* 2>/dev/null | grep “:1”
4. Uses Linux-based grep command to search for keywords `ssh-rsa` within files contained in a user’s home directory.
- grep -rnw “ssh-rsa” /home/* 2>/dev/null | grep “:1”
Password Hunting – MySQL
1. Let’s jump into MySQL and enumerate the databases and tables. If we get lucky, we may find usernames and passwords for web applications as well as MySQL itself.
- mysql -u root -p
- show databases;
- use <DB name>;
- show tables;
- select * from user;
Apart from the default databases, we should ALWAYS be interested in custom ones. Especially when the custom DB is related to a web application. If we find some password hashes in here, we may be able to crack them and use them to increase our access.
Password Hunting – /var/backups Folder
The /var/backups folder is where some automatic backups are stored, such as a backup of both the passwd and shadow file. However, the default backup files will have a restricted set of permissions just like the actual files do.
Essentially, we are looking for one of two scenarios…
- The files in the backup folder have weak permissions allowing us to read files we should not be able to.
- There are custom files in the folder that we can read.
Hunting with LinPEAS
For interesting strings in file names, LinPEAS only has the following sub-section: Searching *password* or *credential* files in home (limit 70). Although it says “in home”, it actually checks the entire filesystem. Unfortunately, the limit of 70 helps reduce output, but it also leaves out a lot of potential findings.
The strings inside files is also very targeted, for example it searches for passwords in log files, config PHP files, as well as only a few others.
For the rest of the LinPEAS example, we will look at how many of the same files it was able to find that we also found.
- Config.php? – Found! – Finds the file and extracts the contents of the password.
- passwd.dav? – NOT Found!
- Hidden folder and file: /.important/.password? – Found! – Finds the files but does NOT extract the contents for us.
- .bash_history files? – Found! – Finds which ones are readable by the current user, but does NOT extract the contents for us.
- .ssh folder and SSH keys? – Found! – Finds which ones are readable by the current user, but does NOT extract the contents for us.
- Hashes in MySQL? – NOT Found! – LinPEAS does not have the ability to access the database if there is a password set on the root MySQL user account.
- pwds.db? – Found! – LinPEAS searches for interesting DB files and extracts the contents. Here we can see that it only dumps one hash in the file, but its enough to let us know we can go and explore it further manually.
- backup.rar?– Found! – LinPEAS extracts all files from /opt and also has a check to find backup files.
Scripts
1. Script that can be used to find .conf, .config and .cnf files on a Linux system.
- for l in $(echo “.conf .config .cnf”);do echo -e “\nFile extension: ” $l; find / -name *$l 2>/dev/null | grep -v “lib|fonts|share|core” ;done
2. Script that can be used to find credentials in specified file types.
- for i in $(find / -name *.cnf 2>/dev/null | grep -v “doc|lib”);do echo -e “\nFile: ” $i; grep “user|password|pass” $i 2>/dev/null | grep -v “\#”;done
3. Script that can be used to find common database files.
- for l in $(echo “.sql .db .*db .db*”);do echo -e “\nDB File extension: ” $l; find / -name *$l 2>/dev/null | grep -v “doc|lib|headers|share|man”;done
4. Script that can be used to search for common file types used with scripts.
- for l in $(echo “.py .pyc .pl .go .jar .c .sh”);do echo -e “\nFile extension: ” $l; find / -name *$l 2>/dev/null | grep -v “doc|lib|headers|share”;done
5. Script used to look for common types of documents.
- for ext in $(echo “.xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*”);do echo -e “\nFile extension: ” $ext; find / -name *$ext 2>/dev/null | grep -v “lib|fonts|share|core” ;done
Some interesting keywords
Passphrase
Codephrase
Passcode
Keyphrase
Secret
Secure
Access
Secure passcode
Authentication
Auth
Token
Verification
Identity
Access
Security
Private
Secret
Cryptographic
Keyfile
Private code
Cipher
Secret
Passkey
Access
Key
password
Unlock
Security
Code
Secret
Security
Passcode
Cipher
Key
Cryptographic
Crypto
Encryption
Key pair
Decryption
Authentication
Credential
Auth
Credential
Identity code
Access
Countermeasures: Protecting Credentials in Configuration Files
To mitigate the risk of credential extraction from configuration files, the following countermeasures should be implemented:
- Encryption and Hashing: Encrypt or hash sensitive credentials within configuration files to make them unusable if obtained by attackers.
- Secure File Permissions: Set appropriate file permissions to limit access to configuration files, ensuring that only authorized users can read or modify them.
- Environment Variables: Store credentials as environment variables instead of hardcoding them in configuration files.
- Credential Management Systems: Implement secure credential management systems that centralize and protect sensitive credentials.
- Regular Auditing: Conduct regular audits to identify insecure configurations and ensure proper protection of credentials.
- Secure Development Practices: Train developers on secure coding practices, emphasizing the importance of properly handling credentials in configuration files.
Monitoring and Intrusion Detection
Implementing robust monitoring and intrusion detection mechanisms can help identify unauthorized access or suspicious activities related to configuration files. Key monitoring measures include:
- Log Monitoring: Regularly analyze logs for unusual activity, such as unexpected modifications or access to configuration files.
- Intrusion Detection Systems (IDS): Deploy IDS solutions to detect anomalous patterns or known attack signatures targeting configuration files.
- Endpoint Security: Employ endpoint security solutions that detect and prevent unauthorized access to configuration files.
References
https://juggernaut-sec.com/password-hunting-lpe/
https://steflan-security.com/linux-privilege-escalation-credentials-harvesting/
https://atom.hackstreetboys.ph/linux-privilege-escalation-password-and-keys/
https://pentest.coffee/local-password-attack-and-credentials-theft-for-windows-linux-5764a1a25363