Looting for passwords & Interesting Information
Files containing passwords
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2>/dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
Old passwords in /etc/security/opasswd
The /etc/security/opasswd file is also used by pam_cracklib to keep a history of old passwords so that users cannot reuse them.
⚠️ Treat your opasswd file like your /etc/shadow file, because it will end up containing user password hashes.
Last edited files
Files that were edited in the last 10 minutes
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
In memory passwords
strings /dev/mem -n10 | grep -i PASS
Find sensitive files
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
…
Readable .bash_history
cat ~/.bash_history | grep -A5 sudo
/etc/fstab
Check what is mounted and unmounted, where and why. If anything is unmounted you could try to mount it and check for private info.
ls /dev 2>/dev/null | grep -i "sd"
cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
Check for credentials in fstab
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null
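An administrator-side version of the check above, as an added example that is not part of the original page: the function audit_fstab (a name chosen here) reports inline password options and credentials files that group or other can access, without printing the secrets. It assumes GNU stat and the credentials= mount option; the INLINE/WEAKPERM/MISSING labels are this example's own.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for exposed mount credentials.
# Output, one finding per line:
#   INLINE   <mountpoint> <key>          secret stored in the options field
#   WEAKPERM <mountpoint> <file> <mode>  credentials file open to group/other
#   MISSING  <mountpoint> <file>         referenced credentials file not found
# Assumes GNU stat (stat -c '%a'). Usage: audit_fstab /etc/fstab
audit_fstab() {
    fstab=${1:-/etc/fstab}
    # Drop blank lines and comments, then read the standard fstab fields.
    grep -Ev '^[[:space:]]*(#|$)' "$fstab" 2>/dev/null |
    while read -r _dev mnt _type opts _rest; do
        # The fourth field is a comma-separated option list.
        printf '%s\n' "$opts" | tr ',' '\n' |
        while read -r opt; do
            case $opt in
                password=*|pass=*|pw=*)
                    # Report the key only, never the secret itself.
                    echo "INLINE $mnt ${opt%%=*}"
                    ;;
                credentials=*)
                    path=${opt#*=}
                    if [ ! -e "$path" ]; then
                        echo "MISSING $mnt $path"
                    else
                        mode=$(stat -c '%a' "$path")
                        # Any group/other bit lets non-owners reach the file.
                        if [ $((0$mode & 077)) -ne 0 ]; then
                            echo "WEAKPERM $mnt $path $mode"
                        fi
                    fi
                    ;;
            esac
        done
    done
}
```

Each INLINE finding should be moved into a credentials file, and each WEAKPERM file tightened to mode 600 and owned by root.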
Check Folders
The following folders may contain backups or interesting information: /tmp, /var/tmp, /var/backups, /var/mail, /var/spool/mail, /etc/exports, /root (you probably won't be able to read the last one, but try).
ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root
Password Reuse
mysql, .bash_history, 000-default.conf ...