General
Local accounts are user accounts that are specific to a particular machine or network. They are usually created to allow individuals to access certain resources or perform certain tasks on a system. However, local accounts can also be abused by attackers to gain unauthorized access to a system or network.
One way an attacker might abuse local accounts is by using OS credential dumping to harvest the credentials of the account. This can allow the attacker to gain access to the system or network and potentially elevate their privileges.
Another way local accounts can be abused is through password reuse. If an attacker is able to obtain the password for a local account, they may be able to use it to access other systems on the network that use the same password. This can allow the attacker to move laterally within the network and potentially gain access to additional resources and sensitive information.
Credential Hunting
Possible locations for credentials:
- History
- User Bash History
- SSH Keys
- GREP Folders, Files, Database, ...
- Configuration files (.conf, .config, .xml)
- Shell Scripts
- Backup Files (.bak)
- ...
Stored Password (If Access)
cat /etc/passwd ---> Find Password (Hashed)
cat /etc/shadow ---> Find Password (Hashed)
Command History (Saved in Memory)
history ---> Type "history" and check for cleartext passwords (Memory)
Command History Saved in Bash History (Saved in File)
history file ---> (/home/user/.bash_history) Check history data (File)
Checking for SSH keys
ls ~/.ssh ---> Can connect to the SSH host (check known_hosts to find targets)
Checking for credentials with GREP
grep -rnw '/' -ie "PASSWORD" --color=always 2>/dev/null
grep -rnw '/var/www/html' -ie "PASSWORD" --color=always 2>/dev/null
'-----> Displays entries that contain PASSWORD ('/' = Root, '/var/..' = Service)
Checking the spool or mail directories for credentials
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
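The same locations checked from the defender's side, as an added example that is not part of the original notes: it reports bash history files that mention "password", SSH private keys readable by group or others, and world-readable config, script and backup files that mention "password", without printing the matched text. The function name audit_cred_exposure and the TYPE/PATH output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the credential locations listed in these notes.
# Output: one "TYPE<TAB>PATH" line per finding; matched secrets are never printed.

audit_cred_exposure() {
    root=$1

    # Bash history files that contain the string "password" (any case).
    find "$root" -type f -name '.bash_history' 2>/dev/null |
    while IFS= read -r f; do
        if grep -qi 'password' "$f" 2>/dev/null; then
            printf 'HISTORY\t%s\n' "$f"
        fi
    done

    # SSH private keys readable by group or others (expected mode: 600).
    find "$root" -type f -path '*/.ssh/*' ! -name '*.pub' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
            printf 'SSHKEY\t%s\n' "$f"
        fi
    done

    # World-readable config, script and backup files that mention "password".
    find "$root" -type f -perm -004 \
        \( -name '*.conf' -o -name '*.config' -o -name '*.xml' \
           -o -name '*.sh' -o -name '*.bak' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -qi 'password' "$f" 2>/dev/null; then
            printf 'CONFIG\t%s\n' "$f"
        fi
    done
    return 0
}

# Run as a script: ./audit.sh /home   (the directory to audit is the argument)
if [ "$#" -gt 0 ]; then audit_cred_exposure "$1"; fi
```

Each finding is a file to fix: remove the secret from history or config, move it to a secrets store, or tighten the file mode with chmod.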