Extracting credentials from Linux memory with MimiPenguin

The linux porting of Mimikatz


Adapted from the idea behind the popular Windows tool mimikatz, Mimipenguin is a tool, developed by Hunter Gregal, that dumps the login password from the current linux desktop user.

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

The tool requires root permissions and come in two versions, a python script and a bash script, with different feature support:

  • GDM password (Kali Desktop, Debian Desktop): Python
  • Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop): Bash and Python
  • VSFTPd (Active FTP Connections): Bash and Python
  • Apache2 (Active HTTP Basic Auth Sessions): Not yet implemented
  • OpenSSH (Active SSH Sessions — Sudo Usage): Not yet implemented

Supported/Tested Systems

  • Kali 4.3.0 (rolling) x64 (gdm3)
  • Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3–0ubuntu2)
  • Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
  • VSFTPd 3.0.3–8+b1 (Active FTP client connections)
  • Apache2 2.4.25–3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
  • openssh-server 1:7.3p1–1 (Active SSH connections — sudo usage)

I’ve tested the script also on my Debian laptop, and works great:



More information and downloads

https://github.com/huntergregal/mimipenguin

Comments