huntergregal / mimipenguin
A tool to dump the login password from the current linux user
License: Other
Linux Mint 18 - gnome-keyring-daemon version 3.18.3
mint-18 mimipenguin # ./mimipenguin
[!] ERROR: getting line - Success
[!] Error getting user for pid
Segmentation fault
mimipenguin.sh and mimipenguin.py return no results.
I run sudo su to get root privileges. Then I run the script ./mimipenguin, but I got a result like this:
00400000-004e9000
006e9000-006f4000
006f4000-006f8000
006f8000-006f9000
01009000-0102a000
0102a000-0146f000
7fcb00000000-7fcb00022000
7fcb08000000-7fcb08021000
7fcb0cced000-7fcb0d4ed000
7fcb0d4ee000-7fcb0dcee000
7fcb0dcef000-7fcb0e4ef000
7fcb0e4ef000-7fcb0e97a000
7fcb0e97a000-7fcb0e97d000
7fcb0eb7c000-7fcb0eb7d000
7fcb0eb7d000-7fcb0eb7e000
7fcb0eb7e000-7fcb0eb90000
7fcb0ed90000-7fcb0ed91000
7fcb0ed91000-7fcb0ed92000
7fcb0ed92000-7fcb0ee00000
7fcb0f000000-7fcb0f001000
7fcb0f001000-7fcb0f002000
7fcb0f002000-7fcb0f009000
7fcb0f208000-7fcb0f209000
7fcb0f209000-7fcb0f20a000
7fcb0f20a000-7fcb0f221000
7fcb0f421000-7fcb0f422000
7fcb0f422000-7fcb0f423000
7fcb0f423000-7fcb0f425000
7fcb0f425000-7fcb0f444000
7fcb0f643000-7fcb0f644000
7fcb0f644000-7fcb0f645000
7fcb0f645000-7fcb0f647000
7fcb0f647000-7fcb0f660000
7fcb0f85f000-7fcb0f860000
7fcb0f860000-7fcb0f861000
7fcb0f861000-7fcb0f864000
7fcb0fa63000-7fcb0fa64000
7fcb0fa64000-7fcb0fa65000
7fcb0fa65000-7fcb0fabe000
7fcb0fcbd000-7fcb0fcc7000
7fcb0fcc7000-7fcb0fcc9000
7fcb0fcc9000-7fcb0fe88000
7fcb10088000-7fcb1008c000
7fcb1008c000-7fcb1008e000
7fcb1008e000-7fcb10092000
7fcb10092000-7fcb100aa000
7fcb102a9000-7fcb102aa000
7fcb102aa000-7fcb102ab000
7fcb102ab000-7fcb102af000
7fcb102af000-7fcb102b3000
7fcb104b2000-7fcb104b3000
7fcb104b3000-7fcb104b4000
7fcb104b4000-7fcb1058c000
7fcb1078b000-7fcb1078c000
7fcb1078c000-7fcb10794000
7fcb10794000-7fcb10795000
7fcb10795000-7fcb108a4000
7fcb10aa3000-7fcb10aa4000
7fcb10aa4000-7fcb10aa5000
7fcb10aa5000-7fcb10aa6000
7fcb10aa6000-7fcb10af8000
7fcb10cf7000-7fcb10cf8000
7fcb10cf8000-7fcb10cf9000
7fcb10cf9000-7fcb10e79000
7fcb11079000-7fcb1107d000
7fcb1107d000-7fcb1107f000
7fcb1107f000-7fcb11081000
7fcb11081000-7fcb110b3000
7fcb112b2000-7fcb112b3000
7fcb112b3000-7fcb112b4000
7fcb112b4000-7fcb1133e000
7fcb1153d000-7fcb11547000
7fcb11547000-7fcb11549000
7fcb11549000-7fcb1154a000
7fcb1154a000-7fcb11570000
7fcb116d3000-7fcb11745000
7fcb11745000-7fcb1174f000
7fcb11765000-7fcb11767000
7fcb11767000-7fcb1176b000
7fcb1176b000-7fcb1176f000
7fcb1176f000-7fcb11770000
7fcb11770000-7fcb11771000
7fcb11771000-7fcb11772000
7ffc2523f000-7ffc25260000
7ffc253d9000-7ffc253db000
7ffc253db000-7ffc253dd000
ffffffffff600000-ffffffffff601000
MimiPenguin Results:
Does it work?
On 16.04:
$ sudo ./mimipenguin.sh
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
MimiPenguin Results:
$
On Ubuntu 14.04:
$ sudo bin/mimipenguin.sh
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/sshd.14181 20491': No such file
strings: '/tmp/sshd.14181 20491': No such file
MimiPenguin Results:
$
No results. Appears there are more dependencies than listed or that all the leak methods don't work on patched systems.
Also tried it on an apache server running about 5 different vhosts. No joy.
Hey @huntergregal,
my coworker and I were taking a look at your script and it appears not to be working on Debian server. This is due to the fact that gcore is not installed by default. There are some ways to dump a process memory to a file using only shell (see this StackExchange). However, it could be easier to do this in Python.
We wanted to do a pull request to modify the dumping process, so that you don't have to rely on gcore anymore. However, we're not sure how to do it:
But if we write it in Python, it might make more sense to rewrite your whole script in Python. Since it's an important decision, we wanted to leave it up to you. In any case, we'd be happy to help improve it. Let us know your decision.
Thanks for this awesome tool!
Cheers,
Y
No results on ZorinOS with gnome-keyring-daemon version 3.18.3 using mimipenguin
No results on Kali with gnome-keyring-daemon version 3.28.2 using mimipenguin
root@kali:~/Desktop/mimipenguin# gnome-keyring-daemon -V
gnome-keyring-daemon: 3.28.2
testing: enabled
As this script is getting more attention, each plugin has its own way of working and could need some research, of course.
The idea is, we create a wiki page for each feature to explain the main issue and how to reproduce it manually. So people who try to add or use these features will have a good understanding to build the same script in another language and add more features to existing scripts.
To have something like a knowledge base that explains each plugin/feature (not code) of mimipenguin.
To dump Linux memory for a specific process to disk, we need the following:
/proc/[PID]/cmdline
/proc/[PID]/maps
/proc/[PID]/mem
search for ^.+libgck\-1\.so\.0$ in memory dump
mimipenguin.sh from 47dba4b run on a rather out of date Ubuntu 14.04.4 VM.
The strings dump of the process contains the cleartext password, but it is not near any of the current needles. Based on what the other needles are looking for, I expect adding /lib/x86_64-linux-gnu/libdbus-1.so.3 may be the solution. Relevant excerpt from the dump (the password is notpassword):
...
@ 6s
libglib-2.0.so.0
/lib/x86_64-linux-gnu
libglib-2.0.so.0
/lib/x86_64-linux-gnu/libdbus-1.so.3
W9>^y
notpassword
notpassword
notpassword
notpassword
...
No results are found
The password is found
Ubuntu 16.04.2 LTS \n \l
root 9107 0.0 0.1 12944 1088 pts/1 S+ 08:15 0:00 grep --color=auto -e gnome-keyring -e gdm
error:strings: '/tmp/apache*': No such file
Process like this:
[root@OpenVZVPS-2016815796 mimipenguin]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m
Then I execute ./mimipenguin.sh, but without any results.
[root@OpenVZVPS-2016815796 mimipenguin]# ls
LICENSE README.md mimipenguin.py mimipenguin.sh
[root@OpenVZVPS-2016815796 mimipenguin]# ./mimipenguin.sh
MimiPenguin Results:
So I can't get the user's login password.
If more than 1 user has the same password, it only finds the first user.
Tested on Centos 8 VM from osboxes.org
On Ubuntu 16.04, x64:
I am able to properly extract the passwords from memory when a singular user is logged in. However, if multiple users are logged in, the script is unable to detect anything.
strings: '/tmp/dump.1722 4296': No such file
strings: '/tmp/dump.1722 4296': No such file
strings: '/tmp/dump.1722 4296': No such file
MimiPenguin Results:
Great work on this! Any chance of working in a RedHat component?
strings: '/tmp/apache*': No such file
Hi, I tested it on Kali as the root account and it works right. But it fails when I am a normal user (with sudo privileges, tested on Kali). It reported no /tmp/dump file.
BR
./mimipenguin.sh: line 59: python2: command not found
Looks like python2 needs to be added to the requirements list.
You might want to consider porting to python 3. https://pythonclock.org/
I try to run the sh file with this command: sh 1.sh. But I got these errors:
1.sh: line 2:
: command not found
1.sh: line 6:
: command not found
1.sh: line 19: syntax error near unexpected token `{
'
1.sh: line 19: `function dump_pid () {
'
OS Version : Red Hat Enterprise Linux Server release 5.7
Bash Version : GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Also there is no python3 installed on the server. Is there any python2 version of mimipenguin?
09:18 abourgouin@Atuin /dev/mimipenguin(master) $ cat /proc/version
Linux version 4.4.0-72-generic (buildd@lcy01-24) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #93~14.04.1-Ubuntu SMP Fri Mar 31 15:05:15 UTC 2017
Here is the result of running the command:
https://pastebin.com/9MG3Ur4L
Using mimipenguin.sh (beta-1.0 branch), the password is not extracted from gnome-keyring on Ubuntu 10.04.4.
# ./mimipenguin.sh
MimiPenguin Results:
Target OS info
$ cat /etc/issue
Ubuntu 10.04.4 LTS \n \l
$ ps aux | grep -e "gnome-keyring" -e gdm
root 790 0.0 0.3 83100 3664 ? Ssl Jul06 0:00 gdm-binary
root 5897 0.0 0.4 93500 4240 ? Sl 00:53 0:00 /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
root 5899 0.8 2.4 117160 24748 tty8 Ss+ 00:53 0:01 /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-qr9uET/database -nolisten tcp
gdm 5919 0.0 0.0 26260 820 ? S 00:53 0:00 /usr/bin/dbus-launch --exit-with-session
root 5939 0.0 0.3 97320 3420 ? Sl 00:53 0:00 /usr/lib/gdm/gdm-session-worker
user 5954 0.0 0.4 69632 4172 ? Sl 00:53 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
user 6486 0.0 0.1 7628 1028 pts/1 S+ 00:55 0:00 grep --color=auto -e gnome-keyring -e gdm
When i try to execute the mimipenguin.sh script it throws the following syntax error
./mimipenguin.sh
./mimipenguin.sh: line 37: syntax error near unexpected token `<<<'
./mimipenguin.sh: line 37: ` done <<< "$mem_maps"'
Target OS info
cat /etc/issue
Red Hat Linux release 7.3 (Valhalla)
Kernel \r on an \m
kali:/root/mimipenguin# ./mimipenguin
[+] GNOME KEYRING (928)
[-] gnome-keyring-daemon version not supported
[!] ERROR: dumping passwords from keyring
[+] GNOME KEYRING (2018)
[-] gnome-keyring-daemon version not support
Target OS info
cat /etc/issue
ps aux | grep -e "gnome-keyring" -e gdm
kali:/root# cat /etc/issue
Kali GNU/Linux Rolling \n \l
kali:/root# date
Wed 31 Jul 2019 03:03:58 AM EDT
kali:/root# ps aux | grep -e "gnome-keyring" -e gdm
root 832 0.0 0.3 244584 9076 ? Ssl Jul30 0:00 /usr/sbin/gdm3
root 864 0.0 0.3 169304 9060 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-autologin]
root 928 0.0 0.2 240996 6888 ? Sl Jul30 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
root 976 0.0 0.2 166732 6192 tty2 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
root 978 0.0 2.1 368076 53268 tty2 Sl+ Jul30 0:02 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/0/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root 1786 0.0 0.3 169208 8684 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 1802 0.0 0.2 166736 6092 tty1 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session gnome-session --autostart /usr/share/gdm/greeter/autostart
Debian-+ 1804 0.0 1.9 363356 48620 tty1 Sl+ Jul30 0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/131/gdm/Xauthority -background none -noreset -keeptty -verbose 3
Debian-+ 1813 0.0 0.6 574068 15244 tty1 Sl+ Jul30 0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
root 2001 0.0 0.3 169268 8800 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-password]
simon1 2018 0.0 0.2 241028 7400 ? Sl Jul30 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
simon1 2022 0.0 0.2 166732 6088 tty3 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
simon1 2024 0.0 1.9 363808 48732 tty3 Sl+ Jul30 0:05 /usr/lib/xorg/Xorg vt3 -displayfd 3 -auth /run/user/1001/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root 3140 0.0 0.0 6012 888 pts/0 S+ 03:04 0:01 grep -e gnome-keyring -e gdm
Shellcheck is complaining:
In mimipenguin.sh line 124:
export RESULTS="$RESULTS[HIGH]$4 $line\n"
^-- SC1087 (error): Use braces when expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet).
In mimipenguin.sh line 127:
export RESULTS="$RESULTS[LOW]$4 $line\n"
^-- SC1087 (error): Use braces when expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet).
For more information:
https://www.shellcheck.net/wiki/SC1087 -- Use braces when expanding arrays,...
shellcheck should not find any error.
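The SC1087 warning above is about ambiguity, not a runtime bug: inside double quotes bash parses "$RESULTS[HIGH]" as the variable RESULTS followed by the literal text "[HIGH]", but it reads like an array index, and the braced form "${RESULTS}[HIGH]" says the same thing unambiguously. The following is an added example, not mimipenguin's own code, showing the accumulation pattern rewritten with braces; the function names add_result, print_results and demo_results and the sample findings are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not mimipenguin's own code): accumulating tagged result
# lines the way the script does, written so ShellCheck SC1087 is not
# triggered. "${RESULTS}[HIGH]" is the unambiguous spelling of
# "$RESULTS[HIGH]": the variable, then the literal bracketed tag.

RESULTS=""

# add_result LEVEL ORIGIN LINE: appends "[LEVEL]ORIGIN LINE\n" to RESULTS.
# LEVEL is HIGH or LOW, ORIGIN names the finding (e.g. the needle that
# matched), LINE is the matched text. Hypothetical helper.
add_result() {
    level=$1
    origin=$2
    line=$3
    RESULTS="${RESULTS}[${level}]${origin} ${line}\n"
}

# print_results renders the stored "\n" sequences as real newlines.
print_results() {
    printf '%b' "$RESULTS"
}

# demo_results resets the accumulator, adds two constructed sample findings
# and prints the rendered report.
demo_results() {
    RESULTS=""
    add_result HIGH "sample-needle" "constructed-match-1"
    add_result LOW "sample-needle" "constructed-match-2"
    print_results
}

demo_results
```

Because the tag is appended inside one braced expansion, ShellCheck no longer has to guess whether RESULTS is an array, and the output is identical to what the original unbraced form produces.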
No results for Linux Mint 18 Cinnamon kernel 4.4.0-72 x86_64.
./mimipenguin.sh: linha 209: strings: command not found
./mimipenguin.sh: linha 211: strings: command not found
MimiPenguin Results:
Hello!
I believe the repository needs an issue template as documented here.
Something like
Hi, thank you for reporting issues to us.
Tip: If you're reporting a bug, remove the feature request section for your convenience.
## Bug report
Write a description
#### Information
Target OS info
- run `cat /etc/issue`
- run `ps aux | grep -e "gnome-keyring" -e gdm`
### Current behavior
Write the current behavior and/or screenshot
### Expected behavior
Write the expected behavior and/or screenshot
## Feature request
Write a description
#### Information
Target OS info
- run `cat /etc/issue`
### Expected behavior
Write the expected behavior and/or screenshot
### Reproduce Steps
If you know how to do it, please explain the steps. This would help us to speed up adding this feature.
Target OS info
- run cat /etc/issue
- run cat /etc/lsb-release
- run ps aux | grep -e "gnome-keyring" -e gdm
foo 1529 0.0 0.1 206580 15896 ? Sl 09:46 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
root 16087 0.0 0.0 15444 2768 pts/7 S+ 17:41 0:00 grep --color=auto -e gnome-keyring -e gdm
Empty result
User passwords
Hello guys,
I'd like to ask, is the bash version going to be removed or you will allow the bash version to be written in many languages?
If you'll allow being written in many languages (which will be awesome), I can contribute with a Ruby version.
And we can do a todo list or table of features of what we want to achieve so all scripts will have a road map to work in, all are on the same page.
Feature | .sh | .py | .rb | .go | .xy |
---|---|---|---|---|---|
Kali Desktop Password | X | X | X | | |
Ubuntu Desktop Password | X | X | X | | |
Vsftpd Password | X | X | X | | |
SSH Password | X | X | X | X | X |
Apache Password | X | X | X | X | |
KDE password | X | | | | |
The program looks interesting, but there is no license on it. Can you add one?