Master Linux Password Hunting: From File Names to Hash Cracking with Hashcat & John

This guide walks through systematic techniques for locating passwords on a compromised Linux host—including searching file names, file contents, hidden directories, web configuration files, MySQL databases, backup folders, and encrypted archives—while demonstrating how to crack discovered hashes using Hashcat, John the Ripper, and LinPEAS.

Liangxu Linux

0. Introduction

We explore practical techniques for hunting passwords on a target Linux machine to gain or elevate privileges. The article reviews common password storage locations, demonstrates manual discovery methods, and uses Hashcat and John to crack found hashes. An automated tool (LinPEAS) is evaluated at the end.

1. Password Search – File Names and File Contents

Start with a broad find command that lists every file whose name contains "passw" or "pwd" across the entire filesystem:

find / -exec ls -lad $PWD/* "{}" 2>/dev/null \; | grep -i -I "passw\|pwd"

Alternatively, use the fast locate utility:

locate 'passw'
locate 'pwd'
locate '*.php'

Both approaches generate many results; reviewing them can reveal juicy files that actually contain passwords.

For deeper content inspection, employ grep to search all files for password‑related strings:

grep --color=auto -rnw '/' -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null

Limit the search to specific directories such as /var/www, /tmp, /opt, or /home for faster results.
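As an added example (not the article's own code), the name and content sweep above done as a single Python walk that also records whether each hit is world-readable, the detail a hardening review needs. The directory tree it scans is constructed inline; the file names and values in it are made up apart from those the guide mentions.

```python
import os
import re
import tempfile

# Added example, not the article's code: the guide's find/grep sweep done as one
# walk that also records whether each hit is readable by every local user.
NAME_RE = re.compile(r"passw|pwd", re.IGNORECASE)
CONTENT_RE = re.compile(r"\b(passw|passwd|password|pwd)\b", re.IGNORECASE)  # grep -w

def scan(root, max_bytes=1_000_000):
    """Return sorted (relative path, reason, world_readable) for every hit.
    reason is 'name', 'content' or 'name+content'; dotfiles are included."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)
                world_readable = bool(os.stat(path).st_mode & 0o004)
            except OSError:                # unreadable: skip, like 2>/dev/null
                continue
            reasons = ["name"] if NAME_RE.search(name) else []
            # grep -I semantics: a NUL in the first block means binary, skip it
            if b"\x00" not in data[:8192] and CONTENT_RE.search(
                    data.decode("utf-8", "replace")):
                reasons.append("content")
            if reasons:
                hits.append((os.path.relpath(path, root), "+".join(reasons),
                             world_readable))
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture shaped like the guide's findings (values made up)."""
    root = tempfile.mkdtemp(prefix="pwhunt_")
    files = {  # relative path: (content, mode)
        "var/www/config.php": ("<?php $db_pass = 'CONSTRUCTED'; // password\n", 0o644),
        "home/dev/.important/.password": ("Password123!\n", 0o600),
        "home/dev/.bash_history": ("mysql -u root --password=CONSTRUCTED\n", 0o600),
        "var/backups/pwds.db": ("SQLite format 3\x00binary-body", 0o644),
        "opt/notes.txt": ("nothing interesting here\n", 0o644),
    }
    for rel, (body, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
        os.chmod(full, mode)
    return root
```

Note that the whole-word match (grep -w) misses a password glued to a flag such as -pSecret, so a history line in that form only shows up if its file name or another word matches.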

2. Password Search – Web Files / Config Files

Webroot directories (e.g., /var/www) often contain configuration files with database credentials. Look for config.php or similarly named PHP files.

Example config.php may reveal clear‑text MySQL credentials:

# Example excerpt
root:SuperS3cureP@ssw0rd

Use these credentials to connect to MySQL:

mysql -u root -p

WebDAV password files (e.g., passwd.dav) contain Apache-specific MD5 hashes ($apr1$…). Identify the associated user (e.g., devops) and crack the hash with Hashcat:

hashcat -h | grep '$apr'
hashcat -m 1600 ./webdav.hash /usr/share/wordlists/rockyou.txt -o cracked.dav

3. Password Search – Hidden Files / Folders

Hidden items start with a dot (e.g., .bash_history, .ssh, .important). List them with ls -la and explore:

ls -la /

In a hidden .important/.password file you might find a plain password such as Password123!.

Examine users' .bash_history files for commands that reveal credentials. For example, a user may have attempted to log into MySQL with the root password.

SSH private keys (id_rsa) can be copied and used directly if they are unencrypted. If encrypted, convert them with ssh2john and crack with John:

ssh2john juggernaut_id_rsa > jugg.john
john jugg.john --wordlist=/usr/share/wordlists/rockyou.txt

After cracking, restrict the copied key's permissions (chmod 600) and SSH into the account with it, entering the recovered passphrase when prompted.

4. Password Search – MySQL

With MySQL credentials, enumerate databases and tables:

show databases;
use mysql;
show tables;
select * from user;

Identify password hashes for users. For the MySQL root hash, verify it matches the known password using SELECT PASSWORD('SuperS3cureP@ssw0rd');. For other hashes (e.g., dev), extract the hash, remove the leading asterisk, and crack with Hashcat:

echo 'D37C49F9CBEFBF8B6F4B165AC703AA271E079004' > mysql.hash
hashcat -h | grep 'mysql'
hashcat -m 300 ./mysql.hash /usr/share/wordlists/rockyou.txt -o cracked.txt

Custom databases (e.g., web_app) may store MD5 or Base64‑encoded passwords. Identify hash types with hash-identifier and crack accordingly:

# MD5 cracking
hashcat -m 0 ./webapp.hash /usr/share/wordlists/rockyou.txt -o webapp_cracked.txt
# Base64 decoding
echo 'SXNoYWxsbjB0YmVjcmFja2VkIQo=' | base64 --decode

5. Password Search – /var/backups Folder

The /var/backups directory may contain SQLite databases or backup files. Use strings on binary files to extract embedded hashes:

strings ./pwds.db

Extract SHA-512 crypt hashes (prefixed with $6$) and crack with Hashcat using mode 1800:

hashcat -m 1800 ./shadow.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt -o shadow.cracked
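As an added example that is not from the article, covering the hashes met in sections 2, 4 and 5: a small triage helper that recognises the $apr1$, $6$, MySQL 4.1 and raw MD5 formats and returns the Hashcat mode the guide uses for each, plus a reimplementation of the pre-8.0 MySQL PASSWORD() function so a mysql41 hash can be checked against a known password without a live server. The sample lines are constructed; salts and hash bodies are placeholders except the dev hash quoted in section 4.

```python
import hashlib
import re

# Added example, not the article's code: classify the hash formats the guide
# meets and map each to the Hashcat mode the guide uses for it.
HASH_MODES = {"apr1": 1600, "sha512crypt": 1800, "mysql41": 300, "md5": 0}

def identify(hash_str):
    """Return the format name for a hash, or None if nothing known matches."""
    h = hash_str.strip()
    if h.startswith("$apr1$"):                    # Apache htpasswd / WebDAV MD5
        return "apr1"
    if h.startswith("$6$"):                       # shadow-style sha512crypt
        return "sha512crypt"
    if re.fullmatch(r"\*?[0-9A-Fa-f]{40}", h):    # MySQL 4.1+: '*' + SHA1 hex
        return "mysql41"
    if re.fullmatch(r"[0-9A-Fa-f]{32}", h):       # raw MD5, as in the web_app table
        return "md5"
    return None

def hashcat_mode(hash_str):
    """Hashcat -m value for a hash, or None if the format is unrecognised."""
    return HASH_MODES.get(identify(hash_str))

def triage(lines):
    """Parse 'user:hash' or bare-hash lines into (user, format, mode) tuples."""
    out = []
    for line in (l.strip() for l in lines if l.strip()):
        user, _, h = line.rpartition(":") if ":" in line else ("?", "", line)
        out.append((user, identify(h), hashcat_mode(h)))
    return out

def mysql41_hash(password):
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(password)) as uppercase hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def mysql41_verify(password, stored):
    """True if password yields the stored hash; a leading '*' is optional."""
    return mysql41_hash(password) == "*" + stored.strip().lstrip("*").upper()

# Constructed sample lines in the shapes the guide meets. Salts and hash bodies
# are made up, except the dev MySQL hash, which is the one quoted in section 4.
SAMPLE = [
    "devops:$apr1$XyZ12345$aBcDeFgHiJkLmNoPqRsTu1",
    "dev:*D37C49F9CBEFBF8B6F4B165AC703AA271E079004",
    "backup:$6$saltsalt$CONSTRUCTEDHASHBODY",
    "5f4dcc3b5aa765d61d8327deb882cf99",
]
```

A bare 40-hex string is classified as mysql41 here because that is the guide's context; elsewhere the same shape could be plain SHA-1, so confirm with hash-identifier before choosing a mode. PASSWORD() was removed in MySQL 8.0, so mysql41_hash is also the way to check such a hash from a newer client.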

6. Password Search – Password‑Protected Files

Identify archive files such as backup.rar in /opt. Transfer them via nc to the attacker machine, then attempt extraction. If password‑protected, convert the archive for John:

rar2john ./backup.rar > john_rar
john john_rar --wordlist=/usr/share/wordlists/rockyou.txt

John quickly recovers the password (e.g., DeVeLoPeR712), allowing extraction of the archive’s contents.

7. Automated Search – LinPEAS

Running ./linpeas.sh enumerates many of the same files and locations manually discovered. It highlights interesting files, extracts some passwords, and lists hidden directories, but it may miss certain items (e.g., specific hash files) and still produces noise, confirming that manual enumeration remains essential.

Overall, combining systematic manual searches with powerful cracking tools and automated enumerators like LinPEAS yields a comprehensive password‑hunting workflow on compromised Linux systems.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, privilege escalation, password cracking, Hashcat, LinPEAS, John the Ripper
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
