mimipenguin's Introduction

huntergregal

mimipenguin's People

Contributors

bcoles, coreb1t, danilabs, huntergregal, ianmiell, lemonnguyen, the-useless-one

mimipenguin's Issues

Not working on Linux kali 4.19.0-kali5-amd64

Bug report

Write a description

kali:/root/mimipenguin# ./mimipenguin
[+] GNOME KEYRING (928)
[-] gnome-keyring-daemon version not supported
[!] ERROR: dumping passwords from keyring
[+] GNOME KEYRING (2018)
[-] gnome-keyring-daemon version not support

Information

Target OS info

  • run cat /etc/issue
  • run ps aux | grep -e "gnome-keyring" -e gdm

kali:/root# cat /etc/issue
Kali GNU/Linux Rolling \n \l
kali:/root# date
Wed 31 Jul 2019 03:03:58 AM EDT

kali:/root# ps aux | grep -e "gnome-keyring" -e gdm
root 832 0.0 0.3 244584 9076 ? Ssl Jul30 0:00 /usr/sbin/gdm3
root 864 0.0 0.3 169304 9060 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-autologin]
root 928 0.0 0.2 240996 6888 ? Sl Jul30 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
root 976 0.0 0.2 166732 6192 tty2 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
root 978 0.0 2.1 368076 53268 tty2 Sl+ Jul30 0:02 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/0/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root 1786 0.0 0.3 169208 8684 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 1802 0.0 0.2 166736 6092 tty1 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session gnome-session --autostart /usr/share/gdm/greeter/autostart
Debian-+ 1804 0.0 1.9 363356 48620 tty1 Sl+ Jul30 0:00 /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/131/gdm/Xauthority -background none -noreset -keeptty -verbose 3
Debian-+ 1813 0.0 0.6 574068 15244 tty1 Sl+ Jul30 0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
root 2001 0.0 0.3 169268 8800 ? Sl Jul30 0:00 gdm-session-worker [pam/gdm-password]
simon1 2018 0.0 0.2 241028 7400 ? Sl Jul30 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
simon1 2022 0.0 0.2 166732 6088 tty3 Ssl+ Jul30 0:00 /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
simon1 2024 0.0 1.9 363808 48732 tty3 Sl+ Jul30 0:05 /usr/lib/xorg/Xorg vt3 -displayfd 3 -auth /run/user/1001/gdm/Xauthority -background none -noreset -keeptty -verbose 3
root 3140 0.0 0.0 6012 888 pts/0 S+ 03:04 0:01 grep -e gnome-keyring -e gdm

Current behavior

Write the current behavior and/or screenshot

Expected behavior

Write the expected behavior and/or screenshot

Feature request

Write a description

Information

Target OS info

  • run cat /etc/issue

Expected behavior

Write the expected behavior and/or screenshot

Reproduce Steps

If you know how to do it, please explain the steps. This would help us to speed up adding this feature.

[beta-1.0] Not working on Ubuntu 10.04.4

Bug report

Using mimipenguin.sh (beta-1.0 branch), the password is not extracted from gnome-keyring on Ubuntu 10.04.4.

# ./mimipenguin.sh 
MimiPenguin Results:

Information

Target OS info

$ cat /etc/issue
Ubuntu 10.04.4 LTS \n \l
$ ps aux | grep -e "gnome-keyring" -e gdm
root       790  0.0  0.3  83100  3664 ?        Ssl  Jul06   0:00 gdm-binary
root      5897  0.0  0.4  93500  4240 ?        Sl   00:53   0:00 /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
root      5899  0.8  2.4 117160 24748 tty8     Ss+  00:53   0:01 /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-qr9uET/database -nolisten tcp
gdm       5919  0.0  0.0  26260   820 ?        S    00:53   0:00 /usr/bin/dbus-launch --exit-with-session
root      5939  0.0  0.3  97320  3420 ?        Sl   00:53   0:00 /usr/lib/gdm/gdm-session-worker
user      5954  0.0  0.4  69632  4172 ?        Sl   00:53   0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
user      6486  0.0  0.1   7628  1028 pts/1    S+   00:55   0:00 grep --color=auto -e gnome-keyring -e gdm

What's the license?

The program looks interesting, but there is no license on it. Can you add one?

Python 2

./mimipenguin.sh: line 59: python2: command not found

Looks like python2 needs to be added to the requirements list.

You might want to consider porting to python 3. https://pythonclock.org/

syntax error near unexpected token `<<<'

Bug report

Write a description
When I try to execute the mimipenguin.sh script, it throws the following syntax error:

./mimipenguin.sh
./mimipenguin.sh: line 37: syntax error near unexpected token `<<<'
./mimipenguin.sh: line 37: `	done <<< "$mem_maps"'

Information

Target OS info

cat /etc/issue
Red Hat Linux release 7.3 (Valhalla)
Kernel \r on an \m

Removing gcore as a dependency

Hey @huntergregal,

my coworker and I were taking a look at your script and it appears not to be working on a Debian server. This is due to the fact that gcore is not installed by default. There are some ways to dump a process's memory to a file using only shell (see this StackExchange). However, it could be easier to do this in Python.

We wanted to do a pull request to modify the dumping process, so that you don't have to rely on gcore anymore. However, we're not sure on how to do it:

  • We could do it in pure shell, since your script is a shell script
  • We could write it in Python, since you already have Python as a dependency to compute the hashes

But if we write it in Python, it might make more sense to rewrite your whole script in Python. Since it's an important decision, we wanted to leave it up to you. In any case, we'd be happy to help improve it. Let us know your decision.

Thanks for this awesome tool!

Cheers,

Y

strings: '/tmp/apache*': No such file

Ubuntu 16.04.2 LTS \n \l

root 9107 0.0 0.1 12944 1088 pts/1 S+ 08:15 0:00 grep --color=auto -e gnome-keyring -e gdm

error:strings: '/tmp/apache*': No such file

1.sh: line 19: syntax error near unexpected token `{

I tried to run the sh file with this command: sh 1.sh, but I got these errors:

1.sh: line 2: 
: command not found
1.sh: line 6: 
: command not found
1.sh: line 19: syntax error near unexpected token `{
'
1.sh: line 19: `function dump_pid () {
'

OS Version : Red Hat Enterprise Linux Server release 5.7
Bash Version : GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)

Also, there is no python3 installed on the server. Is there any python2 version of mimipenguin?

[ Proposal ] Issue template

Hello!
I believe the repository needs an issue template, as documented here.

Something like

Hi, thank you for reporting issues to us. 
Tip: If you're reporting a bug, remove the feature request section for your convenience. 

## Bug report

Write a description 

#### Information
Target OS info
- run `cat /etc/issue`
- run `ps aux | grep -e "gnome-keyring" -e gdm`

### Current behavior 
Write the current behavior and/or screenshot

### Expected behavior 
Write the expected behavior and/or screenshot

## Feature request
Write a description 
#### Information
Target OS info
- run `cat /etc/issue`

### Expected behavior 
Write the expected behavior and/or screenshot

### Reproduce Steps
If you know how to do it, please explain the steps. This would help us to speed up adding this feature.

Create a wiki

Feature request

As this script is getting more attention, each plugin has its own way and could need some research, of course.
The idea is that we create a wiki for each feature to explain the main issue and how to reproduce it manually. So people who try to add or use these features will have a good understanding to build the same script in another language and add more features to existing scripts.

Expected behavior

To have something like a knowledge base that explains each plugin/feature (not code) of mimipenguin

Reproduce Steps

To dump Linux memory for a specific process to disk, we need the following:

Gdm

  1. Get process id (PID): /proc/[PID]/cmdline
    cmdline is a file that holds the complete command line for the process.
  2. Get PID maps: /proc/[PID]/maps
    maps is a file containing the currently mapped memory regions and their access permissions.
  3. Get the process's memory pages: /proc/[PID]/mem
    mem is a file that can be used to access the pages of a process's memory through

search for ^.+libgck\-1\.so\.0$ in memory dump

RedHat Support

Great work on this! Any chance of working in a RedHat component?

Only supports root accounts?

Hi, I tested it on Kali as the root account and it works right. But it fails when I was a normal user (had sudo privileges, tested on Kali). It reported no /tmp/dump file.

BR

Is the bash version going to be removed?

Hello guys,

I'd like to ask, is the bash version going to be removed, or will you allow the bash version to be written in many languages?

If you'll allow being written in many languages (which will be awesome), I can contribute with a Ruby version.
And we can do a todo list or table of features of what we want to achieve so all scripts will have a road map to work in, all are on the same page.

Feature .sh .py .rb .go .xy
Kali Desktop Password X X X
Ubuntu Desktop Password X X X
Vsftpd Password X X X
SSH Password X X X X X
Apache Password X X X X
KDE password X

Not working on Ubuntu 14.04

09:18 abourgouin@Atuin /dev/mimipenguin(master) $ cat /proc/version
Linux version 4.4.0-72-generic (buildd@lcy01-24) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1
14.04.3) ) #93~14.04.1-Ubuntu SMP Fri Mar 31 15:05:15 UTC 2017

Here is the result of running the command:
https://pastebin.com/9MG3Ur4L

No results for gnome-keyring-daemon 3.28.2

No results on Kali with gnome-keyring-daemon version 3.28.2 using mimipenguin

root@kali:~/Desktop/mimipenguin# gnome-keyring-daemon -V
gnome-keyring-daemon: 3.28.2
testing: enabled

Not working on CentOS release 6.7

I use it on CentOS release 6.7, and the server is a VPS.

Process like this:

[root@OpenVZVPS-2016815796 mimipenguin]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m

Then I execute ./mimipenguin.sh, but without any results.
[root@OpenVZVPS-2016815796 mimipenguin]# ls
LICENSE README.md mimipenguin.py mimipenguin.sh
[root@OpenVZVPS-2016815796 mimipenguin]# ./mimipenguin.sh
MimiPenguin Results:

So I can't get user's login password.

Not working here:

Does it work?
On 16.04:

$ sudo ./mimipenguin.sh 
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
MimiPenguin Results:
$

On Ubuntu 14.04:

$ sudo bin/mimipenguin.sh 
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/dump.': No such file
strings: '/tmp/sshd.14181 20491': No such file
strings: '/tmp/sshd.14181 20491': No such file
MimiPenguin Results:
$

No results. Appears there are more dependencies than listed or that all the leak methods don't work on patched systems.
Also tried it on an apache server running about 5 different vhosts. No joy.

No results - gnome-keyring-daemon version 3.10.1

Information

mimipenguin.sh from 47dba4b run on a rather out of date Ubuntu 14.04.4 VM.

The strings dump of the process contains the cleartext password, but it is not near any of the current needles. Based on what the other needles are looking for, I expect adding /lib/x86_64-linux-gnu/libdbus-1.so.3 may be the solution. Relevant excerpt from the dump (the password is notpassword):

...
@ 6s
libglib-2.0.so.0
/lib/x86_64-linux-gnu
libglib-2.0.so.0
/lib/x86_64-linux-gnu/libdbus-1.so.3
W9>^y
notpassword
notpassword
notpassword
notpassword
...

Current behavior

No results are found

Expected behavior

The password is found

Shellcheck: SC1087 (error): Use braces when expanding arrays

Bug report

Shellcheck is complaining:

In mimipenguin.sh line 124:
        export RESULTS="$RESULTS[HIGH]$4            $line\n"
                        ^-- SC1087 (error): Use braces when expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet).


In mimipenguin.sh line 127:
            export RESULTS="$RESULTS[LOW]$4         $line\n"
                            ^-- SC1087 (error): Use braces when expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet).

For more information:
  https://www.shellcheck.net/wiki/SC1087 -- Use braces when expanding arrays,...

Expected behavior

shellcheck should not find any error.

Ubuntu Mate is not supported

I run sudo su to get root administration. Then I run the script ./mimipenguin.
But I got the result like this.

MimiPenguin Results:

Segmentation fault -ERROR: getting line - Success

Linux Mint 18 - gnome-keyring-daemon version 3.18.3

mint-18 mimipenguin # ./mimipenguin
  [!] ERROR: getting line - Success
  [!] Error getting user for pid
Segmentation fault

mimipenguin.sh and mimipenguin.py return no results.

No results for Ubuntu 16.04.2 LTS Xubuntu

Bug report

Write a description

Information

Target OS info
-run cat /etc/issue

  • Ubuntu 16.04.2 LTS

-run cat /etc/lsb-release

  • DISTRIB_ID=Ubuntu
  • DISTRIB_RELEASE=16.04
  • DISTRIB_CODENAME=xenial
  • DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

-run ps aux | grep -e "gnome-keyring" -e gdm
foo 1529 0.0 0.1 206580 15896 ? Sl 09:46 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
root 16087 0.0 0.0 15444 2768 pts/7 S+ 17:41 0:00 grep --color=auto -e gnome-keyring -e gdm

Current behavior

Empty result

Expected behavior

User passwords

Breaking if more than one user is currently logged in interactively

On Ubuntu 16.04, x64:

I am able to properly extract the passwords from memory when a singular user is logged in. However, if multiple users are logged in, the script is unable to detect anything.

4296': No such file
strings: '/tmp/dump.1722
4296': No such file
strings: '/tmp/dump.1722
4296': No such file
MimiPenguin Results:
