Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity.
- search for files that contain the strings "passw" and "pwd" across the entire filesystem
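# Recursive, whole-word (-w), case-insensitive (-i) search of the entire
# filesystem for the listed password-related tokens; -I skips binary files and
# read/permission errors are discarded.
# Fix: the original passed both --color=auto and --color=always; the last one
# wins, so only --color=always is kept (colour survives piping into a pager).
grep -rnw '/' -iIe "PASS\|PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null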
- navigate to common folders where we normally find interesting files, such as /var/www, /tmp, /opt, /home.
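# Same whole-word, case-insensitive, binary-skipping search as above but with no
# path operand, so GNU grep -r examines the current working directory: change
# into the folder of interest first.
# Fix: the redundant --color=auto is dropped (--color=always already won).
grep -rnw -iIe "PASSW\|PASSWD\|PASSWORD\|PWD" --color=always 2>/dev/null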
- search for configuration files
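# List files with common configuration-file extensions, one group per extension;
# paths containing lib, fonts, share or core are filtered out to reduce noise.
# Fixes: the -name pattern is quoted so the shell cannot expand "*.conf" against
# the current directory before find ever sees it, and the needless $(echo ...)
# word list is replaced by a plain list.
for ext in .conf .config .cnf; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done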
- extract credentials from configuration files
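# For every *.cnf file (paths containing doc or lib skipped), print the
# non-comment lines that mention user, password or pass.
# Fixes: the -name pattern is quoted so the shell does not glob it; the file
# list is consumed by a read -r loop instead of for-in-$(...), so paths with
# spaces are not split; the path is quoted when handed to grep.
while IFS= read -r cnf; do
  printf '\nFile: %s\n' "$cnf"
  grep "user\|password\|pass" "$cnf" 2>/dev/null | grep -v "\#"
done < <(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib")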
- search for all files whose name ends with _history
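# List every file whose name ends in _history without crossing into other
# mounted filesystems; unreadable directories are skipped silently.
# Fixes: -xdev is a global option and belongs before the tests (GNU find warns
# when it follows -name), and the pattern is quoted so the shell does not glob
# it against the current directory.
find / -xdev -name "*_history" 2>/dev/null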
- search for database files
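# List files with common database-related extensions, one group per pattern;
# the ".*db" and ".db*" entries intentionally carry wildcards that find expands.
# Paths containing doc, lib, headers, share or man are filtered out.
# Fixes: each pattern is quoted so neither the list nor the -name argument is
# globbed by the shell; the $(echo ...) word list is gone.
for ext in .sql .db '.*db' '.db*'; do
  printf '\nDB File extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man"
done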
- search for common file types used with scripts.
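# List files with common script / source extensions, one group per extension;
# paths containing doc, lib, headers or share are filtered out.
# Fixes: the -name pattern is quoted so the shell cannot expand "*.py" against
# the current directory, and the $(echo ...) word list is a plain list.
for ext in .py .pyc .pl .go .jar .c .sh; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share"
done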
- search for various document file types, excluding certain directories
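# List files with common office/document extensions, one group per pattern
# (entries ending in "*" are deliberate wildcards such as .xls* for .xlsx).
# Paths containing lib, fonts, share or core are filtered out.
# Fixes: wildcard-bearing patterns are quoted in the list and the -name argument
# is quoted, so find, not the shell, performs the matching.
for ext in .xls '.xls*' .xltx .csv '.od*' .doc '.doc*' .pdf .pot '.pot*' '.pp*'; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core"
done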
- search logs for sensitive data
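# For each regular file directly under /var/log, report the file and print the
# lines matching the authentication / session / sudo related keywords.
# Fixes: the keyword pattern lives in one variable instead of being typed twice;
# the file list comes from a glob rather than parsed `ls` output (for
# subdirectories ls printed bare names the grep could never open); only regular
# files are examined; grep -q replaces capturing the whole output just to test
# for emptiness; every expansion is quoted.
log_pattern="accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs"
for log in /var/log/*; do
  [[ -f "$log" ]] || continue
  if grep -q "$log_pattern" "$log" 2>/dev/null; then
    printf '\n#### Log file: %s\n' "$log"
    grep "$log_pattern" "$log" 2>/dev/null
  fi
done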
- search for credentials stored in memory
# Dump printable strings of at least 10 bytes from /dev/mem and keep the lines
# containing PASSWORD or PASSWD, case-insensitively, with colour forced on.
# NOTE(review): reading /dev/mem presumably needs root and may be restricted by
# the kernel; nothing on this page shows the expected environment.
strings -n 10 /dev/mem | grep -i --color=always -e "PASSWORD\|PASSWD"
- search for notes that may contain credentials
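# Under every home directory, list regular files that are either *.txt or carry
# no extension at all (typical of ad-hoc notes).
# Fixes: -type f is stated once and factored out of the parenthesised name test
# (same logic, no repetition), and stderr is silenced as in the other commands so
# permission errors do not drown the listing.
find /home/* -type f \( -name "*.txt" -o ! -name "*.*" \) 2>/dev/null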
- search for the string "password=" in all files (case-insensitive)
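# Case-insensitive, whole-word search of the entire filesystem for PASSWORD=.
# Fix: the redundant --color=auto is dropped (--color=always already won).
# The author's -w is kept: grep then requires the token to be delimited on both
# sides, i.e. a non-word character or line end must follow the "=" as well.
grep -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null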
- scripts often contain hardcoded credentials (this repeats the script-file search above)
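# List files with common script / source extensions, one group per extension;
# paths containing doc, lib, headers or share are filtered out. This is the same
# command as the earlier script-file search on this page.
# Fixes: the -name pattern is quoted so the shell cannot expand "*.py" against
# the current directory, and the $(echo ...) word list is a plain list.
for ext in .py .pyc .pl .go .jar .c .sh; do
  printf '\nFile extension: %s\n' "$ext"
  find / -name "*$ext" 2>/dev/null | grep -v "doc\|lib\|headers\|share"
done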
- search the filesystem for files named authorized_keys
# Locate every filesystem entry literally named authorized_keys; directories
# that cannot be read are skipped silently.
find / -name 'authorized_keys' 2>/dev/null
- search the filesystem for the key term "PRIVATE KEY" to discover SSH private keys
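# Recursive whole-word search for "PRIVATE KEY" under every top-level directory,
# keeping only hits reported on line 1 of a file (presumably because a key
# file's BEGIN header is its first line).
# Fix: the original filter `grep ":1"` also let through lines 10-19, 100-199,
# ... and any content containing ":1"; the anchored form below matches the
# "path:1:" prefix of grep -n output (assumes the path itself has no colon).
grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep '^[^:]*:1:'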
- search for the keywords "PRIVATE KEY" within files in users' home directories
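# Recursive whole-word search for "PRIVATE KEY" under each home directory,
# keeping only hits reported on line 1 of a file (presumably because a key
# file's BEGIN header is its first line).
# Fix: the original filter `grep ":1"` also let through lines 10-19, 100-199,
# ... and any content containing ":1"; the anchored form below matches the
# "path:1:" prefix of grep -n output (assumes the path itself has no colon).
grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep '^[^:]*:1:'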