• Stars
    star
    3,500
  • Rank 12,713 (Top 0.3 %)
  • Language
    C
  • License
    Other
  • Created over 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool to dump the login password from the current linux user

MimiPenguin 2.0

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. This was assigned CVE-2018-20781 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781). Fun fact it's still not fixed after GNOME Keyring 3.27.2 and still works as of 3.28.0.2-1ubuntu1.18.04.1.

alt text

Details

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches. 2.0 introduces a clean C port that aims to increase the speed of execution and portability

Known Issues

  • The 32bit variant of mimipenguin (C build) may fail in a 64bit userspace as it currently does not adequatley handle searching a 64bit address space

Requires

  • root permissions

Supported/Tested Systems

  • Kali 4.3.0 (rolling) x64 (gdm3)
  • Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Ubuntu Desktop 14.04.1 LTS x64 (Gnome Keyring 3.10.1-1ubuntu4.3, LightDM 1.10.6-0ubuntu1)
  • Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Ubuntu Desktop 16.04.4 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2, LightDM 1.18.3-0ubuntu1.1)
  • Ubuntu 18
  • XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
  • OpenSUSE Leap 42.2 x64 (Gnome Keyring 3.20)
  • VSFTPd 3.0.3-8+b1 (Active FTP client connections)
  • Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
  • openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

Building

  • To Build the C variant release simply run make in the root directory of the project
  • To build a debug binary with debug prints run make debug
  • To build a static linked binaries run make static

Notes

  • Password moves in memory - still honing in on 100% effectiveness
  • Plan on expanding support and other credential locations
  • Working on expanding to non-desktop environments
  • Known bug - sometimes gcore hangs the script, this is a problem with gcore
  • Open to pull requests and community research
  • LDAP research (nscld winbind etc) planned for future

Development Roadmap

  • Implement needles in C port (speed up)
  • Add optional arg to target specific users only (speed up)

MimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The roadmap below was suggested by KINGSABRI to track the various versions and features. An "X" denotes full support while a "~" denotes a feature with known bugs.

Feature .sh .py
GDM password (Kali Desktop, Debian Desktop) ~ X
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop) ~ X
LightDM (Ubuntu Desktop) X X
VSFTPd (Active FTP Connections) X X
Apache2 (Active HTTP Basic Auth Sessions) ~ ~
OpenSSH (Active SSH Sessions - Sudo Usage) ~ ~

Contact

Licence

CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/

Special Thanks

  • the-useless-one for remove Gcore as a dependency, cleaning up tabs, adding output option, and a full python3 port
  • gentilkiwi for Mimikatz, the inspiration and the twitter shoutout
  • pugilist for cleaning up PID extraction and testing
  • ianmiell for cleaning up some of my messy code
  • w0rm for identifying printf error when special chars are involved
  • benichmt1 for identifying multiple authenticate users issue
  • ChaitanyaHaritash for identifying special char edge case issues
  • ImAWizardLizard for cleaning up the pattern matches with a for loop
  • coreb1t for python3 checks, arch support, other fixes
  • n1nj4sec for a python2 port and support
  • KINGSABRI for the Roadmap proposal
  • bourgouinadrien for linking https://github.com/koalaman/shellcheck
  • bcoles for adding more needles
  • space-r7 and bcoles for work on the Metasploit MimiPenguin module port

More Repositories

1

PNG-IDAT-Payload-Generator

Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code -- credit in README)
Python
171
star
2

scansploit

Exploit using barcodes, QRcodes, earn13, datamatrix
Python
108
star
3

botHunter

Scans the internet for open FTP servers looking for common malware bot droppers and grabs them for sampling. Also provides support for uploading samples to VirusTotal
Python
48
star
4

wordlists

Common Wordlists
47
star
5

tools

Some useful tools and scripts
PowerShell
41
star
6

malwareSandbox

A ready to deploy docker container for a fresh sandbox for on-the-fly malware analysis
Shell
40
star
7

dir_list

A wordlist for brute forcing directories / files
11
star
8

huntergregal

My website
CSS
6
star
9

buttnet

A simple IRC Botnet for linux-based targets
PHP
4
star
10

litterrobot_firmware

firmwares for litter robots
4
star
11

tinderception

Intercept Tinder photos
Python
3
star
12

practice

various practices programs, vulnerable stuffs, etc
C
3
star
13

pyTunnel

A customizable tunnel between two clients on two separate sockets. Authentication support TBD.
Python
2
star
14

YakTrack

Can be used to geolocate Yik Yaks in a given area
Python
2
star
15

pycrawl

Python Web Crawler
Python
2
star
16

Swag

Source code for Swag package
Python
1
star
17

brje_gamewheel

Bundle for Racial Justice and Equality (brje) Game Wheel
Python
1
star
18

Shodan-Client

A Shodan API client written in Python.
Python
1
star
19

DigitalOceanManager

Used to manage digital ocean droplets
Python
1
star
20

CVE

Collection of CVE details
1
star
21

writeups

CTF and challenge writeups
JavaScript
1
star
22

myGet

A Python version of wget. Written for NET320 class assignment.
Python
1
star