Mimipenguin is a free and open source, simple yet powerful tool developed by Hunter Gregal, which can be used to dump the login credentials (usernames and passwords) from the current Linux desktop user and it has been tested on various Linux distributions.
Mimipenguin supports applications such as: VSFTPd (active FTP client connections), Apache2 (active/old HTTP BASIC AUTH sessions but this requires Gcore) and openssh-server (active SSH connections with sudo command usage).
Even more importantly, it is currently being ported to numerous languages to support all imaginable post-exploit situations.
To understand how mimipenguin works, you need to keep in mind that all if not most Linux distributions store a great deal of such critical information as: credentials, encryption keys, as well as personal data in memory.
Mimipenguin is adapted from the idea behind the popular Windows tool mimikatz.
Particularly usernames and passwords are held by processes (running programs) in memory and stored as plain text for relatively long periods of time.
Mimipenguin technically exploits these clear-text credentials in memory – it dumps a process and extracts lines that have a likelihood of accommodating clear-text credentials.
It then tries to perform a calculation of each word’s probability of being present by determining hashes in: /etc/shadow, memory, and regex searches. Once it finds any, it prints them on standard output.
Installing Mimipenguin in Linux Systems
Mimipenguin is currently hosted on github and can be installed by cloning the git repo from github. In this example, we will be cloning the repo into the /opt directory and running it from there like in the code snippet below.
# cd /opt # git clone https://github.com/huntergregal/mimipenguin.git
Once you have downloaded the directory, move into it and run mimipenguin as follows:
# cd mimipenguin/ # ./mimipenguin.sh
Below is a screenshot of the output of the command when run successfully: