Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s.bash_historyfile. For each user, this file resides at the same location:~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
Search through bash history for specifice commands we want to capture
Supported Platforms: Linux, macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | Path | ~/loot.txt |
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh' |
| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history |
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}