Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sevagas/swap_digger

swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
https://github.com/sevagas/swap_digger

dfir forensics hacking post-exploitation security

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/sevagas/swap_digger
Owner: sevagas
License: gpl-3.0
Created: 2017-07-11T15:39:47.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2021-06-26T13:33:55.000Z (about 3 years ago)
Last Synced: 2024-02-14T20:34:56.680Z (7 months ago)
Topics: dfir, forensics, hacking, post-exploitation, security
Language: Shell
Homepage: http://blog.sevagas.com/?Digging-passwords-in-Linux-swap
Size: 354 KB
Stars: 494
Watchers: 28
Forks: 96
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

ForensicsTools - swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc. (Challenges / Carving)
awesome-forensics - swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc. (Tools / Carving)
awesome-anti-forensic - Swap-digger - exploitation or forensics. (Tools / Analysis / Gathering tool (Know your ennemies))
Awesome-Forensics - swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc. (Tools / Carving)

README

![Bash version](https://img.shields.io/badge/Bash-4-brightgreen.svg) ![License](https://img.shields.io/badge/License-GPLv3-blue.svg)

# swap\_digger

swap\_digger is a bash script used to automate Linux swap analysis for
post-exploitation or forensics purpose. It automates swap extraction and
searches for Linux user credentials, Web form credentials, Web form emails,
HTTP basic authentication, WiFi SSID and keys, etc.

![Sample run](/assets/swap_digger.png?raw=true "Sample run")

## Download and run the tool

### On your machine

Use the following commands to download and run the script on your machine:

```bash
git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx
```

![Extended run](/assets/swap_digger_extended.png?raw=true "Extended run")

### On a mounted hard drive

To use swap\_digger on a mounted hard drive, do the following:

First, download the script using the following commands:
```bash
git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
```

Then, find the target swap file/partition with:
```bash
sudo ./swap_digger.sh -S
```

Finally, analyze the target by running:
```bash
sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device
```

### On a third party machine

Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):

```bash
wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx -c
```

Note: Use the `-c` option to automatically remove the directory created by swap\_digger (`/tmp/swap_dig`).

## Simple run

If you only need to recover clear text Linux user passwords, simply run:
```bash
sudo ./swap_digger.sh
```

## Available options

All options:
```
./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended Run Extended tests on the target swap to retrieve other interesting data
(web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing Try to guess potential passwords based on observations and stats
Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help Display this help.
-v, --verbose Verbose mode.
-l, --log Log all outputs in a log file (protected inside the generated working directory).
-c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
Change this value for forensic analysis when target is a mounted file system.
This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
This option should be used with the -r option where at least //etc/shadow exists.
-S, --swap-search Search for all available swap devices (use for forensics).
```

## Relevant resources

Blog posts about swap digging:
- https://blog.sevagas.com/?Digging-passwords-in-Linux-swap

## Contact

Feel free to message me on my Twitter account [@EmericNasi](http://twitter.com/EmericNasi)

## License and credits

[The GNU General Public License version 3](https://opensource.org/licenses/GPL-3.0)