{
	"id": "6bc90300-1033-4125-b175-1b6517f3cbea",
	"created_at": "2026-04-06T01:32:16.06462Z",
	"updated_at": "2026-04-10T13:12:38.240945Z",
	"deleted_at": null,
	"sha1_hash": "5a726c2b69a7d3736fd47627029fad624697d9bb",
	"title": "GitHub - huntergregal/mimipenguin: A tool to dump the login password from the current linux user",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140696,
	"plain_text": "GitHub - huntergregal/mimipenguin: A tool to dump the login\r\npassword from the current linux user\r\nBy huntergregal\r\nArchived: 2026-04-06 00:45:19 UTC\r\nA tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular\r\nWindows tool mimikatz. This was assigned CVE-2018-20781 (https://cve.mitre.org/cgi-bin/cvename.cgi?\r\nname=CVE-2018-20781). Fun fact it's still not fixed after GNOME Keyring 3.27.2 and still works as of\r\n3.28.0.2-1ubuntu1.18.04.1 .\r\nDetails\r\nTakes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high\r\nprobability of containing cleartext passwords. Will attempt to calculate each word's probability by checking\r\nhashes in /etc/shadow, hashes in memory, and regex searches. 2.0 introduces a clean C port that aims to increase\r\nthe speed of execution and portability\r\nKnown Issues\r\nThe 32bit variant of mimipenguin (C build) may fail in a 64bit userspace as it currently does not\r\nadequately handle searching a 64bit address space\r\nRequires\r\nroot permissions\r\nSupported/Tested Systems\r\nKali 4.3.0 (rolling) x64 (gdm3)\r\nUbuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)\r\nhttps://github.com/huntergregal/mimipenguin\r\nPage 1 of 3\n\nUbuntu Desktop 14.04.1 LTS x64 (Gnome Keyring 3.10.1-1ubuntu4.3, LightDM 1.10.6-0ubuntu1)\r\nUbuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)\r\nUbuntu Desktop 16.04.4 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2, LightDM 1.18.3-0ubuntu1.1)\r\nUbuntu 18\r\nXUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)\r\nArchlinux x64 Gnome 3 (Gnome Keyring 3.20)\r\nOpenSUSE Leap 42.2 x64 (Gnome Keyring 3.20)\r\nVSFTPd 3.0.3-8+b1 (Active FTP client connections)\r\nApache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]\r\nopenssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)\r\nBuilding\r\nTo Build the C variant release simply run make in the root directory of the project\r\nTo build a debug binary with debug prints run make debug\r\nTo build a static linked binaries run make static\r\nNotes\r\nPassword moves in memory - still honing in on 100% effectiveness\r\nPlan on expanding support and other credential locations\r\nWorking on expanding to non-desktop environments\r\nKnown bug - sometimes gcore hangs the script, this is a problem with gcore\r\nOpen to pull requests and community research\r\nLDAP research (nscld winbind etc) planned for future\r\nDevelopment Roadmap\r\nImplement needles in C port (speed up)\r\nAdd optional arg to target specific users only (speed up)\r\nMimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The\r\nroadmap below was suggested by KINGSABRI to track the various versions and features. An \"X\" denotes full\r\nsupport while a \"~\" denotes a feature with known bugs.\r\nFeature .sh .py\r\nGDM password (Kali Desktop, Debian Desktop) ~ X\r\nGnome Keyring (Ubuntu Desktop, ArchLinux Desktop) ~ X\r\nLightDM (Ubuntu Desktop) X X\r\nVSFTPd (Active FTP Connections) X X\r\nApache2 (Active HTTP Basic Auth Sessions) ~ ~\r\nhttps://github.com/huntergregal/mimipenguin\r\nPage 2 of 3\n\nFeature .sh .py\r\nOpenSSH (Active SSH Sessions - Sudo Usage) ~ ~\r\nContact\r\nTwitter: @huntergregal\r\nWebsite: huntergregal.com\r\nGithub: huntergregal\r\nLicence\r\nCC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/\r\nSpecial Thanks\r\nthe-useless-one for remove Gcore as a dependency, cleaning up tabs, adding output option, and a full\r\npython3 port\r\ngentilkiwi for Mimikatz, the inspiration and the twitter shoutout\r\npugilist for cleaning up PID extraction and testing\r\nianmiell for cleaning up some of my messy code\r\nw0rm for identifying printf error when special chars are involved\r\nbenichmt1 for identifying multiple authenticate users issue\r\nChaitanyaHaritash for identifying special char edge case issues\r\nImAWizardLizard for cleaning up the pattern matches with a for loop\r\ncoreb1t for python3 checks, arch support, other fixes\r\nn1nj4sec for a python2 port and support\r\nKINGSABRI for the Roadmap proposal\r\nbourgouinadrien for linking https://github.com/koalaman/shellcheck\r\nbcoles for adding more needles\r\nspace-r7 and bcoles for work on the Metasploit MimiPenguin module port\r\nSource: https://github.com/huntergregal/mimipenguin\r\nhttps://github.com/huntergregal/mimipenguin\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/huntergregal/mimipenguin"
	],
	"report_names": [
		"mimipenguin"
	],
	"threat_actors": [],
	"ts_created_at": 1775439136,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a726c2b69a7d3736fd47627029fad624697d9bb.pdf",
		"text": "https://archive.orkl.eu/5a726c2b69a7d3736fd47627029fad624697d9bb.txt",
		"img": "https://archive.orkl.eu/5a726c2b69a7d3736fd47627029fad624697d9bb.jpg"
	}
}