Swap Digger – Tool That Automates Swap Extraction And Searches For Linux User Credentials, Web Forms Credentials, Web Forms Emails, Http Basic Authentication, Wifi SSID And Keys, Etc

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.

Download and run the tool

On your machine
Use the following commands to download and run the script on your machine:

[email protected]:~$ git clone https://github.com/sevagas/swap_digger.git
[email protected]:~$ cd swap_digger
[email protected]:~$ chmod +x swap_digger.sh
[email protected]:~$ sudo ./swap_digger.sh -vx

On a mounted hard drive
To use swap_digger on a mounted hard drive, do the following:
First, download the script using the following commands:

[email protected]:~$ git clone https://github.com/sevagas/swap_digger.git
[email protected]:~$ cd swap_digger
[email protected]:~$ chmod +x swap_digger.sh

Then, find the target swap file/partition with:

[email protected]:~$ sudo ./swap_digger.sh -S

Finally, analyze the target by running:

[email protected]:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device

On a third party machine
Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):

[email protected]:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
[email protected]:~$ chmod +x swap_digger.sh
[email protected]:~$ sudo ./swap_digger.sh -vx

Note: Use the -c option to automatically remove the directory created by swap_digger (/tmp/swap_dig).

Simple run
If you only need to recover clear text Linux user passwords, simply run:

[email protected]:~$ sudo ./swap_digger.sh

Available options
All options:

 ./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended Run Extended tests on the target swap to retrieve other interesting data
(web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing Try to guess potential passwords based on observations and stats
Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help Display this help.
-v, --verbose Verbose mode.
-l, --log Log all outputs in a log file (protected inside the generated working directory).
-c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
Change this value for forensic analysis when target is a mounted file system.
This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
This option should be used with the -r option where at least //etc/shadow exists.
-S, --swap-search Search for all available swap devices (use for forensics).

Relevant resources
Blog posts about swap digging:

Feel free to message on my Twitter account @EmericNasi

Author: Marshmallow

Marshmallow Android is BT Ireland’s Head of Sales for Republic of Ireland domestic multi-site companies, indigenous MNCs and public sector accounts. He is responsible for the direction and control of all sales activity in the region. He has over 10 years management experience from high growth start-ups to more established businesses. He’s led teams in Ireland, India and China across various industries (ICT, On-Line Recruitment, Corporate Training and International Education).