MimiPenguin – Display (Hack) Login Passwords of Linux Users

MimiPenguin is a free and open source, simple yet powerful Shell/Python script used to dump the login credentials (usernames and passwords) from the current Linux desktop user and it has been tested on various Linux distributions.

Additionally, it supports applications such as VSFTPd (active FTP client connections), Apache2 (active/old HTTP BASIC AUTH sessions but this requires Gcore), and OpenSSH-server (active SSH connections with sudo command usage).

Importantly, it’s gradually being ported to numerous languages to support all imaginable post-exploit situations.

How Does MimiPenguin Work?

To understand how MimiPenguin works, you need to keep in mind that all if not most Linux distributions store a great deal of such critical information as credentials, encryption keys, as well as personal data in memory.

Particularly usernames and passwords are held by processes (running programs) in memory and stored as plain text for relatively long periods of time.

MimiPenguin technically exploits these clear-text credentials in memory – it dumps a process and extracts lines that have a likelihood of accommodating clear-text credentials.

It then tries to perform a calculation of each word’s chances of being present by determining hashes in /etc/shadow, memory, and regex searches. Once it finds any, it prints them on standard output.

Installing MimiPenguin in Linux Systems

We will use git to clone the MimiPenguin repository, so first install git on the system if in case you don’t have it.

$ sudo apt install git         [On Debian, Ubuntu and Mint]
$ sudo yum install git         [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
$ sudo emerge -a git           [On Gentoo Linux]
$ sudo apk add git             [On Alpine Linux]
$ sudo pacman -S git           [On Arch Linux]
$ sudo zypper install git      [On OpenSUSE]    

Then clone the MimiPenguin directory in your home folder (anywhere else) as shown.

$ git clone https://github.com/huntergregal/mimipenguin.git

View Linux User Passwords

Once you have downloaded the directory, move into it and run mimipenguin as follows:

$ cd mimipenguin/
$ ./mimipenguin.sh 

Note: If you encounter the error below, use the sudo command like so:

Root required - You are dumping memory...
Even mimikatz requires an administrator
Dump Login Passwords in Linux
Dump Login Passwords in Linux

From the output above, mimipenguin provides you with the desktop environment along with the username and password.

Alternatively, run the Python script as follows:

$ sudo ./mimipenguin.py

Note that sometimes gcore may hang the script (this is a known problem with gcore).

Future Updates

Below is a list of features yet to be added to mimipenguin:

  • Improving overall effectiveness
  • Adding more support and other credential locations
  • Including support for non-desktop environments
  • Adding support for LDAP

Do share any additional ideas relating to the mimipenguin tool or issues of cleartext credentials in memory in Linux via the comment section below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

6 thoughts on “MimiPenguin – Display (Hack) Login Passwords of Linux Users”

  1. I dunno if posting this article was a good idea? You’ve now given someone who may have access to a secure Linux machine the tools (AND instructions!) on how to gain information that the probably shouldn’t have.

    But thanks for the article nonetheless….knowing what I now know after reading this article?…I will do what I can to prevent this from ever being able to run on my Linux boxes. (I guess memory encryption? or just find a way to lock the processes from outside intervention.

    Reply
    • @Eddie G.

      The tool is out there, so any one with malicious thoughts can used it. But we our aim simply to keep Linux users aware of it’s existence and the dangers involved.

      As you have stated, do whatever is possible to prevent this from ever being able to run on your Linux boxes. Thanks for the concern and feedback.

      Reply
    • Aside from being contrary to the ethos of open-source software, your purpose is security through obscurity.

      This not only doesn’t work as those with truly malicious intent, and thus actively looking for or making themselves tools like these, will have early access to ways to exploit systems that the general public wouldn’t even know exist but it would also be dangerous as it would give a false sense of security.

      Having said that, in this particular case, to use this tool one would have to know the root password already and if you have that then you already have complete control of the system.

      Reply
      • On that topic (because it’s been a debate of the few geeks I know and hang out with! LoL!)

        Which method would you recommend?:

        Changing the root password every 3 to 6 months?
        or
        Creating such a complex and lengthy password so as to make it hard to crack?

        Curious to hear your thoughts.

        Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.