The strings utility on Linux extracts the printable text strings from a binary file. I am using a swapfile image as an example; the output can be searched for strings that reveal information about the system the swap came from.
Below is an example in which I am looking for instances of the word “user”.
┌─[✗]─[jason@jason-desktop]─[~/Downloads]
└──╼ $ strings swap.0 | grep "user"
user-download
user-mail
user-manpages
user-tmp
user-write
MESSAGE=input_userauth_request: invalid user monitor [preauth]
MESSAGE=Invalid user adminuser from 223.223.176.184
MESSAGE=input_userauth_request: invalid user adminuser [preauth]
MESSAGE=Invalid user webadm from 18.220.232.208
MESSAGE=input_userauth_request: invalid user webadm [preauth]
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=Invalid user terry from 106.13.233.32
MESSAGE=pam_unix(cron:session): session closed for user root
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=input_userauth_request: invalid user terry [preauth]
MESSAGE=Invalid user flow from 190.52.191.49
MESSAGE=input_userauth_request: invalid user flow [preauth]
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=Invalid user admin1 from 122.51.155.140
MESSAGE=input_userauth_request: invalid user admin1 [preauth]
MESSAGE=Invalid user from 65.49.20.67
MESSAGE=input_userauth_request: invalid user [preauth]
MESSAGE=Invalid user dev from 161.35.126.137
MESSAGE=input_userauth_request: invalid user dev [preauth]
MESSAGE=Invalid user webadmin from 161.35.126.137
MESSAGE=input_userauth_request: invalid user webadmin [preauth]
MESSAGE=Invalid user sysadmin from 197.211.219.98
MESSAGE=input_userauth_request: invalid user sysadmin [preauth]
MESSAGE=Invalid user csp from 157.245.100.56
This shows that many login attempts with usernames that do not exist on the system were made against it, and all of them failed.
This example shows information about a Bitnami session running on the server.
┌─[✗]─[jason@jason-desktop]─[~/Downloads]
└──╼ $ strings swap.0 | grep "bitnami"
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=(root) CMD (/opt/bitnami/php/bin/php /home/bitnami/APIX/artisan schedule:run >> /dev/null 2>&1)
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=(bitnami) CMD (cd /opt/bitnami/stats && ./agent.bin --run -D)
MESSAGE=(root) CMD (/home/bitnami/aws-scripts-mon/mon-put-instance-data.pl --mem-util --disk-path=/ --disk-space-util --from-cron)
MESSAGE=(root) CMD (/opt/bitnami/php/bin/php /home/bitnami/APIX/artisan schedule:run >> /dev/null 2>&1)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
_CMDLINE=/bin/sh -c /home/bitnami/aws-scripts-mon/mon-put-instance-data.pl --mem-util --disk-path=/ --disk-space-util --from-cron
bitnami
/opt/bitnami/apps/phpmyadmin/htdocs/
/opt/bitnami/apps/phpmyadmin/htdocs
So this is a very useful utility for recovering text from files on your machine.
This is a very good way to find usernames on a Linux machine if you have the swapfile. This tells me that there is a user named “ubuntu” and a user named “bitnami”.
┌─[✗]─[jason@jason-desktop]─[~/Downloads]
└──╼ $ strings swap.0 | grep "session opened"
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
2 01:08:47 sshd[7520]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
ip-10-200-0-148 CRON[9321]: pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
So it is very useful if you can obtain just one file from a system, assuming it uses a swap file rather than a swap partition. If swap is a partition instead, it could still be the case that a person had the opportunity to create an image of it and take that away for later scanning.
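As an added example that is not part of the original post, the Python script below does what the strings | grep pipelines above do and then tallies the results: it pulls printable runs out of a swap-image sample, counts the "Invalid user" SSH attempts per username and per source address, and lists the accounts that had sessions opened. The sample bytes, usernames and addresses are constructed for the demonstration, not taken from the author's image.

```python
import re
from collections import Counter

# Constructed sample of swap-image bytes: log fragments separated by
# non-printable padding, the kind of content strings recovers from swap.
SAMPLE_SWAP = (
    b"\x00\x00MESSAGE=Invalid user adminuser from 203.0.113.10\x00\xff\x01"
    b"MESSAGE=input_userauth_request: invalid user adminuser [preauth]\x00\x00"
    b"\x7fab\x00MESSAGE=Invalid user dev from 198.51.100.7\x00"
    b"MESSAGE=Invalid user webadmin from 198.51.100.7\x00\x00\x00"
    b"MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)\x00"
    b"sshd[7520]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)\x00"
)

INVALID_RE = re.compile(r"Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
OPENED_RE = re.compile(r"session opened for user (\S+) by")

def extract_strings(data: bytes, min_len: int = 4):
    """Mimic `strings`: yield runs of printable ASCII at least min_len bytes long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def triage(data: bytes):
    """Summarise failed SSH logins and opened sessions found in the image."""
    attempted_names = Counter()   # usernames tried that do not exist
    attempts_by_ip = Counter()    # where the attempts came from
    opened_users = set()          # accounts that actually got a session
    for s in extract_strings(data):
        m = INVALID_RE.search(s)
        if m:
            attempted_names[m.group(1)] += 1
            attempts_by_ip[m.group(2)] += 1
            continue
        m = OPENED_RE.search(s)
        if m:
            opened_users.add(m.group(1))
    return {
        "attempted_names": dict(attempted_names),
        "attempts_by_ip": dict(attempts_by_ip),
        "opened_users": sorted(opened_users),
    }

if __name__ == "__main__":
    # Point this at a real swap image by replacing SAMPLE_SWAP with open(path, "rb").read()
    for key, value in triage(SAMPLE_SWAP).items():
        print(key, value)
```

The "invalid user ... [preauth]" lines are deliberately skipped so each failed attempt is counted once; a real image will also contain unrelated strings, which both regexes ignore.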