Posted: . At: 12:14 PM. This was 3 years ago. Post ID: 14782
Find information in a swapfile image with Linux.


The strings utility prints every run of printable characters it finds in a binary file (by default runs of four or more characters), which makes it very useful for pulling readable text out of data that is not a text file. I am using a swapfile image as an example. Anything that was in memory can be paged out to swap, so piping the output through grep makes it easy to recover fragments of logs, paths and configuration that reveal how the machine was used.

Below is an example; I am looking for instances of the word “user”.

┌─[][jason@jason-desktop][~/Downloads]
└──╼ $strings swap.0 | grep "user"
 user-download
 user-mail
 user-manpages
 user-tmp
 user-write
MESSAGE=input_userauth_request: invalid user monitor [preauth]
MESSAGE=Invalid user adminuser from 223.223.176.184
MESSAGE=input_userauth_request: invalid user adminuser [preauth]
MESSAGE=Invalid user webadm from 18.220.232.208
MESSAGE=input_userauth_request: invalid user webadm [preauth]
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=Invalid user terry from 106.13.233.32
MESSAGE=pam_unix(cron:session): session closed for user root
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=input_userauth_request: invalid user terry [preauth]
MESSAGE=Invalid user flow from 190.52.191.49
MESSAGE=input_userauth_request: invalid user flow [preauth]
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=Invalid user admin1 from 122.51.155.140
MESSAGE=input_userauth_request: invalid user admin1 [preauth]
MESSAGE=Invalid user  from 65.49.20.67
MESSAGE=input_userauth_request: invalid user  [preauth]
MESSAGE=Invalid user dev from 161.35.126.137
MESSAGE=input_userauth_request: invalid user dev [preauth]
MESSAGE=Invalid user webadmin from 161.35.126.137
MESSAGE=input_userauth_request: invalid user webadmin [preauth]
MESSAGE=Invalid user sysadmin from 197.211.219.98
MESSAGE=input_userauth_request: invalid user sysadmin [preauth]
MESSAGE=Invalid user csp from 157.245.100.56

This shows a steady stream of failed SSH logins from many different addresses. An “Invalid user” line is logged by sshd when the account name does not exist on the host at all, so these are scanners guessing common names (admin, dev, sysadmin, webadmin), not real users mistyping a password; the line with an empty name is a client that offered no username. The MESSAGE= prefix on most records shows that they are systemd journal entries that were paged out to swap.

The next search shows what the bitnami account was doing on the server. The cron records give away the jobs scheduled on the host and the paths of the applications behind them: a Laravel application under /home/bitnami/APIX (artisan schedule:run), the Bitnami stats agent, the AWS CloudWatch monitoring script mon-put-instance-data.pl, and a phpMyAdmin install under /opt/bitnami/apps.

┌─[][jason@jason-desktop][~/Downloads]
└──╼ $strings swap.0  | grep "bitnami"
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=(root) CMD (/opt/bitnami/php/bin/php /home/bitnami/APIX/artisan schedule:run >> /dev/null 2>&1)
MESSAGE=pam_unix(cron:session): session closed for user bitnami
MESSAGE=(bitnami) CMD (cd /opt/bitnami/stats && ./agent.bin --run -D)
MESSAGE=(root) CMD (/home/bitnami/aws-scripts-mon/mon-put-instance-data.pl --mem-util --disk-path=/ --disk-space-util --from-cron)
MESSAGE=(root) CMD (/opt/bitnami/php/bin/php /home/bitnami/APIX/artisan schedule:run >> /dev/null 2>&1)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
_CMDLINE=/bin/sh -c /home/bitnami/aws-scripts-mon/mon-put-instance-data.pl --mem-util --disk-path=/ --disk-space-util --from-cron
bitnami
/opt/bitnami/apps/phpmyadmin/htdocs/
/opt/bitnami/apps/phpmyadmin/htdocs

So this is a very useful utility for recovering text from a binary file, and a swap image is a particularly rich source because it can contain pages from any process that ran on the machine.

This is a very good way to find usernames on a Linux machine if you have the swapfile: unlike the “Invalid user” names above, an account in a “session opened for user …” record really exists, because PAM only opens a session for a valid account. This tells me that there is a user named “ubuntu” (which logged in over SSH) and a user named “bitnami” (used by the cron jobs), besides root. The one CRON line that kept its syslog prefix also leaks the hostname, ip-10-200-0-148, which matches the AWS monitoring scripts seen earlier.

┌─[][jason@jason-desktop][~/Downloads]
└──╼ $strings swap.0 | grep "session opened"
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
 2 01:08:47 sshd[7520]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
ip-10-200-0-148 CRON[9321]: pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user root by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)
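The three searches above, folded into a small shell script as an added example (this is not code from the original post). It builds its own stand-in for swap.0 from a few journal-style records, using documentation address ranges and made-up names, and the function names (extract_strings, invalid_user_sources, invalid_user_names, session_accounts, cron_commands) are my own; where strings is not installed it falls back to an equivalent built from tr and grep. It goes a step beyond the post's greps by counting failed logins per source address and by separating the names that were merely guessed from the accounts that actually opened a session.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's `strings | grep`
# searches turned into triage functions that run over a swap image. The sample
# image is constructed here (documentation IP ranges, made-up names); it is
# not data from the post.
LC_ALL=C
export LC_ALL

# Build a small stand-in for a swap image: printable records separated by NUL
# bytes and other non-printable junk, which is roughly what strings(1) sees.
SAMPLE_IMG="$(mktemp)"
trap 'rm -f "$SAMPLE_IMG"' EXIT
{
  printf 'MESSAGE=Invalid user adminuser from 203.0.113.5\000\000\000\000junk\001\002\000'
  printf 'MESSAGE=input_userauth_request: invalid user adminuser [preauth]\000\000'
  printf 'MESSAGE=Invalid user dev from 198.51.100.7\000abc\000'
  printf 'MESSAGE=Invalid user webadmin from 198.51.100.7\000'
  printf 'MESSAGE=Invalid user  from 192.0.2.9\000'
  printf 'MESSAGE=pam_unix(cron:session): session opened for user bitnami by (uid=0)\000'
  printf 'sshd[7520]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)\000'
  printf 'MESSAGE=(root) CMD (/opt/bitnami/php/bin/php /home/bitnami/APIX/artisan schedule:run >> /dev/null 2>&1)\000'
} > "$SAMPLE_IMG"

# strings(1) with its default minimum run length of 4; where binutils is not
# installed, the same thing built from tr and grep (every non-printable byte
# becomes a line break, runs shorter than 4 characters are dropped).
extract_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings -n 4 "$1"
  else
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
  fi
}

# Failed SSH logins. sshd logs "Invalid user NAME from IP" when NAME does not
# exist on the host, so these are guesses by scanners, not typos by real
# users. Prints "count ip", busiest source first, ties ordered by address.
invalid_user_sources() {
  extract_strings "$1" \
    | grep -oE 'Invalid user [^ ]* from [0-9]+(\.[0-9]+){3}' \
    | awk '{ print $NF }' | sort | uniq -c \
    | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# The account names the scanners tried, one per line. An empty name is a real
# case (a client that offered no username, as in the post's output) and is
# reported as <empty> rather than silently dropped.
invalid_user_names() {
  extract_strings "$1" \
    | grep -oE 'Invalid user [^ ]* from' \
    | awk '{ name = $3; if (name == "from") name = "<empty>"; print name }' \
    | sort -u
}

# Accounts that really exist: a "session opened for user X" record from
# pam_unix means X logged in or ran a job. Prints "account service", where the
# service is the PAM stack that opened the session (cron, sshd, ...).
session_accounts() {
  extract_strings "$1" \
    | grep -oE 'pam_unix\([a-z]+:session\): session opened for user [^ ]+' \
    | awk '{ split($1, f, "[(:]"); print $NF, f[2] }' | sort -u
}

# Commands cron ran and the account they ran as; these "(user) CMD (...)"
# records leak application paths and the host's scheduled jobs.
cron_commands() {
  extract_strings "$1" | grep -oE '\([a-z]+\) CMD \(.*\)' | sort -u
}

# Stand-alone run: the same triage the post does by hand, on the sample image.
# Point the functions at a real image instead of "$SAMPLE_IMG" to use them.
for section in invalid_user_sources invalid_user_names session_accounts cron_commands; do
  echo "== $section =="
  "$section" "$SAMPLE_IMG"
done
```

The LC_ALL=C setting matters on a real image: it keeps tr, grep and sort working byte-wise so that the high-bit garbage in a swap dump cannot trip a UTF-8 locale, and it makes the sort order reproducible between runs.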

So this is very useful if you can get hold of one file from a system, assuming it uses a swap file rather than a swap partition. A partition is no real obstacle, though: anyone with root can image it with dd (for example dd if=/dev/sdX2 of=swap.img, ideally after swapoff so the copy is consistent) and take the image away for later scanning. The same applies to a defender doing forensics: copy or image the swap before the machine is rebooted, record its hash, and check what you have with file, which recognises a Linux swap area. Two caveats: swap holds whatever pages the kernel happened to evict, in no particular order, so the strings are fragmentary and may be cut at page boundaries; and if the host uses encrypted swap (dm-crypt with a random key, which most distributions offer), the image will yield nothing readable. That is also the lesson from the other side: passwords, keys and session tokens that sit in process memory can end up on disk in swap, which is the reason to encrypt swap or disable it on sensitive hosts.

