MimiPenguin: Extracting Login Passwords from Linux Desktop Memory
Hook
A vulnerability in Gnome Keyring was assigned CVE-2018-20781 in 2018. The README notes it remained unfixed as of Gnome Keyring version 3.28.0.2-1ubuntu1.18.04.1, allowing anyone with root access to extract login passwords from memory.
Context
Linux desktop environments like GDM, Gnome Keyring, and LightDM store authentication credentials in process memory during normal operation. While these services hash passwords before storing them on disk, they must work with cleartext credentials at authentication time. Those cleartext passwords can remain in memory, where anyone with root privileges can extract them. MimiPenguin automates the process of locating and extracting these credentials from running processes. The tool was adapted from ideas behind the Windows tool Mimikatz; the Gnome Keyring weakness it exploits was assigned CVE-2018-20781.
Technical Insight
MimiPenguin’s approach involves dumping process memory from authentication-related services, scanning for strings that appear to be passwords, and validating candidates using probabilistic analysis. The 2.0 release introduced a C port that aimed to increase speed and portability.
The tool targets multiple credential sources across Linux desktop and server environments. For desktop systems, it focuses on GDM (Gnome Display Manager), Gnome Keyring, and LightDM. For server environments, it can extract credentials from active VSFTPd connections, Apache HTTP Basic Auth sessions, and OpenSSH sessions during sudo usage.
The core technique appears to involve reading process memory through the /proc filesystem. The tool employs validation strategies to identify actual passwords among the many strings found in memory. According to the README, it attempts to calculate each word’s probability by checking hashes in /etc/shadow, checking hashes found in memory, and using regex searches to identify password-like patterns.
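As an added, defender-side example (not code from the MimiPenguin project), the following Python triage script correlates auditd SYSCALL and PATH records and flags any ptrace call or /proc/<pid>/mem open aimed at the daemons the README names as credential holders. It assumes audit rules that tag ptrace and openat events with key=procmem, an x86_64 host (syscall number 101 = ptrace), constructed sample log lines, and a constructed pid-to-comm snapshot standing in for /proc/<pid>/comm.

```python
import re
from collections import defaultdict

# Daemons the MimiPenguin README lists as holding cleartext credentials in memory.
CREDENTIAL_HOLDERS = {"gdm", "gnome-keyring-daemon", "lightdm", "vsftpd", "apache2", "sshd"}
PID_NAMES = {1234: "gnome-keyring-daemon", 4321: "sshd", 777: "firefox"}  # constructed /proc/<pid>/comm snapshot
SYS_PTRACE = "101"  # x86_64 syscall number as auditd prints it

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_MEM = re.compile(r"^/proc/(\d+)/mem$")

def parse(lines):
    """Group audit records by event serial: {serial: [{field: value}, ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return events

def target_pid(recs):
    """Pid whose memory the event touches: ptrace's a1, or the /proc/<pid>/mem PATH record."""
    for r in recs:
        if r.get("syscall") == SYS_PTRACE and "a1" in r:
            return int(r["a1"], 16)
        m = PROC_MEM.match(r.get("name", ""))
        if m:
            return int(m.group(1))
    return None

def find_memory_reads(lines, pid_names=PID_NAMES):
    """Return (reader exe, victim comm, victim pid) for every read of a credential holder."""
    hits = []
    for recs in parse(lines).values():
        pid = target_pid(recs)
        victim = pid_names.get(pid)
        if victim in CREDENTIAL_HOLDERS:
            reader = next(r for r in recs if r.get("type") == "SYSCALL")
            hits.append((reader.get("exe"), victim, pid))
    return hits

SAMPLE_LOG = [  # constructed lines, not real audit output
    'type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=3 uid=0 comm="gcore" exe="/usr/bin/gcore" key="procmem"',
    'type=PATH msg=audit(1700000000.100:501): item=0 name="/proc/1234/mem" mode=0100600',
    'type=SYSCALL msg=audit(1700000000.200:502): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=10e1 uid=0 comm="python3" exe="/usr/bin/python3" key="procmem"',
    'type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=yes exit=3 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="procmem"',
    'type=PATH msg=audit(1700000000.300:503): item=0 name="/proc/777/mem" mode=0100600',
]
```

On the sample, the gcore dump of the keyring daemon and the ptrace attach to sshd are reported, while gdb attached to a browser is not; a gcore hit against a credential holder is the README's own collection path and is worth alerting on even when the uid is root.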
The Gnome Keyring vulnerability (CVE-2018-20781) stems from how the keyring handles credentials. The README notes this issue persisted as of version 3.28.0.2-1ubuntu1.18.04.1 with a note that “it’s still not fixed after GNOME Keyring 3.27.2.”
The project supports multiple language implementations with different tradeoffs. The original shell script version exists alongside Python and C versions. The feature support matrix in the README shows varying levels of support across the shell (.sh) and Python (.py) implementations: features marked with “~” have known bugs, while features marked with “X” are fully supported. The Python version shows full support (X) for GDM password extraction and Gnome Keyring, while the shell version has known bugs (~) for these features.
One architectural limitation affects the C build: the README explicitly warns that “the 32bit variant of mimipenguin (C build) may fail in a 64bit userspace as it currently does not adequately handle searching a 64bit address space.” This means the binary architecture must match the target system’s userspace architecture for reliable operation.
Gotcha
MimiPenguin requires root permissions to read process memory via /proc, which limits its threat model to scenarios where root access has already been achieved. This positions it as a credential harvesting tool for use after initial compromise, rather than a privilege escalation tool.
The reliability issues are significant and openly acknowledged. The README states “Password moves in memory - still honing in on 100% effectiveness.” The development roadmap mentions known issues including “sometimes gcore hangs the script” (noted as “a problem with gcore” itself). The feature matrix marks several capabilities with “~” to denote known bugs, including Apache2 and OpenSSH support in both shell and Python versions.
The 32-bit/64-bit incompatibility in the C build means you need to match your build architecture to the target system’s userspace. The README provides build options for different deployment scenarios: make for a standard release build, make debug for a debug build, and make static for a statically linked binary.
Verdict
Use MimiPenguin if you’re conducting penetration testing or security research on Linux desktop environments and have already achieved root access. It appears particularly suited for extracting credentials from Gnome-based desktop systems. The C version offers speed and portability (especially with static builds), while the Python version shows fuller feature support for GDM and Gnome Keyring extraction according to the feature matrix. Skip if you don’t have root access: it requires root permissions to function. Skip if you’re targeting server-only environments without the supported desktop managers (GDM, LightDM, Gnome Keyring), though it does support some server services like VSFTPd, Apache, and OpenSSH. Skip if you need guaranteed extraction success: the README acknowledges the tool is still being refined for 100% effectiveness as passwords move in memory. The known issues with gcore hanging and bugs in certain features (marked with “~” in the matrix) mean successful credential recovery should be treated as probable rather than certain.