In this post we will look at enumerating low-hanging credential files. Assume that you have already compromised the target machine and are now searching for stored credentials that can be used to escalate privileges.
dir /b /a /s c:\ > cdir.txt
What does this do? It recursively lists every file on C: (/s), including hidden and system files (/a), in bare format with one path per line (/b), and saves the listing to cdir.txt.
Instead of going through the whole listing by hand, we search it for the substring passw, which matches password, passwd, passwords and similar names in every path of the listing:
type cdir.txt | findstr /i passw
Here we find something right away, but of course this lab was set up that way. In real engagements you will still sometimes find low-hanging fruit, rarely this obvious, but an Excel spreadsheet or other document that an administrator saved to a desktop by mistake. Other file names and extensions worth searching the listing for:

install, backup, .bak, .log, .bat, .cmd, .vbs, .cnf, .conf, .config, .ini, .xml, .txt, .gpg, .pgp, .p12, .der, .csr, .cer, id_rsa, id_dsa, .ovpn, .rdp, vnc, ftp, ssh, vpn, git, .kdbx, .db
unattend.xml
Unattended.xml
sysprep.inf
sysprep.xml
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
rem search the listing for a file name
type cdir.txt | findstr /i vnc
rem search for the string inside that particular file
type c:\Users\IEUser\Downloads\ultravnc.ini | findstr /i passw
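The two-step search above (dump the listing, then grep it for indicators) is also what a defender runs when auditing a host for plaintext credential files before an attacker does. The following is an added example, not code from the original post: it triages a `dir /b /a /s` listing against exactly the indicator list given above, separating high-signal hits (known file names, cloud credential caches, telling name fragments) from extension-only matches, since .txt, .log and .xml alone would flag most of a disk. The sample listing is constructed for the demo; only the indicator names come from the page.

```python
"""Triage a `dir /b /a /s` listing for credential-bearing file names.

Added example, not code from the original post. The indicator list is the
one given on the page; the sample listing below is constructed for the demo.
"""
from typing import Dict, Iterable, List, Tuple

# Fragments matched against the file name only; "passw" is the first search the post runs.
NAME_FRAGMENTS = ["passw", "install", "backup", "id_rsa", "id_dsa",
                  "vnc", "ftp", "ssh", "vpn", "git"]
# Exact file names from the page (unattend/sysprep answer files, web.config, ...).
KNOWN_FILES = {"unattend.xml", "unattended.xml", "sysprep.inf", "sysprep.xml",
               "variables.dat", "setupinfo", "setupinfo.bak", "web.config", "sitelist.xml"}
# Cloud CLI credential caches, matched against the full (lower-cased) path.
PATH_FRAGMENTS = [r".aws\credentials", r".azure\accesstokens.json", r".azure\azureprofile.json",
                  r"gcloud\credentials.db", r"gcloud\legacy_credentials", r"gcloud\access_tokens.db"]
# Extensions alone are weak evidence, so they go into a separate "broad" bucket.
EXTENSIONS = [".bak", ".log", ".bat", ".cmd", ".vbs", ".cnf", ".conf", ".config", ".ini",
              ".xml", ".txt", ".gpg", ".pgp", ".p12", ".der", ".csr", ".cer", ".ovpn",
              ".rdp", ".kdbx", ".db"]


def classify(path: str) -> List[str]:
    """Return the indicator labels one path matches, strongest kind first."""
    p = path.strip().lower()
    base = p.rsplit("\\", 1)[-1]
    hits = []
    if base in KNOWN_FILES:
        hits.append("known-file:" + base)
    hits += ["path:" + frag for frag in PATH_FRAGMENTS if frag in p]
    hits += ["name:" + frag for frag in NAME_FRAGMENTS if frag in base]
    hits += ["ext:" + ext for ext in EXTENSIONS if base.endswith(ext)]
    return hits


def scan(lines: Iterable[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a listing into high-signal paths (with their labels) and
    extension-only paths that only deserve a second look."""
    high, broad = {}, []
    for line in lines:
        if not line.strip():
            continue
        hits = classify(line)
        if any(not h.startswith("ext:") for h in hits):
            high[line.strip()] = hits
        elif hits:
            broad.append(line.strip())
    return high, broad


# Constructed sample listing in the shape `dir /b /a /s c:\` produces.
SAMPLE_LISTING = [
    r"c:\Windows\System32\drivers\etc\hosts",
    r"c:\Users\IEUser\Downloads\ultravnc.ini",
    r"c:\Users\IEUser\Desktop\passwords.xlsx",
    r"c:\Users\IEUser\.aws\credentials",
    r"c:\Windows\Panther\unattend.xml",
    r"c:\inetpub\wwwroot\web.config",
    r"c:\Program Files\App\readme.txt",
    r"c:\Users\IEUser\.ssh\id_rsa",
]

if __name__ == "__main__":
    # For a real listing: scan(open("cdir.txt", encoding="cp437", errors="replace"))
    # (cmd redirects in the console OEM code page; 437 is the US default).
    high, broad = scan(SAMPLE_LISTING)
    for path, hits in high.items():
        print(f"REVIEW  {path}  <- {', '.join(hits)}")
    for path in broad:
        print(f"broad   {path}")
```

Name fragments are matched against the file name rather than the whole path on purpose: matching "install" or "git" against full paths would flag everything under Installer or Git directories, which is the noise the extension bucket is meant to keep out of the review list.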
The Windows registry is a database of information, settings, options and other values for software and hardware. Applications also store session data there, sometimes including saved passwords, and even SSH keys if the system is using SSH.
HKLM (HKEY_LOCAL_MACHINE): contains computer-specific information about the installed hardware, software settings and other information. This information applies to all users who log on to that computer. This key and its subkeys are among the most frequently viewed and edited areas of the registry.
HKCU (HKEY_CURRENT_USER): contains the profile and settings of the user who is currently logged in to Windows.
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

This queries the registry key where PuTTY keeps its saved sessions, to check whether any of them has stored credentials worth enumerating further (add /s to recurse into each session's values). As we can see, we have found credentials in the locally saved PuTTY session.
We can also search the registry for a specific string, just as we did above with the file listing:
reg query HKLM /f password /t REG_SZ /s
rem WinVNC server
reg query "HKCU\Software\ORL\WinVNC3\Password"
rem TightVNC server
reg query "HKCU\Software\TightVNC\Server"
rem PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
rem OpenSSH agent keys, if the system is using ssh
reg query "HKCU\Software\OpenSSH\Agent\Keys"
rem search the whole hive for a specific string
reg query HKLM /f password /t REG_SZ /s
The search string can be anything we want to look for, for example:

reg query HKLM /f credentials /t REG_SZ /s
What is Credential Manager?
Credential Manager lets you view and delete your saved credentials for signing in to websites, connected applications, and networks. To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.
But the UI only gives you the option to change a saved password; you cannot view it.
Web Credentials shows passwords saved by Internet Explorer/Microsoft Edge.
Windows Credentials shows the credentials stored for your local system.
During a pentest you will not always have a GUI/RDP session on the target machine, so we have to use the command line to list and use the credentials stored in Credential Manager:
rem list all stored credentials (targets and user names)
cmdkey /list
rem start cmd.exe as the user admin with the saved credential
runas /savecred /user:admin cmd.exe
From the command line we can only use the credentials stored in Credential Manager, not view them. But their passwords can be extracted with a PowerShell script, which we use below:
powershell -ep bypass
. .\cms.ps1
Enum-Creds
Or as a one-liner:

powershell import-module C:\unknown\LPE\cms.ps1 ; Enum-Creds
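Every step of this walkthrough, from the recursive dir listing and findstr through the reg query calls and the cmdkey/runas use of Credential Manager, leaves a process-creation record on the host, which is how a blue team spots credential hunting after a compromise. The following is an added example, not code from the original post or from the cms.ps1 script: it runs detection rules for exactly the commands shown on this page over constructed events in a simple `ts|host|user|image|cmdline` shape that stands in for the CommandLine field of Sysmon Event ID 1 or Security Event 4688, and escalates only when several distinct rules fire for the same host and user, since a single cmdkey /list or reg query is routine admin activity.

```python
"""Flag credential-hunting command lines in process-creation events.

Added example, not from the original post. The event lines are constructed
for the demo; the rules cover the commands shown on the page.
"""
import re
from typing import Dict, Iterable, List, Tuple

RULES = [
    ("recursive-file-listing", re.compile(r"\bdir\s+/b\s+/a\s+/s\s+[a-z]:\\", re.I)),
    ("findstr-for-password", re.compile(r"\bfindstr(\.exe)?\s+/i\s+passw", re.I)),
    ("reg-query-password-string", re.compile(r'\breg(\.exe)?\s+query\b.*\s/f\s+"?(passw|cred)', re.I)),
    ("reg-query-credential-key", re.compile(
        r"\breg(\.exe)?\s+query\b.*(SimonTatham\\PuTTY\\Sessions|ORL\\WinVNC3"
        r"|TightVNC\\Server|OpenSSH\\Agent\\Keys)", re.I)),
    ("cmdkey-list", re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I)),
    ("runas-savecred", re.compile(r"\brunas(\.exe)?\b.*\s/savecred\b", re.I)),
]


def parse(line: str) -> Dict[str, str]:
    """Split one constructed `ts|host|user|image|cmdline` event line."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, matching rule)."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                alerts.append({**ev, "rule": name})
    return alerts


def escalate(alerts: List[Dict[str, str]], threshold: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group alerts by (host, user) and keep actors that tripped >= threshold distinct rules."""
    by_actor: Dict[Tuple[str, str], set] = {}
    for a in alerts:
        by_actor.setdefault((a["host"], a["user"]), set()).add(a["rule"])
    return {k: sorted(v) for k, v in by_actor.items() if len(v) >= threshold}


# Constructed sample events: one full hunting sequence on WS01, benign noise on WS02.
SAMPLE_EVENTS = [
    r"2024-05-01T09:00:01Z|WS01|IEUser|C:\Windows\System32\cmd.exe|cmd.exe /c dir /b /a /s c:\ > cdir.txt",
    r"2024-05-01T09:00:02Z|WS01|IEUser|C:\Windows\System32\findstr.exe|findstr /i passw",
    r"2024-05-01T09:00:03Z|WS01|IEUser|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s",
    r'2024-05-01T09:00:04Z|WS01|IEUser|C:\Windows\System32\reg.exe|reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"',
    r"2024-05-01T09:00:05Z|WS01|IEUser|C:\Windows\System32\cmdkey.exe|cmdkey /list",
    r"2024-05-01T09:00:06Z|WS01|IEUser|C:\Windows\System32\runas.exe|runas /savecred /user:admin cmd.exe",
    r"2024-05-01T09:10:00Z|WS02|svc_backup|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir",
    r"2024-05-01T09:15:00Z|WS02|admin|C:\Windows\System32\cmdkey.exe|cmdkey /list",
]

if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['ts']} {a['host']}\\{a['user']}: {a['rule']}  <- {a['cmdline']}")
    for (host, user), rules in escalate(alerts).items():
        print(f"ESCALATE {host}\\{user}: {len(rules)} distinct techniques: {', '.join(rules)}")
```

In production the same rules would read the real CommandLine field and the grouping would be bounded by a time window; the point of the two-stage design is that the individual commands are legitimate tools, so the signal is an actor chaining several of them, not any one event.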