Credential Access
Credential Access is where we may find credentials on compromised systems and gain access to user credentials. It lets us reuse them or impersonate the identity of a user. Obtaining legitimate user credentials is preferred over exploiting systems with CVEs.
Clear-Text Files
We can search a compromised machine for credentials in local or remote file systems. Clear-text files may include sensitive information created by a user, such as passwords, private keys, etc. Common places to look:
- Command history
- Configuration files (web apps, FTP clients, etc.)
- Other files related to Windows applications (internet browsers, email clients, etc.)
- Backup files
- Shared files and folders
- Registry
- Source code
:: Look for the [password] keyword in the Windows Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
:: PowerShell history location (first line is cmd.exe syntax, second is the PowerShell equivalent)
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
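From the defender's side, every command in this section leaves a process-creation event behind. The following added example (not part of the original page) runs simple detection rules over constructed process-creation log lines in a flattened key=value form; the field names, the sample events and the rule names are assumptions, and the patterns are taken from the commands shown on this page (registry keyword search, PowerShell history read, web.config connection-string search, unattended-install answer files).

```python
import re

# Constructed sample: Windows Security 4688-style process-creation events flattened to
# one key=value line each. These are made-up log lines, not real telemetry.
SAMPLE_EVENTS = [
    'ts=2024-05-02T10:14:03Z host=WS01 user=CORP\\jdoe EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\reg.exe '
    'CommandLine="reg query HKLM /f password /t REG_SZ /s"',
    'ts=2024-05-02T10:14:09Z host=WS01 user=CORP\\jdoe EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd /c type C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows'
    '\\PowerShell\\PSReadline\\ConsoleHost_history.txt"',
    'ts=2024-05-02T10:15:41Z host=WS01 user=CORP\\jdoe EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\findstr.exe '
    'CommandLine="findstr connectionString C:\\inetpub\\wwwroot\\web.config"',
    'ts=2024-05-02T10:16:02Z host=WS01 user=CORP\\jdoe EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\reg.exe '
    'CommandLine="reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion /v ProductName"',
    'ts=2024-05-02T10:16:30Z host=WS01 user=CORP\\svc_backup EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd /c type C:\\Windows\\Panther\\Unattend.xml"',
    'ts=2024-05-02T10:17:12Z host=WS01 user=CORP\\svc_backup EventID=4688 '
    'NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd /c type C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240502.log"',
]

# Detection rules (names are our own): each matches the command line of one technique above.
RULES = [
    ("registry keyword search for passwords",
     re.compile(r"\breg(?:\.exe)?\s+query\b.*\s/f\s+\S*pass\S*.*\s/s\b", re.I)),
    ("PowerShell command history read",
     re.compile(r"ConsoleHost_history\.txt", re.I)),
    ("web.config connection-string hunt",
     re.compile(r"(?=.*connectionString)(?=.*web\.config)", re.I)),
    ("unattended-install answer file access",
     re.compile(r"\b(?:unattend\.xml|sysprep\.(?:inf|xml))\b", re.I)),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one flattened event into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect(lines):
    """Return one hit per event whose command line matches a rule (first rule wins)."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append({"line": idx, "host": ev.get("host"),
                             "user": ev.get("user"), "rule": name})
                break
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"line {hit['line']}: {hit['user']}@{hit['host']} -> {hit['rule']}")
```

Administrators do run some of these commands legitimately, so the hits are triage leads rather than verdicts: baseline which accounts and hosts normally execute them, and alert on the rest, especially when several rules fire from one session in a short window as in the sample.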
Unattended Windows Installations
When installing Windows on a large number of hosts, administrators may use Windows Deployment Services (unattended installations). Credentials can be left behind in these locations:
:: Locations
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
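The answer file stores a local account or auto-logon password inside a Password-style element whose PlainText child says whether the Value is clear text or only Base64-encoded. The following added audit script (ours, not part of the page or of any Microsoft tooling) parses such a file and reports each stored credential without printing the secret, so an administrator can confirm that leftover answer files were cleaned up after deployment. The sample XML is constructed, the finding format is our own, and treating a missing PlainText element as the encoded form is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# XML answer-file locations listed on the page (sysprep.inf is an INI file, not XML,
# and is left out here). audit_paths() only reads the ones that exist.
UNATTEND_LOCATIONS = [
    r"C:\Unattend.xml",
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\system32\sysprep\sysprep.xml",
]

# Constructed sample answer file: one Base64-encoded auto-logon password and one
# clear-text administrator password. Both values are made up.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>U2FtcGxlUGFzc3dvcmQ=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>ExamplePlainText123</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare element names both match."""
    return tag.rsplit("}", 1)[-1]


def audit_unattend(xml_text):
    """Return one finding per *Password element that carries a non-empty Value."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for parent in root.iter():
        for child in parent:
            if not _local(child.tag).endswith("Password"):
                continue
            value, plain = "", None
            for grand in child:
                if _local(grand.tag) == "Value":
                    value = (grand.text or "").strip()
                elif _local(grand.tag) == "PlainText":
                    plain = (grand.text or "").strip().lower() == "true"
            if not value:
                continue
            # A Username/Name sibling (AutoLogon, LocalAccount) tells us whose secret it is.
            user = None
            for sib in parent:
                if _local(sib.tag) in ("Username", "Name"):
                    user = (sib.text or "").strip()
            findings.append({
                "element": _local(child.tag),
                "context": _local(parent.tag),
                "username": user,
                # Assumption: a missing PlainText element is treated as the encoded form.
                "encoding": "clear-text" if plain else "base64 (obfuscated, reversible)",
                "length": len(value),  # never echo the secret itself
            })
    return findings


def audit_paths(paths=UNATTEND_LOCATIONS):
    """Audit every listed file that exists on this host; returns {path: findings}."""
    report = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                report[path] = audit_unattend(fh.read())
    return report


if __name__ == "__main__":
    for f in audit_unattend(SAMPLE_UNATTEND):
        print(f"{f['context']}/{f['element']} user={f['username']} {f['encoding']} "
              f"({f['length']} chars)")
    for path, found in audit_paths().items():
        print(path, "->", len(found), "stored credential(s)")
```

Any finding is a cleanup item: the Base64 form is an encoding, not encryption, so both rows in the sample deserve the same response, namely deleting the answer file from the deployed image and rotating the account password it contained.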
IIS Configuration
Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config, which can store passwords for databases or configured authentication mechanisms.
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
:: Find database connection strings in the file
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
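The findstr above shows what an attacker reads; the defender's counterpart is to find connection strings that still carry a clear-text password and fix them before anyone else does. The following added example (our own code, not from the page) parses a web.config, skips a connectionStrings section that has already been encrypted with aspnet_regiis (recognisable by its configProtectionProvider attribute) and flags each remaining connection string with a Password= or Pwd= value, reporting only the password length. Both sample documents are constructed, and the finding format is ours.

```python
import os
import re
import xml.etree.ElementTree as ET

# web.config locations listed on the page; audit_files() reads the ones that exist.
WEB_CONFIG_LOCATIONS = [
    r"C:\inetpub\wwwroot\web.config",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config",
]

# Constructed sample: one SQL login with a clear-text password, one using Windows auth.
SAMPLE_PLAIN = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=db01;Database=app;User Id=app_svc;Password=ExampleP@ss;" />
    <add name="ReportsDb" providerName="System.Data.SqlClient"
         connectionString="Server=db02;Database=reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

# Constructed sample of the same section after encryption with aspnet_regiis -pe;
# the CipherValue is a placeholder, not real ciphertext.
SAMPLE_PROTECTED = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>CONSTRUCTED_PLACEHOLDER_CIPHERTEXT</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

# Matches Password=... or Pwd=... up to the next ';' (ADO.NET connection-string syntax).
SECRET_RE = re.compile(r"\b(?:password|pwd)\s*=\s*([^;]+)", re.I)


def audit_web_config(xml_text):
    """Return one finding per unencrypted connection string that embeds a password."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for section in root.iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue  # section is encrypted; nothing readable here
        for add in section.iter("add"):
            match = SECRET_RE.search(add.get("connectionString", ""))
            if match:
                findings.append({
                    "name": add.get("name"),
                    "issue": "clear-text password in connection string",
                    "password_length": len(match.group(1).strip()),
                    "remediation": "use Integrated Security, or encrypt the section "
                                   "with aspnet_regiis -pe connectionStrings",
                })
    return findings


def audit_files(paths=WEB_CONFIG_LOCATIONS):
    """Audit each listed web.config that exists on this host; returns {path: findings}."""
    report = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                report[path] = audit_web_config(fh.read())
    return report


if __name__ == "__main__":
    for f in audit_web_config(SAMPLE_PLAIN):
        print(f"{f['name']}: {f['issue']} ({f['password_length']} chars) -> {f['remediation']}")
    print("protected sample findings:", audit_web_config(SAMPLE_PROTECTED))
    for path, found in audit_files().items():
        print(path, "->", len(found), "finding(s)")
```

The script reads files only from disk, so it can also be pointed at backup copies or an image taken during an investigation; the framework-level web.config from the page is worth including because settings inherited from it reach every site on the host.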
Retrieve Credentials [PuTTY]
PuTTY is an SSH client commonly found on Windows systems. PuTTY won't let users store their SSH password, but it will store proxy configurations that include clear-text authentication credentials.
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s