Hack$Notes
  • Hack$Notes
  • Enumeration
    • NMAP Scanning
    • Hping3 Scanning
      • IDLE SCAN
    • DNS Enum
    • SMB Enum
    • SMTP Enum
    • POP3
    • SNMP Enum
    • LDAP Enum
    • HTTP Enum
      • CheckList
    • FTP Enum
    • SSH Enum
    • MySQL Enum
    • Oracle Enum
    • NFS Enum
    • Internet Relay Chat (IRC)
    • Telnet
    • Kerberos
    • Finger
    • Ports Open/Close
    • ident
    • Postgresl
  • Transferring Files
  • Metasploit Framework
    • Msfvenom tutorial
    • Msfvenom Payloads
  • Reverse Shells
  • Buffer Overflow
    • B.O Steps
    • SLmail B.O
  • Spawning a Shell
  • Password Attacks
    • Passing the Hash
    • SAM/SYSTEM
    • Passwords
    • Hydra
    • Medusa
    • Ncrack
    • Unshadow
    • Hashcat
    • John The Ripper
    • fcrackzip
  • Privilege Escalation
    • Windows
      • Kernel Exploits
      • Stored Credentials
      • Unquoted Service Path
      • Always Install Elevated
      • Weak Permissions
      • Schedule Tasks
      • AutoRun Executables
      • Startup Apps
      • Passwords
      • Win PrivEsc Tools
    • Linux
      • Kernel Exploits
      • Service Exploits
      • PATH Variable
      • SUID/GUID files
      • CronJobs
      • Sudo
      • Custom Executable
      • Linux PrivEsc Tools
  • Port Forwarding
  • Tools / Techniques
    • General Check List
    • Misc. Commands
    • Steganography
    • Evasion Techniques
    • SQL Injection Payloads
    • LFI / RFI
    • Recover contents
    • JAR Files
    • Strace/Ltrace
    • Port Knocking
    • Screenshots in Kali
    • Curl
  • Resources
    • Books
    • Links
Powered by GitBook
On this page
  • Commands
  • Registry
  • SNMP
  • Putty
  • RealVNC
  • PowerSploit

Was this helpful?

  1. Privilege Escalation
  2. Windows

Stored Credentials

Looking for passwords.

Commands

C:\unattend.xml
C:\sysprep.inf
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

IIS
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

C:\> dir /b /s unattend.xml
C:\> dir /b /s web.config
C:\> dir /b /s sysprep.inf
C:\> dir /b /s sysprep.xml
C:\> dir /b /s *pass*
C:\> dir /b /s vnc.ini

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt

dir /a-r-d /s /b

Registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

SNMP

reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

Putty

reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"

RealVNC

reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

PowerSploit

Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-CachedGPPPassword
Get-RegistryAutoLogon
PreviousKernel ExploitsNextUnquoted Service Path

Last updated 1 year ago

Was this helpful?