search
LinkedInGithub
githubEdit

credential-hunting

hashtag
Credential Hunting Commands

hashtag
Search for "password" in common configuration file types

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

hashtag
Search for "password" in Chrome's Custom Dictionary

gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

hashtag
Get PowerShell history file path

(Get-PSReadLineOption).HistorySavePath

hashtag
Read PowerShell command history

gc (Get-PSReadLineOption).HistorySavePath

hashtag
Extract PowerShell history from all user profiles

foreach($user in (Get-ChildItem C:\users).FullName){
    Get-Content "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue
}

hashtag
Credential Extraction from XML

hashtag
Import credentials from an XML file

hashtag
Extract username from the credential object

hashtag
Extract password from the credential object

hashtag
Key Concepts:

  • Credential Discovery: - Locating stored passwords and other sensitive information. - Can lead to local or domain privilege escalation.

  • Application Configuration Files: - Plaintext or weakly encrypted credentials in configuration files.

  • Dictionary Files: - User-added words in application dictionaries (e.g., Chrome).

  • Unattended Installation Files: - unattend.xml files with auto-logon or account creation credentials.

  • PowerShell History: - Command history containing credentials.

  • PowerShell Credentials: - Encrypted credentials using DPAPI. Approach, Commands, Tools, and Techniques:

  1. Application Configuration Files: - findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml (Search for keywords). - Manual inspection of web.config files.

  2. Dictionary Files: - gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password (Read Chrome dictionary).

  3. Unattended Installation Files: - Manual inspection of unattend.xml files.

  4. PowerShell History: - (Get-PSReadLineOption).HistorySavePath (Get history file path). - gc (Get-PSReadLineOption).HistorySavePath (Read history file). - foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue} (Read all accessible history files).

  5. PowerShell Credentials: - Import-Clixml -Path 'C:\scripts\pass.xml' (Import credential object). - $credential.GetNetworkCredential().username (Get username). - $credential.GetNetworkCredential().password (Get password). Commands:

  • findstr

  • gc (Get-Content)

  • (Get-PSReadLineOption).HistorySavePath

  • Import-Clixml Tools:

  • PowerShell. Techniques:

  • File searching.

  • PowerShell scripting.

  • DPAPI abuse (if applicable).

PreviousWindows Credential HuntingNextCheck User/computer description fields

Last updated