Windows Password Scouting
Just like Linux, Windows has several locations where users or programs store passwords by default. We can search the system for passwords if we know where these common locations are.
Windows Deployment Files
When organizations deploy a large number of machines across a network, they sometimes use a base image that uses a password saved in the file system to install the required programs. Check these file locations to see if anything is there. You may have to base64 decode the password if it is encoded:
C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\unattend.txt
C:\unattend.xml
C:\autounattend.txt
C:\autounattend.xml
C:\Groups.xmlVMWare Deployments
VMWare deployments sometimes use encoded credentials to deploy systems. There are tools out there to decrypt the encoded credentials as long as the unattend.xml and the hklm:\Software\Wow6432Node\VMware, Inc.\Guest Customization\DeployData registry key are known. I won’t go into too much detail about this one since it’s not very common. Just know it’s possible. Please reach out if you would like to learn more about this particular attack or if you would like a proof of concept.
PST Files (Outlook)
Some companies decide to use PST files because they don’t have a lot of storage space on their Exchange mail servers. PST files hold lots of emails and can contain lots of sensitive information. PST files can be password protected so you can use a tool like PstPassword to recover the password.
Registry Hives
Some parts of the registry contain clear-text credentials for certain programs. Below are a few locations to get you started:
# RealVNCC:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
# Windows auto-loginC:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"# SNMP parametersC:\>reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"# PuTTY proxy credentialsC:\>reg query" HKCU\Software\username\PuTTY\Sessions"# Search the registry:C:\>reg query HKLM /f password /t REG_SZ /sC:\>reg query HKCU /f password /t REG_SZ /s
Searching for “passw”
# Search for keywordsC:\>dir /s *pass* == *cred* == *vnc* == *.config*# Search certain file types for "passw"C:\>findstr /si passw *.xml *.ini *.txt# Search for "passw" accross filesC:\>findstr /I /N /S /P /C:passw C:\*.txtC:\>findstr /I /N /S /P /C:passw C:\*.xmlC:\>findstr /I /N /S /P /C:passw C:\*.iniC:\>findstr /I /N /S /P /C:passw C:\*.logC:\>findstr /I /N /S /P /C:passw C:\*.confC:\>findstr /I /N /S /P /C:passw C:\*.config# PowerShell searchPS>Get-ChildItem c:\ -r -i -f *.* 2>$null | select-string "password"
Users’ Sensitive Info
C:\>findstr /I /N /S /P /C:passw C:\Users\*C:\>findstr /I /N /S /P /C:passw ''C:\Documents and Settings\*''
Browser Password Recovery
Most users will use the “save password” feature in a browser. Passwords are usually stored in a cleartext XML file. Firefox allows users to encrypt their passwords but most people don’t because this is a hassle to decrypt each time they restart their browser. Chrome doesn’t encrypt the passwords, but it “password protects” the password on the machine. There are a few options to recover the passwords.
The first method for browser password recovery is to use a tool like ChromePass. The tool will go through all the passwords stored in Chrome and output them in clear-text.
The next one is more tedious but doesn’t require you to download a new tool to the machine. Let’s say you have access to someone’s browser and they have their Facebook password saved in the browser. If they are logged in simply log out and the password should auto generate in the password field. Right click on the password field and click “Inspect Element”.
Next you will see something like this in the Inspector:
Double-click on the type=”password” attribute and change it so it says type=”text” and hit enter.
You will notice the password is now showed in clear-text in the browser.
