Windows Password Scouting

Just like Linux, Windows has several locations where users or programs store passwords by default. We can search the system for passwords if we know where these common locations are.

Windows Deployment Files

When organizations deploy a large number of machines across a network, they sometimes use a base image that uses a password saved in the file system to install the required programs. Check these file locations to see if anything is there. You may have to base64 decode the password if it is encoded:

C:\sysprep.inf
C:\sysprep\sysprep.xml
C:\unattend.txt
C:\unattend.xml
C:\autounattend.txt
C:\autounattend.xml
C:\Groups.xml

VMWare Deployments

VMWare deployments sometimes use encoded credentials to deploy systems. There are tools out there to decrypt the encoded credentials as long as the unattend.xml and the hklm:\Software\Wow6432Node\VMware, Inc.\Guest Customization\DeployData registry key are known. I won’t go into too much detail about this one since it’s not very common. Just know it’s possible. Please reach out if you would like to learn more about this particular attack or if you would like a proof of concept.

PST Files (Outlook)

Some companies decide to use PST files because they don’t have a lot of storage space on their Exchange mail servers. PST files hold lots of emails and can contain lots of sensitive information. PST files can be password protected so you can use a tool like PstPassword to recover the password.

Registry Hives

Some parts of the registry contain clear-text credentials for certain programs. Below are a few locations to get you started:

# RealVNCC:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
# Windows auto-loginC:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"# SNMP parametersC:\>reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"# PuTTY proxy credentialsC:\>reg query" HKCU\Software\username\PuTTY\Sessions"# Search the registry:C:\>reg query HKLM /f password /t REG_SZ /sC:\>reg query HKCU /f password /t REG_SZ /s

Searching for “passw”

# Search for keywordsC:\>dir /s *pass* == *cred* == *vnc* == *.config*# Search certain file types for "passw"C:\>findstr /si passw *.xml *.ini *.txt# Search for "passw" accross filesC:\>findstr /I /N /S /P /C:passw C:\*.txtC:\>findstr /I /N /S /P /C:passw C:\*.xmlC:\>findstr /I /N /S /P /C:passw C:\*.iniC:\>findstr /I /N /S /P /C:passw C:\*.logC:\>findstr /I /N /S /P /C:passw C:\*.confC:\>findstr /I /N /S /P /C:passw C:\*.config# PowerShell searchPS>Get-ChildItem c:\ -r -i -f *.* 2>$null | select-string "password"

Users’ Sensitive Info

C:\>findstr /I /N /S /P /C:passw C:\Users\*C:\>findstr /I /N /S /P /C:passw ''C:\Documents and Settings\*''

Browser Password Recovery

Most users will use the “save password” feature in a browser. Passwords are usually stored in a cleartext XML file. Firefox allows users to encrypt their passwords but most people don’t because this is a hassle to decrypt each time they restart their browser. Chrome doesn’t encrypt the passwords, but it “password protects” the password on the machine. There are a few options to recover the passwords.

The first method for browser password recovery is to use a tool like ChromePass. The tool will go through all the passwords stored in Chrome and output them in clear-text.

The next one is more tedious but doesn’t require you to download a new tool to the machine. Let’s say you have access to someone’s browser and they have their Facebook password saved in the browser. If they are logged in simply log out and the password should auto generate in the password field. Right click on the password field and click “Inspect Element”.

Next you will see something like this in the Inspector:

Double-click on the type=”password” attribute and change it so it says type=”text” and hit enter.

You will notice the password is now showed in clear-text in the browser.

--

--

--

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to root Eurostar epad 4 et7005c

Root LG Phone

Qenetex Bounty

How to root InFocus m812

Root LG Phone

Let’s Talk About The Sextortion Scam Luring Victims in with Breached Passwords

The Privacy Map to Protect Your Location Share

Preventing Risk and Fraud in Contracts

5 Secrets to Survive the Encryption Apocalypse

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Recipe For Root

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

More from Medium

Kubernetes Network Policy or Blocking External Traffic will Slightly Reduce log4j Attack, not…

Reverse Shell vs Bind Shell

Series of CTF machines Walkthrough #6 Linux Privilege Escalation using SUDO permissions.

Lopsided routing, a stealthy hole punch into FortiGate

No leaks seen in Beacon Home