search

19.Credential-hunting

hashtag
Credential Hunting Commands

hashtag
Search for "password" in common configuration file types

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

hashtag
Search for "password" in Chrome's Custom Dictionary

gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

hashtag
Get PowerShell history file path

(Get-PSReadLineOption).HistorySavePath

hashtag
Read PowerShell command history

gc (Get-PSReadLineOption).HistorySavePath

hashtag
Extract PowerShell history from all user profiles

foreach($user in (Get-ChildItem C:\users).FullName){
    Get-Content "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue
}

hashtag
Credential Extraction from XML

hashtag
Import credentials from an XML file

hashtag
Extract username from the credential object

hashtag
Extract password from the credential object

hashtag
Key Concepts:

  • Credential Discovery:

    • Locating stored passwords and other sensitive information.

    • Can lead to local or domain privilege escalation.

  • Application Configuration Files:

    • Plaintext or weakly encrypted credentials in configuration files.

  • Dictionary Files:

    • User-added words in application dictionaries (e.g., Chrome).

  • Unattended Installation Files:

    • unattend.xml files with auto-logon or account creation credentials.

  • PowerShell History:

    • Command history containing credentials.

  • PowerShell Credentials:

    • Encrypted credentials using DPAPI.

Approach, Commands, Tools, and Techniques:

  1. Application Configuration Files:

    • findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml (Search for keywords).

    • Manual inspection of web.config files.

  2. Dictionary Files:

    • gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password (Read Chrome dictionary).

  3. Unattended Installation Files:

    • Manual inspection of unattend.xml files.

  4. PowerShell History:

    • (Get-PSReadLineOption).HistorySavePath (Get history file path).

    • gc (Get-PSReadLineOption).HistorySavePath (Read history file).

    • foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue} (Read all accessible history files).

  5. PowerShell Credentials:

    • Import-Clixml -Path 'C:\scripts\pass.xml' (Import credential object).

    • $credential.GetNetworkCredential().username (Get username).

    • $credential.GetNetworkCredential().password (Get password).

Commands:

  • findstr

  • gc (Get-Content)

  • (Get-PSReadLineOption).HistorySavePath

  • Import-Clixml

Tools:

  • PowerShell.

Techniques:

  • File searching.

  • PowerShell scripting.

  • DPAPI abuse (if applicable).

Previous5.Credential TheftNext20.Other-files

Last updated