20.Other-files

Searching File Contents for String

findstr /SI /M "password" *.xml *.ini *.txt
findstr /SI "password" *.xml *.ini *.txt *.config
findstr /SPIN "password" *.*
powershell "Select-String -Path C:\Users\htb-student\Documents\*.txt -Pattern password"

Searching for File Extensions

dir /S /B *pass*.txt *pass*.xml *pass*.ini *cred* *vnc* *.config*
where /R C:\ *.config
powershell "Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore"

Sticky Notes Database

ls C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\
powershell "Set-ExecutionPolicy Bypass -Scope Process; cd .\PSSQLite\; Import-Module .\PSSQLite.psd1; $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'; Invoke-SqliteQuery -Database $db -Query 'SELECT Text FROM Note' | Format-Table -Wrap"
strings plum.sqlite-wal

Other Files of Interest

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*

Key Takeaways:

  • Diverse File Locations:

    • Credentials and sensitive data can be hidden in various file types and locations, including configuration files, databases, text documents, and even virtual disk images.

    • Network shares are a prime target, as users often store sensitive data without realizing the access permissions.

  • Tools and Techniques:

    • Snaffler: A valuable tool for crawling network shares and identifying files with specific extensions.

    • findstr: A command-line utility for searching file contents for specific strings.

    • PowerShell: A powerful scripting language for searching files, parsing data, and interacting with the system.

    • dir and where: Command-line utilities for searching for files based on their names and extensions.

    • DB Browser for SQLite: A GUI tool for examining SQLite databases, such as the Sticky Notes database.

    • PSSQLite PowerShell Module: a powershell module to query sqlite databases.

    • strings: A command-line utility for extracting printable strings from binary files.

  • Sticky Notes:

    • The Sticky Notes application stores data in an SQLite database, which can contain valuable information.

    • The plum.sqlite file and related files are located in the user's AppData directory.

  • Other Files of Interest:

    • The provided list highlights various system files and directories that may contain credentials or sensitive information.

    • Log files, configuration files, and registry hives are common targets.

  • Manual vs. Automated Searching:

    • While enumeration scripts are helpful, understanding how to perform manual searches is essential for thorough penetration testing.

    • Manual searches allow for flexibility and the ability to find information that automated tools may miss.

  • Security Awareness:

    • The text highlights the importance of user security awareness. Many users are unaware that files they save on network shares can be accessed by others.

Additional Considerations:

  • Regular Expressions:

    • For more complex searches, consider using regular expressions with findstr or PowerShell's Select-String cmdlet.

  • Encoding:

    • Be aware of different file encodings, as this can affect the ability to search for strings.

  • File Permissions:

    • Always check file permissions to ensure that you have the necessary access to read and modify files.

  • Environmental Variables:

    • The use of environmental variables such as %SYSTEMDRIVE% and %WINDIR% is very useful when dealing with various windows systems.

  • Safety:

    • When dealing with production systems, be very careful when searching for and handling sensitive data.

    • Always obtain proper authorization before conducting any penetration testing activities.

  • Post exploitation:

    • The files that are mentioned are extremely useful during post exploitation phases of a penetration test.

Previous19.Credential-huntingNext21.Further-credential-theft

Last updated