Diggin’ for Gold – Windows Post Exploitation
We have all been there: you see a post or a script that says grep for this or search for that, so you do, but you get more than a haystack in return. The real benefit comes when you know the common config files and WHAT they contain. What a config file contains matters because the value might be encoded a certain way, or, dare I say it, encrypted with the product's own algorithm (which can be easily cracked), or it might just be plaintext or base64 encoded. However it is stored, knowing what we are looking for and what we are likely to find there is important for reducing the noise and the time spent on fruitless tasks when manually pentesting or researching without tools.
c:\sysprep.inf [Base64 Encoded Password]
c:\sysprep\sysprep.xml [Base64 Encoded Password]
c:\unattend.xml [Plaintext Password]
%WINDIR%\Panther\Unattend\Unattended.xml [Plaintext Password]
%WINDIR%\Panther\Unattended.xml [Plaintext Password]
vnc.ini [Password Easily Decrypted]
ultravnc.ini [Password Easily Decrypted]
dir c:\ /s /b | findstr /si *vnc.ini [Plaintext Password]
dir c:\*vnc.ini /s /b [Plaintext Password]
dir c:\*ultravnc.ini /s /b [Plaintext Password]
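From the defensive side, as an added example that is not part of the original post: a PowerShell audit that checks the answer-file locations listed above for leftover credential fields so the files can be cleaned up after imaging. The XML element names and the sysprep.inf field name it looks for are assumptions, as is the helper name Test-AnswerFileCredentials.

```powershell
# Added example (not from the original post): report setup answer files that may still
# carry credentials after imaging, so they can be removed or sanitized.
# The paths are the ones listed in the post above.
$answerFiles = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    'C:\unattend.xml',
    (Join-Path $env:WINDIR 'Panther\Unattend\Unattended.xml'),
    (Join-Path $env:WINDIR 'Panther\Unattended.xml')
)

# Assumed list of XML element names that typically hold credentials in unattend/sysprep XML.
$credentialElements = @('AdministratorPassword', 'Password', 'AutoLogon')

function Test-AnswerFileCredentials {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # nothing to report
    $item    = Get-Item -LiteralPath $Path
    $content = Get-Content -LiteralPath $Path -Raw -ErrorAction SilentlyContinue
    $hits    = @()
    if ($Path -like '*.xml') {
        try {
            [xml]$xml = $content
            foreach ($name in $credentialElements) {
                # local-name() ignores the unattend namespace prefix
                $nodes = $xml.SelectNodes("//*[local-name()='$name']")
                if ($nodes.Count -gt 0) { $hits += "$name ($($nodes.Count))" }
            }
        } catch {
            # Not well-formed XML: fall back to a case-insensitive text match
            if ($content -match '(?i)password') { $hits += 'text:password' }
        }
    } elseif ($content -match '(?im)^\s*AdminPassword\s*=') {
        # sysprep.inf is INI style; AdminPassword= is the field that carries the credential
        $hits += 'AdminPassword='
    }
    [pscustomobject]@{
        Path        = $Path
        LastWrite   = $item.LastWriteTimeUtc
        Findings    = ($hits -join ', ')
        Recommended = if ($hits) { 'Remove file or strip credential elements' } else { 'Delete if no longer needed' }
    }
}

# Run the audit over every listed location and print a table of what exists on this host
$answerFiles | ForEach-Object { Test-AnswerFileCredentials $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt so the Panther folder is readable; an empty table means none of the listed files are present.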
Spray and Pray
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
# Find all passwords in all files.
findstr /spin "password" *.*
Extended List/Rare Finds
This list will include common projects which are not so mainstream, like web servers and other third-party tools that users install and that leave credential files on the system. Check back for updates!