Diggin’ for Gold – Windows Post Exploitation

We have all been there: you see a post or a script that says grep for this or search for that, so you do, but you get more than a haystack in return. The real benefit comes when you know the common config files and WHAT they contain. What a config file contains matters because the value might be encoded a certain way, or, dare I say it, encrypted with the vendor's own algorithm (which can be easily cracked), or it might just be plaintext or base64 encoded. However it is stored, knowing what we are looking for and what we might find there is key to reducing the noise and the time spent on fruitless tasks when manually pentesting or researching without tools.

Common Gold

c:\sysprep.inf [Base64 Encoded Password]
c:\sysprep\sysprep.xml [Base64 Encoded Password]
c:\unattend.xml [Plaintext Password]
%WINDIR%\Panther\Unattend\Unattended.xml [Plaintext Password]
%WINDIR%\Panther\Unattended.xml [Plaintext Password]
vnc.ini [Password Easily Decrypted]
ultravnc.ini [Password Easily Decrypted]
dir c:\ /s /b | findstr /si *vnc.ini [Plaintext Password]
dir c:\*vnc.ini /s /b [Plaintext Password]
dir c:\*ultravnc.ini /s /b [Plaintext Password]

Spray and Pray

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
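The two sections above (the Common Gold path list and the Spray and Pray keyword sweep) can be turned into a single hygiene audit an administrator runs on a build image or a freshly deployed host. The following PowerShell is an added example, not code from the original post: it checks the exact paths listed above, walks the system drive for VNC ini files, sweeps the same *.txt / *.xml / *.ini / *.config extensions for the "password" keyword, and reports which files still contain a credential field so they can be deleted or sanitized. It never decodes or prints the secret itself. The function names, the default extension set and the regular expression are my own assumptions; the file paths are the ones on this page.

```powershell
# Added audit example (not from the original post). Reports leftover
# deployment and VNC configuration files that carry credentials; it only
# flags the file and a match count, never the password value.

$KnownFiles = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    'C:\unattend.xml',
    "$env:WINDIR\Panther\Unattend\Unattended.xml",
    "$env:WINDIR\Panther\Unattended.xml"
)

# <Password>/<Value> are the answer-file elements; the password=/passwd=
# forms cover INI-style files such as vnc.ini and ultravnc.ini.
$SecretPattern = '<Password>|<Value>|password\s*=|passwd\s*='

function Test-CredentialFile {
    # Returns $null when the file is absent, otherwise a record saying
    # whether a credential field is still present inside it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $hit = Select-String -LiteralPath $Path -Pattern $SecretPattern -Quiet
    [pscustomobject]@{
        Path        = $Path
        SizeBytes   = (Get-Item -LiteralPath $Path).Length
        HasPassword = [bool]$hit
    }
}

function Find-PasswordStrings {
    # The "Spray and Pray" sweep: same extensions as the findstr lines above,
    # but only the path and the number of matching lines are reported.
    param(
        [string]$Root = 'C:\',
        [string[]]$Extensions = @('*.txt', '*.xml', '*.ini', '*.config')
    )
    Get-ChildItem -Path $Root -Recurse -Force -File -Include $Extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = @(Select-String -LiteralPath $_.FullName -Pattern 'password|passwd' -ErrorAction SilentlyContinue)
            if ($m.Count -gt 0) {
                [pscustomobject]@{ Path = $_.FullName; MatchingLines = $m.Count }
            }
        }
}

# 1. Fixed, well-known answer-file locations.
$results = @()
foreach ($f in $KnownFiles) {
    $r = Test-CredentialFile -Path $f
    if ($r) { $results += $r }
}

# 2. VNC ini files can live anywhere, so walk the system drive for them.
Get-ChildItem -Path 'C:\' -Recurse -Force -File -Filter '*vnc.ini' -ErrorAction SilentlyContinue |
    ForEach-Object { $results += Test-CredentialFile -Path $_.FullName }

if ($results.Count -eq 0) {
    Write-Output 'No known credential-bearing config files found.'
} else {
    $results | Format-Table -AutoSize
    $flagged = @($results | Where-Object HasPassword)
    Write-Output ("{0} file(s) still contain a password field; remove or sanitize them." -f $flagged.Count)
}

# 3. Broad keyword sweep, summarized per file so no secret is echoed.
Find-PasswordStrings | Sort-Object MatchingLines -Descending | Format-Table -AutoSize
```

Run it elevated, since the Panther directory and other users' profiles are not readable otherwise. The cached copies under %WINDIR%\Panther exist because Windows Setup stores the answer file it used, so the durable fix is to delete those files as the last step of deployment and to avoid leaving VNC ini files with stored passwords on the box at all; this script is the check that the fix actually happened.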

Recovering Credentials


Extended List/Rare Finds

This list will include common projects that are not so mainstream, like web servers and other third-party tools users install that leave credential files on the system. Check back for updates!