Credential Theft

Credentials Hunting

Command to hunt for files containing passwords

PS C:\htb> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

PowerShell history save path

PS C:\htb> (Get-PSReadLineOption).HistorySavePath

C:\Users\htb-student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
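
From the defender's side, the same history file can be audited for credential-like lines so they can be scrubbed and the affected passwords rotated. The script below is an added example, not part of the original notes; the function name Find-HistorySecret, the rule names and the regex patterns are assumptions, and the sample lines are constructed.

```powershell
# Added example. Rule names and patterns are constructed assumptions;
# tune them to what administrators actually type in your environment.
$HistoryRules = [ordered]@{
    'keyword assignment'  = '\b(password|passwd|pwd|secret|token|apikey)\b\s*[=:]\s*\S+'
    'plaintext to secure' = 'ConvertTo-SecureString\b.*-AsPlainText'
    'net use with /user'  = '\bnet\s+use\b.*\s/user:'
    'cmdkey with /pass'   = '\bcmdkey\b.*\s/pass:\S+'
}

function Find-HistorySecret {
    param([string[]]$Line)
    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($rule in $HistoryRules.GetEnumerator()) {
            if ($Line[$i] -match $rule.Value) {
                # Report where and why, never the line itself, so the
                # audit output does not become a second copy of the secret.
                [pscustomobject]@{ LineNumber = $i + 1; Rule = $rule.Key }
                break
            }
        }
    }
}

# Constructed sample history lines (not real data).
$sample = @(
    'Get-ChildItem C:\Temp',
    '$password = "example-only"',
    'cmdkey /add:srv01 /user:CORP\svc /pass:example-only',
    'ConvertTo-SecureString "example-only" -AsPlainText -Force'
)
Find-HistorySecret -Line $sample

# Audit every profile's history file at the default PSReadLine location
# (run elevated to read other users' profiles).
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Find-HistorySecret -Line (Get-Content -LiteralPath $file) |
            Select-Object @{ n = 'File'; e = { $file } }, LineNumber, Rule
    }

# Keep matching lines out of the history file from now on. Place this,
# together with the definitions above, in $PROFILE.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    -not (Find-HistorySecret -Line $line)
}
```

A flagged line means the credential should be treated as exposed: rotate it, then remove the line from the history file.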

Sticky Notes Passwords

Location

 C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

View sticky note db

PS C:\htb> ls
 
 
    Directory: C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021  11:59 AM          20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a----         5/25/2021  11:59 AM            982 Ecs.dat
-a----         5/25/2021  11:59 AM           4096 plum.sqlite
-a----         5/25/2021  11:59 AM          32768 plum.sqlite-shm
-a----         5/25/2021  12:00 PM         197792 plum.sqlite-wal

CMDKey saved credentials

These credentials are filled in automatically when connecting over RDP

Runas với saved credentials

Extracting KeePass Hash

Hunting Credentials With LaZagne

PUTTY

Autologon

Clipboard
