Harvesting passwords
Attack tree
1 Escalate using found credentials in
1.1 Unattended Windows installations
1.2 PowerShell history
1.3 Saved Windows credentials
1.4 IIS configuration
1.5 Retrieve credentials from software, for example PuTTY
Examples
Unattended Windows installations
When installing Windows on a large number of hosts, administrators often use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts over the network. These unattended installations require no user interaction, but they do require an administrator account for the initial setup, and that account's credentials may remain on the machine in the following locations:
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
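An audit of an answer file found in one of those locations, as an added example (not part of the original notes). The element names and the urn:schemas-microsoft-com:unattend namespace are those of the real Windows Setup answer-file schema; SAMPLE_UNATTEND is a constructed document with one base64-encoded password, one plaintext password and one that Setup has already cleared.

```python
# Audit a Windows answer file (Unattend.xml / sysprep.xml) for leftover password material.
# Added example, not from the original notes; SAMPLE_UNATTEND is a constructed document.
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
PASSWORD_ELEMENTS = {"Password", "AdministratorPassword"}  # each carries <Value> and <PlainText>

SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon><Username>Administrator</Username>
        <Password><Value>QUJDREVGR0hJSktMTU5PUA==</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Passw0rd!</Value><PlainText>true</PlainText></AdministratorPassword>
        <LocalAccounts><LocalAccount><Name>svc_deploy</Name>
          <Password><Value /><PlainText>true</PlainText></Password>
        </LocalAccount></LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

def _walk(elem, path, pass_name, findings):
    """Depth-first search for password elements, recording the path to each."""
    name = elem.tag.rsplit("}", 1)[-1]        # drop the namespace
    here = f"{path}/{name}"
    if name not in PASSWORD_ELEMENTS:
        for child in elem:
            _walk(child, here, pass_name, findings)
        return
    value = (elem.findtext(NS + "Value") or "").strip()
    plain = (elem.findtext(NS + "PlainText") or "").strip().lower()
    if not value:
        status = "empty"        # cleared, as Setup does after a clean finish
    elif plain == "true":
        status = "PLAINTEXT"    # readable by anyone who can read the file
    else:
        status = "base64 only"  # encoded, not encrypted: still recoverable
    findings.append((here, pass_name, status))

def audit_unattend(xml_text):
    """Return (location, configuration pass, status) for every password element."""
    findings = []
    for settings in ET.fromstring(xml_text).findall(NS + "settings"):
        for component in settings.findall(NS + "component"):
            for child in component:
                _walk(child, component.get("name", "component"), settings.get("pass", "?"), findings)
    return findings
```

Any finding other than "empty" means the answer file still holds setup credentials and should be deleted, or the account's password rotated.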
PowerShell history
Whenever a user runs a command in PowerShell, it is appended to a history file that keeps a record of past commands. If a user runs a command that includes a password directly on the PowerShell command line, that password can later be retrieved from the file.
In the cmd.exe prompt:
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
In the PowerShell prompt:
type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Saved Windows credentials
Windows allows for the use of other users’ credentials. To list saved credentials:
cmdkey /list
The passwords themselves are not shown, but a saved credential of interest can be used with the runas command and the /savecred option:
runas /savecred /user:admin cmd.exe
IIS configuration
Internet Information Services (IIS) is the default web server on Windows installations.
The configuration of websites on IIS is stored in the web.config file, which can contain passwords for databases or for configured authentication mechanisms. Depending on the version of IIS, it can be found in:
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
To find database connection strings in the file:
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
Retrieve credentials from PuTTY
To retrieve the stored proxy credentials, search under the following registry key for ProxyPassword with:
reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
Simon Tatham is the creator of PuTTY; his name is part of the registry path, not a username, so keep the command as is.
Notes
The example for retrieving credentials from software here is PuTTY, but any software that stores passwords, including browsers, email clients, FTP clients, SSH clients, VNC software and others, will have methods to recover any passwords the user has saved.