Credential Hunting

Find password files:

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Sensitive IIS information such as credentials may be stored in a web.config file. For the default IIS website, this could be located at C:\inetpub\wwwroot\web.config, but there may be multiple versions of this file in different locations, which we can search for recursively.

Dictionary Files

If a password was added to the custom dictionary to avoid red spell-check underlines:

gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Substitute any other keyword for password.

Unattended Installation Files

Check for unattend.xml

PowerShell History File

Starting with PowerShell 5.0 in Windows 10, PowerShell stores command history to the file:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

To read the history file at the configured save path:

gc (Get-PSReadLineOption).HistorySavePath

To check all history files:
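
A defender-side audit of these history files, as an added example that is not part of the original notes: it walks every profile's PSReadLine history file and reports which lines contain credential-like keywords, without echoing the secret. The function name Find-HistorySecret, the keyword list and the C:\Users profile root are assumptions; the sample history is constructed.

```powershell
# Added example: audit PSReadLine history files for credential-like commands.
# Assumptions: function name, keyword list, and profiles living under C:\Users.
function Find-HistorySecret {
    [CmdletBinding()]
    param(
        [string]$ProfileRoot = 'C:\Users',
        [string[]]$Keyword = @('password', 'passwd', 'secret', 'token',
                               'apikey', 'credential', 'asplaintext')
    )
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    # Build one regex from the escaped keywords (Select-String is case-insensitive).
    $pattern = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = $_.Name
            $file = Join-Path $_.FullName $relative
            if (-not (Test-Path -LiteralPath $file)) { return }   # profile has no history
            Select-String -LiteralPath $file -Pattern $pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        User       = $user
                        File       = $file
                        LineNumber = $_.LineNumber
                        Keyword    = $_.Matches[0].Value
                        # Report only the command name, never the full line.
                        Command    = ($_.Line.Trim() -split '\s+')[0]
                    }
                }
        }
}

# Constructed sample: a throwaway profile tree holding one history file.
$root = Join-Path ([IO.Path]::GetTempPath()) ('histaudit_' + [guid]::NewGuid())
$dir  = Join-Path $root 'alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@('Get-Process',
  'ConvertTo-SecureString "EXAMPLE-VALUE" -AsPlainText -Force',
  'Get-ChildItem C:\Temp'
) | Set-Content -Path (Join-Path $dir 'ConsoleHost_history.txt')

# Flags line 2 only (keyword AsPlainText, command ConvertTo-SecureString).
Find-HistorySecret -ProfileRoot $root | Format-Table User, LineNumber, Keyword, Command
Remove-Item -Recurse -Force $root
```

Reading other users' profiles requires an elevated session; flagged lines point to credentials that should be rotated and history entries that should be cleared.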

Powershell creds

We can obtain cleartext passwords from encrypted.xml

Check Sticky Notes

People sometimes save passwords in sticky notes: Located at

Open it using DB Browser for SQLite and use commands such as select Text from Note;. It can also be opened using PowerShell.

You can also use strings plum.sqlite-wal on Linux.

Files of Interest
