Passwords in files

Theory

In organization networks, it is common to find passwords in random files (logs, config files, personal documents, Office documents, ...). Other credential dumping techniques (SAM & LSA, NTDS.dit, some web browsers, ...) could be considered sub-techniques of credential dumping from files. This recipe focuses on techniques for gathering passwords and other sensitive information from generic files, other than the ones involved in the sub-techniques mentioned above.

Practice

UNIX-like

From UNIX-like systems, the manspider (Python) tool can be used to find sensitive information across a number of shares.

manspider.py --threads 50 $IP_RANGE/$MASK -d $DOMAIN -u $USER -p $PASSWORD --content passw login username secret

Manually, shares can be mounted and grepped for interesting information.
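
The mount-and-grep step above, seen from the defender's side: an added example (not from the original page or from the manspider project) that walks an already-mounted share or local directory for the same keywords used in the manspider command and reports where key/value credentials sit, with the value masked, so they can be removed and rotated. The 5 MiB size cap, the key/value pattern and the sample files are assumptions made for this example.

```python
import os
import re
import tempfile

# Keywords taken from the manspider --content example on this page.
KEYWORDS = ("passw", "login", "username", "secret")
# Assumption: only "key = value" / "key: value" lines are reported.
PATTERN = re.compile(
    r"(?i)(\w*(?:%s)\w*)\s*[:=]\s*(\S+)" % "|".join(KEYWORDS))
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip files larger than 5 MiB


def audit_tree(root: str):
    """Walk a mounted share or local directory and return
    (path, line_number, key, masked_value) for each key/value hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    # A NUL byte in the first block marks a binary file.
                    if b"\x00" in fh.read(4096):
                        continue
                    fh.seek(0)
                    text = fh.read().decode("utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip, do not abort the audit
            for lineno, line in enumerate(text.splitlines(), 1):
                for key, value in PATTERN.findall(line):
                    # Never copy the secret itself into the report.
                    findings.append((path, lineno, key, "*" * len(value)))
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted share.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.ini"), "w") as fh:
            fh.write("[db]\nuser=svc\nDB_PASSWORD = Summer2024!\n")
        with open(os.path.join(root, "blob.bin"), "wb") as fh:
            fh.write(b"\x00password=x")
        for finding in audit_tree(root):
            print(finding)
```
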
Windows

From Windows systems, the following commands should help find interesting information across local files and network shares.

findstr /snip password *.xml *.ini *.txt
findstr /snip password *

PowerSploit's PowerView (PowerShell) module can be used to find interesting files as well.

Find-InterestingFile -LastAccessTime (Get-Date).AddDays(-7)
Find-InterestingFile -Include "private,confidential"
Find-InterestingFile -Path "\\$SERVER\$Share" -OfficeDocs

Last but not least, one of the best tools to find sensitive information across a number of shares and local files is Snaffler (C#).

snaffler.exe -s -o snaffler.log

Resource

GitHub - SnaffCon/Snaffler: a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 ( Twitter: @/mikeloss and @/sh3r4_hax )
GitHub - blacklanternsecurity/MANSPIDER: Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!