findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Sensitive IIS information such as credentials may be stored in a web.config file. For the default IIS website, this could be located at C:\inetpub\wwwroot\web.config, but there may be multiple versions of this file in different locations, which we can search for recursively.
If a user added a password to the Chrome custom dictionary to avoid red spell-check underlines:
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Replace password with any other keyword.
Check for unattend.xml
Starting with PowerShell 5.0 in Windows 10, PowerShell stores command history to the file:
To read the history file at the configured save path:
gc (Get-PSReadLineOption).HistorySavePath
To check all history files:
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
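For cleanup and remediation, the same history files can be audited without echoing the secrets themselves. The following is an added example, not part of the original notes; the function name Find-HistorySecret, the regex patterns and the sample history lines are constructed assumptions.

```powershell
# Added example: report history lines that look like they contain a credential,
# with the value masked so the audit output does not re-expose it.
function Find-HistorySecret {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Assumed patterns: group 1 is kept, group 2 (the value) is masked.
        [string[]]$Pattern = @(
            '(?i)(-(?:password|pass|pwd|secret|token)\s+)(\S+)',
            '(?i)(ConvertTo-SecureString\s+(?:-String\s+)?)(\S+)',
            '(?i)(net\s+user\s+\S+\s+)([^/\s]\S*)'
        )
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }   # profile without history
        $n = 0
        foreach ($line in Get-Content -LiteralPath $file) {
            $n++
            $masked = $line
            foreach ($p in $Pattern) {
                $masked = [regex]::Replace($masked, $p, '${1}********')
            }
            # Emit only lines where at least one pattern masked something.
            if ($masked -cne $line) {
                [pscustomobject]@{ File = $file; Line = $n; Masked = $masked }
            }
        }
    }
}

# Constructed sample history (not real data) so the function can be tried offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ConsoleHost_history.sample.txt'
@(
    'Get-ChildItem C:\scripts'
    'net user svc_backup Constructed-Pw1 /add'
    '$s = ConvertTo-SecureString "Constructed-Pw2" -AsPlainText -Force'
    'Get-Process -Name pwsh'
) | Set-Content -LiteralPath $sample
Find-HistorySecret -Path $sample | Format-Table Line, Masked -AutoSize
Remove-Item -LiteralPath $sample

# Real audit over every profile, using the history path shown above:
$all = (Get-ChildItem C:\Users -Directory).FullName | ForEach-Object {
    Join-Path $_ 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
}
Find-HistorySecret -Path $all | Format-Table -AutoSize
```

Treat any flagged credential as exposed: rotate it and remove the line from the history file.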
We can obtain cleartext passwords from an encrypted XML credential file:
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
People sometimes save passwords in Sticky Notes. Located at
Open it using DB Browser for SQLite and run queries such as select Text from Note;
It can also be opened using PowerShell.
We can also use strings plum.sqlite-wal on Linux.
%WINDIR%\repair\software, %WINDIR%\repair\security
C:\Program Files\Windows PowerShell\*