Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3546] No subject

Browse source
This commit is contained in:
CPol 2022-10-03 22:05:12 +00:00 committed by gitbook-bot
parent ee0e653547
commit 022668bd49
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 23 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
View file

@ -36,9 +36,10 @@ Let us take a look at the most common artifacts stored by browsers.
* **Logins:** Self Explanatory.
* **Favicons:** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited.
* **Browser Sessions:** Self Explanatory.
* \*\*Downloads:\*\*Self Explanatory.
* **Downloads**: Self Explanatory.
* **Form Data:** Anything typed inside forms is oftentimes stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
* **Thumbnails:** Self Explanatory.
* **Custom Dictionary.txt**: Words added to the dictionary by the user.
## Firefox

21
windows-hardening/windows-local-privilege-escalation/README.md
View file

@ -919,6 +919,23 @@ You can **extract many DPAPI** **masterkeys** from **memory** with the `sekurlsa
[dpapi-extracting-passwords.md](dpapi-extracting-passwords.md)
{% endcontent-ref %}
### PowerShell Credentials
**PowerShell credentials** are often used for **scripting** and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using **DPAPI**, which typically means they can only be decrypted by the same user on the same computer they were created on.
To **decrypt** a PS credentials from the file containing it you can do:
```
PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
PS C:\> $credential.GetNetworkCredential().username
john
PS C:\htb> $credential.GetNetworkCredential().password
JustAPWD!
```
### Wifi
```bash
@ -951,6 +968,10 @@ HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Use the **Mimikatz** `dpapi::rdg` module with appropriate `/masterkey` to **decrypt any .rdg files**\
You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module
### Sticky Notes
People often use the StickyNotes app on Windows workstations to **save passwords** and other information, not realizing it is a database file. This file is located at `C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` and is always worth searching for and examining.
### AppCmd.exe
**Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.**\