Credentials in Shares
Last updated
We have moved from "don't leave a sticky note with your password on your computer" to "don't leave your passwords in a shared file".
We often find credentials in network shares, inside scripts and configuration files.
The first step is to see which shares exist. The lab section at the end of these notes uses PowerView's Invoke-ShareFinder for this.
Its final output is a list of non-default shares that the current user account has at least read access to.
Shares whose name ends in a dollar sign are hidden: File Explorer does not list them when browsing the server. However, since we have the UNC path from the output, we can browse to the share directly and see its contents:
/s – searches the current directory and all subdirectories
/i – ignores case in the search term
/m – prints only the file name of each file that contains a match. This is essential in real environments because of the huge amount of text that would otherwise be returned; matching for the string pass can, for example, return thousands of lines from PowerShell scripts that merely use the PassThru parameter.
The term defines what we are looking for. Good candidates include pass, pw, and the NetBIOS name of the domain (eagle in the playground environment). Attractive targets for this search are file types such as .bat, .cmd, .ps1, .conf, .config, and .ini. Here's how findstr can be executed to display the paths of the files containing pass, relative to the current location:
If we remove /m, findstr prints every matching line together with the file it came from, instead of only the file name:
One obvious yet rarely used search term is the NetBIOS name of the domain. Commands such as net use take the password as a positional argument on the command line rather than behind a keyword like pass or pw; the usual form is /user:DOMAIN\USERNAME PASSWORD. runas invocations use the same /user:DOMAIN\USERNAME syntax (runas itself prompts for the password), so searching for the domain name catches both.
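The searches described above, as an added example (not part of the original notes). It assumes the share was already reached by its UNC path (\\server is a placeholder host; dev$ is the share named in the lab below), that the current user can read it, and that the domain's NetBIOS name is eagle as in the playground. findstr is a cmd.exe tool, so the same lines work in a plain command prompt.

```powershell
# Added example, not from the original notes. Run from the root of the share
# so that the printed paths are relative to it. '\\server\dev$' is a placeholder.
cd '\\server\dev$'

# 1. File names only (/m), recursive (/s), case-insensitive (/i), for the term
#    "pass", restricted to the file types that usually carry credentials.
findstr /s /i /m "pass" *.bat *.cmd *.ps1 *.conf *.config *.ini

# 2. Same search without /m: every matching line is printed, prefixed by the
#    file it came from. Every PassThru in a large .ps1 shows up here, so use
#    this only on the short list that step 1 produced.
findstr /s /i "pass" *.config *.ini

# 3. Several terms at once: findstr treats space-separated words as separate
#    search strings, so "pw" and the domain name (eagle) also catch
#    "net use ... /user:EAGLE\svc PASSWORD" lines that never contain "pass".
findstr /s /i /m "pass pw eagle" *.bat *.cmd *.ps1 *.conf *.config *.ini

# 4. Literal phrase with /c: to match the /user:DOMAIN\ pattern directly
#    (the slash and backslash are left out so that cmd's quoting rules do not
#    interfere; "user:eagle" is enough to isolate those lines).
findstr /s /i /c:"user:eagle" *.bat *.cmd *.ps1
```

Step 3 is the one that matters in practice: the domain name is almost never a false positive in a script, whereas pass matches variable names, parameters and comments everywhere.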
[!NOTE] Running findstr in this way can be detected by Windows Defender.
Prevention:
Lock down every share so that only the users who need it can read it
Perform regular scans of the shared files for credentials
Detection:
Understanding and analyzing users' normal behavior is the best detection technique for abuse of credentials discovered in shares.
Analyze:
Logon time
Logon location/device
Relevant Windows Event IDs:
4624 – Successful logon
4625 – Failed logon
4768 – Kerberos TGT request (used in domain logons)
Honeypot:
Use a semi-privileged service account (e.g., svc-iis) with these properties:
Created 2+ years ago
Last password change at least 1 year ago
Account still active
The file containing the fake password must be newer than the last password change
The script/file should look realistic (e.g., an MSSQL connection string with the fake password)
Since the password is wrong, expect failed logon attempts. Monitor Windows Event IDs:
4625 – Failed logon
4771 – Kerberos pre-authentication failed
4776 – NTLM authentication failed
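The honeypot checklist above, carried through as an added example (not part of the original notes). It assumes the RSAT ActiveDirectory module is available, that the decoy account is svc-iis as in the notes, and that the bait file path \\server\dev$\legacy\web.config is a placeholder. The detection query should run on the domain controller, where 4771 and 4776 are written; 4625 is written on the host where the logon was attempted.

```powershell
# Added example, not from the original notes. Names marked "assumed" are placeholders.
$Decoy     = 'svc-iis'                               # decoy account from the notes
$DecoyFile = '\\server\dev$\legacy\web.config'       # assumed bait location

# --- 1. Verify the decoy account meets the criteria before planting the bait ---
$acct   = Get-ADUser -Identity $Decoy -Properties whenCreated, PasswordLastSet, Enabled
$checks = [ordered]@{
    'Created 2+ years ago'       = $acct.whenCreated     -lt (Get-Date).AddYears(-2)
    'Password older than 1 year' = $acct.PasswordLastSet -lt (Get-Date).AddYears(-1)
    'Account still enabled'      = [bool]$acct.Enabled
}

# --- 2. Plant a realistic-looking file AFTER the last password change ---
$fakePassword = 'Summer2019!'      # deliberately wrong; must never be a real credential
@"
<configuration>
  <connectionStrings>
    <add name="Inventory"
         connectionString="Server=sql01;Database=Inventory;User Id=EAGLE\$Decoy;Password=$fakePassword;" />
  </connectionStrings>
</configuration>
"@ | Set-Content -Path $DecoyFile

# The bait is only convincing if its timestamp post-dates the password change.
$checks['File newer than PasswordLastSet'] = (Get-Item $DecoyFile).LastWriteTime -gt $acct.PasswordLastSet
$checks    # every value should be True before relying on the honeypot

# --- 3. Detect use of the bait: a wrong password yields 4625 on the target host,
#        4771 (Kerberos pre-auth) or 4776 (NTLM) on the domain controller ---
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue      # no matching events is not an error here

$hits = foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ieq $Decoy) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            # 4776 records the workstation name; 4625/4771 record the source IP
            Source  = if ($e.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Any row returned by step 3 is a genuine alert: nothing legitimate should ever authenticate as the decoy, so the Source column points straight at the host that read the share.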
Connect to the target and enumerate the available network shares. What is the password of the Administrator2 user?
Import the PowerView.ps1 script to use Invoke-ShareFinder for identifying domain shares; script execution has to be enabled first.
Search all the shares, trying the dev$ share first for the Administrator2 password: cd into the dev$ share and run the following command.
Answer: Slavi920
Automated tools exist that can parse a collection of files and pick up matching words, but when there are only a few files, as in our scenario, we can do it manually (Living off the Land) with the findstr command.