Interesting Files

Search for a file named user.txt

dir usert.txt /s /p
# The /s option directs a search of all folders on the hard drive
# The /p option pauses the display after each screen of text.

Search for the string "password" in different file extensions

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini 

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

Search for a file with a certain filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Search the registry for key names and passwords

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f passwd /t REG_SZ /s

reg query HKU /f password /t REG_SZ /s
reg query HKU /f passwd /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s
reg query HKCU /f passwd /t REG_SZ /s

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"   
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password"

Powershell History File

 type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

PreviousAbusing Files Permissions NextFile Transfer Methods

Last updated 5 years ago