In this very special Halloween episode, prepare to be scared. Brad and Spencer discuss the common and not-so-common locations where we find credentials during penetration tests, including plaintext passwords and other credential material such as API keys.
Unsecured Credentials and Where to Find Them
- The hosts introduce the topic of finding user credentials, which is a common way to move laterally in environments.
- They mention that they received great feedback from the community regarding a tweet on this topic.
- The purpose of this episode is to shed light on both common and uncommon locations where credentials can be found.
Common Locations for Finding Credentials
Unattend File
- The unattend.xml answer file, usually under C:\Windows\Panther (also check C:\Windows\Panther\Unattend\ and any sysprep.xml or autounattend.xml left on the disk), is one of the first places to look during an engagement.
- Windows deployment tooling uses this file to build the machine, and the account passwords in it are only Base64-encoded with a fixed suffix, not encrypted; anyone who can read the file can decode them.
- If the local administrator password it sets is still in use, it is a working local admin credential for every machine built from that image.
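The decoding step, as an added example that is not code from the episode: Windows System Image Manager stores a hidden password as Base64(UTF-16LE(password + element name)), so the suffix "Password" or "AdministratorPassword" has to be stripped after decoding. The answer file below is constructed for this example; the function, the sample account names and the sample passwords are assumptions, not values from the page.

```powershell
# Added example, not code from the episode: decode the passwords that Windows
# System Image Manager "hides" in an answer file. The hidden form is
# Base64(UTF-16LE(password + element name)), so decoding needs no key at all.
# The XML below is constructed for this example; on a real host look at
# C:\Windows\Panther\unattend.xml, C:\Windows\Panther\Unattend\unattend.xml and
# any sysprep.xml / autounattend.xml left on the disk or in deployment shares.

$sampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Hunter2</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>UwB1AHAAZQByAFMAZQBjAHIAZQB0ADEAIQBQAGEAcwBzAHcAbwByAGQA</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Get-UnattendPassword {
    param([Parameter(Mandatory)][xml]$Unattend)

    # Match on local-name() so the document's default namespace does not matter:
    # every element that has a <Value> child is a password element.
    foreach ($node in $Unattend.SelectNodes("//*[local-name()='Value']/..")) {
        $value  = $node.SelectSingleNode("*[local-name()='Value']").InnerText
        $ptNode = $node.SelectSingleNode("*[local-name()='PlainText']")
        # Assumption: a missing <PlainText> element means the value is plaintext.
        $plainText = (-not $ptNode) -or ($ptNode.InnerText -eq 'true')

        if (-not $plainText) {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
            # Strip the suffix: the element name (AdministratorPassword / Password),
            # falling back to a bare "Password" suffix.
            $value = $decoded -replace "(?:$($node.LocalName)|Password)$", ''
        }

        # <LocalAccount> carries a sibling <Name>; AdministratorPassword has none.
        $nameNode = $node.ParentNode.SelectSingleNode("*[local-name()='Name']")
        [pscustomobject]@{
            Element    = $node.LocalName
            Account    = if ($nameNode) { $nameNode.InnerText } else { 'Administrator' }
            Obfuscated = -not $plainText
            Password   = $value
        }
    }
}

Get-UnattendPassword -Unattend ([xml]$sampleUnattend) | Format-Table -AutoSize
```

Run against a real file with `Get-UnattendPassword -Unattend ([xml](Get-Content C:\Windows\Panther\unattend.xml -Raw))`. The cleanup is the same either way: delete the answer file after deployment (the Microsoft-Windows-Deployment `ExtendOSPartition` / sysprep workflows can do this for you) and rotate any local administrator password that ever appeared in one.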
File Shares
- File shares are another common location where user credentials can be found.
- Pentesters often refer to themselves as “fileshare archaeologists” due to frequently encountering sensitive data or credentials within file shares.
Additional Locations
- The hosts mention that there are many other areas in an environment where credentials may exist but focus on highlighting lesser-known places throughout the episode.
Section Overview: In this section, Spencer continues with additional locations where user credentials can be found.
Group Policy Preferences
- Group Policy Preferences (GPP) is a Group Policy feature that lets administrators push settings such as local users and groups, drive maps, services, scheduled tasks, and data sources.
- Passwords entered into those preference items are written to XML files in SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml and so on) as a cpassword attribute encrypted with a fixed AES key that Microsoft itself published. SYSVOL is readable by every authenticated domain user, so any of them can decrypt it. Microsoft removed the ability to set new passwords this way with MS14-025 in 2014, but existing XML entries stay in SYSVOL until an administrator deletes them.
Registry Keys
- Certain registry keys contain credentials, for example the Winlogon key used for automatic logon (DefaultUserName and DefaultPassword are stored in plaintext) and the saved-session data of remote access tools.
- Attackers search these keys routinely, so defenders should search them first.
Scheduled Tasks
- Scheduled tasks often run under privileged service accounts. The task definition reveals which account is used; the password itself is held for the Task Scheduler service in the SYSTEM profile's Credential Manager (DPAPI-protected, recoverable by an attacker with SYSTEM), and the scripts a task launches frequently embed credentials of their own.
- Examining scheduled tasks and the scripts they run is therefore a quick way to find both credential material and the accounts worth targeting.
Web Browsers
- Web browsers such as Chrome and Firefox have built-in password managers. Chrome protects its store with DPAPI under the user's logon credential, and Firefox uses no master password unless the user sets one, so anything running as that user can read the saved passwords.
- These stored passwords are a standard target once an attacker has code execution as the user.
Credential Manager
- The Credential Manager in Windows stores various types of credentials, including the usernames and passwords saved for RDP connections and network shares, protected per user with DPAPI.
- An attacker running in the user's context, or holding the user's DPAPI master key, can decrypt everything in it.
Email Clients
- Email clients like Microsoft Outlook often store login information for email accounts.
- Accessing these clients’ configurations can lead to the discovery of valuable credentials.
Configuration Files
- Configuration files used by applications may contain plaintext or encrypted credentials.
- Attackers can search for these files to extract useful information.
Memory Dumps
- Memory dumps from compromised systems contain valuable information: a dump of lsass.exe yields the NTLM hashes and Kerberos tickets of every logged-on user, and a crash dump of an application can contain whatever credentials it was handling at the time.
- Analyzing memory dumps, including ones the system wrote on its own, can reveal credential sources nobody knew were on disk.
Active Directory
- Active Directory is a common target for attackers looking to obtain user credentials.
- Attackers exploit misconfigurations within Active Directory, such as excessive directory replication rights on non-DC accounts or passwords typed into free-text attributes, to obtain credentials without ever touching an endpoint.
Social Engineering
- Social engineering techniques, such as phishing or impersonation, can be used to trick users into revealing their credentials.
- This method relies on human interaction rather than technical vulnerabilities.
Section Overview: In this section, Spencer concludes the discussion on finding user credentials by highlighting additional locations and providing closing remarks.
Local Configuration Manager (LCM)
- The Local Configuration Manager of Windows PowerShell DSC (Desired State Configuration) keeps the applied configuration as MOF files under C:\Windows\System32\Configuration (Current.mof, Pending.mof, Previous.mof). If the configuration was compiled with PSDscAllowPlainTextPassword, the credentials in it are plaintext; otherwise they are encrypted to a certificate whose private key sits on the same machine.
- Attackers search for these MOF files, and for the .ps1 files that generated them, to find credential sources.
Conclusion
- The hosts conclude the episode by emphasizing the importance of understanding where user credentials can be found in an environment.
- They encourage IT admins and pentesters to explore both common and lesser-known locations for better security practices and engagements.
5:48 File Shares and Unsecured Credentials
Section Overview: The speaker discusses the challenge of dealing with sensitive data and unsecured credentials in file shares. They mention that file shares are a common place to find credentials and suggest cleaning up file shares as a starting point for IT admins.
File Shares as a Source of Credentials
- File shares often contain unsecured credentials.
- Cleaning up file shares is an effective way to tackle this issue.
- IT admins should prioritize searching for credentials in file shares.
6:13 Registry and Remote Access Software
Section Overview: The speaker highlights the registry as another location where credentials can be found, particularly when remote access software such as VNC, PuTTY, or other SSH clients is installed, and emphasizes searching the registry to uncover credential leaks.
Registry and Remote Access Software
- Remote access tools such as VNC servers, PuTTY, and other SSH clients leave credential material behind in the registry: VNC server passwords are stored under HKLM encrypted with a fixed DES key that has been public for years, and PuTTY saved sessions record host names, user names, private key paths and plaintext proxy passwords.
- Searching through the registry can reveal sensitive data, including encrypted or unencrypted credentials.
- MobaXterm also stores saved session passwords in the registry (under HKCU\Software\Mobatek\MobaXterm) in a reversible form that public tools decrypt.
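An inventory check for the registry locations named above, as an added example that is not code from the episode. It reports which credential-bearing values exist (and their size) without decrypting anything, so it is safe to run as part of a cleanup sweep. The key paths are the documented storage locations of each product; the MobaXterm path is the one public decryption tools read and is an assumption here, as are the function and column names.

```powershell
# Added example, not from the episode: audit the registry locations discussed in
# this section (Winlogon autologon, PuTTY sessions, VNC servers, MobaXterm) for
# stored credential material. Run it as the user whose profile you are checking so
# that the HKCU entries are that user's. Nothing is decrypted; presence is the finding.

function Find-RegistryCredentialArtifacts {
    # Each entry: a key (wildcards expand to per-session subkeys) and the value names
    # that hold a password, a key-file path, or something equally useful to an attacker.
    $locations = @(
        @{ Key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Values = 'AutoAdminLogon','DefaultUserName','DefaultDomainName','DefaultPassword'
           Note   = 'Autologon: DefaultPassword is plaintext' }
        @{ Key    = 'HKCU:\Software\SimonTatham\PuTTY\Sessions\*'
           Values = 'HostName','UserName','PublicKeyFile','ProxyUsername','ProxyPassword'
           Note   = 'PuTTY saved session: ProxyPassword is plaintext, PublicKeyFile points at the .ppk' }
        @{ Key    = 'HKLM:\SOFTWARE\RealVNC\vncserver'
           Values = 'Password'
           Note   = 'RealVNC 5+: DES with a fixed, public key' }
        @{ Key    = 'HKLM:\SOFTWARE\RealVNC\WinVNC4'
           Values = 'Password'
           Note   = 'RealVNC 4: DES with a fixed, public key' }
        @{ Key    = 'HKLM:\SOFTWARE\TightVNC\Server'
           Values = 'Password','PasswordViewOnly'
           Note   = 'TightVNC: DES with a fixed, public key' }
        @{ Key    = 'HKCU:\Software\Mobatek\MobaXterm\P'      # assumed: location read by public decryptors
           Values = '*'
           Note   = 'MobaXterm saved passwords (value name = user@host)' }
    )

    foreach ($loc in $locations) {
        # Get-ItemProperty accepts wildcards, so a key pattern yields one object per session.
        foreach ($item in (Get-ItemProperty -Path $loc.Key -ErrorAction SilentlyContinue)) {
            $hits = $item.PSObject.Properties | Where-Object {
                $_.Name -notlike 'PS*' -and
                ($loc.Values -contains '*' -or $loc.Values -contains $_.Name) -and
                $_.Value
            }
            foreach ($p in $hits) {
                [pscustomobject]@{
                    Key   = $item.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Value = $p.Name
                    Type  = $p.Value.GetType().Name
                    Size  = if ($p.Value -is [byte[]]) { $p.Value.Length } else { "$($p.Value)".Length }
                    Note  = $loc.Note
                }
            }
        }
    }
}

Find-RegistryCredentialArtifacts | Format-Table -AutoSize
```

On a clean machine the function returns nothing. A DefaultPassword hit means an autologon password is on disk in the clear; replace it with the Autologon sysinternals tool (which stores the password as an LSA secret) or, better, with a kiosk account that has nothing worth stealing. PuTTY and MobaXterm hits are a prompt to move to key-based authentication with keys in an agent rather than on disk.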
6:45 Logon Scripts as a Source of Credentials
Section Overview: The speaker discusses logon scripts as a potential source of unsecured credentials. They explain that logon scripts used to map or mount network shares can sometimes include usernames and passwords. These scripts are often readable by all users in the environment unless secured properly.
Logon Scripts and Network Share Mounting
- Logon scripts used for network share mounting may contain usernames and passwords.
- These scripts live in the NETLOGON/SYSVOL share, which every authenticated domain user can read, so a password in a logon script is effectively a password handed to the whole domain.
- Securing logon scripts is crucial to prevent unauthorized access to sensitive credentials.
6:51 Importance of Cleaning Up Logon Scripts
Section Overview: The speaker emphasizes the significance of cleaning up logon scripts to remove any unsecured credentials. They mention that logon scripts are commonly used for convenience or to restrict access, but they can pose a security risk if not properly managed.
Cleaning Up Logon Scripts
- Logon scripts should be cleaned up to eliminate unsecured credentials.
- Two common scenarios for using logon scripts are convenience and restricting access.
- Proper permissions and access control should be applied instead of relying on logon scripts.
7:10 Group Policy as a Source of Unsecured Credentials
Section Overview: The speaker discusses how Group Policy can be another avenue for unsecured credentials. They mention that storing credentials in Group Policy preferences or using it for automatic login on kiosk machines can lead to potential security vulnerabilities.
Group Policy and Unsecured Credentials
- Passwords stored in Group Policy Preferences items sit in SYSVOL XML files, readable by every authenticated domain user, and the key that protects them is public.
- Automatic logon for kiosk machines is commonly configured by writing the Winlogon DefaultUserName and DefaultPassword values through a Group Policy registry preference, which leaves the password readable both in SYSVOL and in the kiosk's registry.
- Access control and securing Group Policy settings is essential to prevent unauthorized access.
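Decrypting a GPP cpassword and sweeping SYSVOL for leftovers, as an added example that serves both GPP sections on this page and is not code from the episode. The 32-byte AES key is the one Microsoft published in the MS-GPPREF protocol specification, the reason any domain user can recover these passwords. The Groups.xml below is constructed for this example; its cpassword is the widely circulated public test value for the format (it decrypts to Local*P4ssword!). The function names and the SYSVOL file list are the example's own.

```powershell
# Added example, not the episode's code: decrypt a Group Policy Preferences
# cpassword and find every preference XML in SYSVOL that still carries one.

$sampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-02-13 10:11:12">
    <Properties action="U" description="Pushed local admin"
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
</Groups>
'@

function ConvertFrom-GPPCPassword {
    param([Parameter(Mandatory)][string]$CPassword)

    # AES-256 key published by Microsoft in the MS-GPPREF specification.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # The XML stores Base64 without '=' padding; restore it before decoding.
    $padded = $CPassword.PadRight($CPassword.Length + (4 - $CPassword.Length % 4) % 4, '=')
    $cipher = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16          # all-zero IV, as the format specifies
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        [Text.Encoding]::Unicode.GetString($plain)   # passwords are stored as UTF-16LE
    } finally { $aes.Dispose() }
}

function Find-GPPCPassword {
    # Walk preference XML files (SYSVOL itself, or an exported copy) and return
    # every element that still carries a cpassword attribute.
    param([Parameter(Mandatory)][string]$Path)

    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $Path -Recurse -File -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        ([xml](Get-Content -LiteralPath $file -Raw)).SelectNodes('//*[@cpassword]') | ForEach-Object {
            [pscustomobject]@{
                File     = $file
                # Groups.xml uses userName; Services/ScheduledTasks use accountName or runAs.
                Account  = ($_.GetAttribute('userName'), $_.GetAttribute('accountName'), $_.GetAttribute('runAs') | Where-Object { $_ })[0]
                Password = ConvertFrom-GPPCPassword $_.GetAttribute('cpassword')
            }
        }
    }
}

# Stand-alone run against the constructed XML (no SYSVOL needed):
([xml]$sampleGroupsXml).SelectNodes('//*[@cpassword]') | ForEach-Object {
    '{0} -> {1}' -f $_.GetAttribute('userName'), (ConvertFrom-GPPCPassword $_.GetAttribute('cpassword'))
}
```

On a domain, run `Find-GPPCPassword -Path "\\$env:USERDNSDOMAIN\SYSVOL"` as an ordinary user; anything it returns is readable by every other ordinary user too. The fix is to delete the preference item (not just the password), change the password of every account that appeared, and use LAPS for local administrator passwords instead.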
7:29 Document Management Systems in Law Firms
Section Overview: The speaker highlights document management systems used in law firms as a significant source of unsecured credentials. These systems, such as Aderant, NetDocuments (NetDocs), or iManage, require widespread user access, making it challenging to implement least privilege principles.
Document Management Systems in Law Firms
- Document management systems used in law firms often require broad user access.
- Implementing proper permission controls within these systems can be complex.
- Least privilege principles may be difficult to achieve due to the nature of these systems.
9:30 Summary: Recognizing Credential Locations
Section Overview: The speaker summarizes the importance of recognizing various locations where credentials may exist. They encourage IT professionals to proactively search for and eliminate unsecured credentials from file shares, registry entries, logon scripts, Group Policy settings, and document management systems.
Recognizing Credential Locations
- Credentials can be found in file shares, registry entries, logon scripts, Group Policy settings, and document management systems.
- Proactive searching and elimination of unsecured credentials is crucial for maintaining security.
- Understanding where credentials may exist helps in identifying potential vulnerabilities.
11:40 Document Management System as Password Manager
Section Overview: The speaker discusses how document management systems are often used as password managers by some users. This poses a security risk as these systems contain both corporate and personal credentials.
- Users often use document management systems as password managers, storing passwords for various accounts.
- Personal information such as PayPal, Amazon, credit card numbers, and social security numbers are also stored in these systems.
- Law firms are particularly prone to this practice, making their document management systems a target for attackers.
- Accessing the document management system is a primary goal during penetration testing.
12:12 Risk of Storing Sensitive Information in Document Management Systems
Section Overview: The speaker highlights the common practice of storing sensitive information in document management systems and emphasizes the need for better risk management.
- Law firms commonly store sensitive information in their document management systems.
- Evidence intake processes often involve securing files with passwords that are easily discoverable within the system.
- Storing passwords alongside evidence compromises security and should be avoided.
- Active Directory attributes like description and notes can also contain credentials or other sensitive information.
- Old or legacy credentials found in these attributes can provide insights into password construction patterns.
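A sweep of the free-text Active Directory attributes mentioned above, as an added example that is not code from the episode. The description, info (the "Notes" field in the ADUC UI) and comment attributes are readable by every domain user, which is exactly why a password typed into them is a domain-wide leak. The scoring regex, the function names and the sample strings are the example's own assumptions; the live query needs the ActiveDirectory RSAT module.

```powershell
# Added example, not from the episode: pull the free-text attributes of every user
# and computer object and flag the ones that look like they carry a password.
# Constructed samples at the bottom exercise the scoring without a domain.

$passwordLike = '(?i)\b(pass(word|wd|phrase)?s?|pwd|pin|secret|cred(ential)?s?)\b\s*(is|[:=-])?\s*\S+'

function Test-CredentialText {
    param([AllowNull()][string]$Text)
    return [bool]($Text -and $Text -match $passwordLike)
}

function Find-ADCredentialText {
    # The three attributes that survive migrations and are readable by everyone.
    $attrs = 'description','info','comment'
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties $attrs |
        ForEach-Object {
            foreach ($a in $attrs) {
                if (Test-CredentialText $_.$a) {
                    [pscustomobject]@{
                        Object    = $_.DistinguishedName
                        Attribute = $a
                        Text      = $_.$a
                    }
                }
            }
        }
}

# Constructed samples (not real objects) so the scoring can be checked offline:
$samples = @(
    'Service account for backups. pwd: B@ckup2019'
    'Temporary password is Welcome1, user must change'
    'Contractor - ends 30 Sept'
    'Printer queue PIN 4421'
)
$samples | ForEach-Object { [pscustomobject]@{ Flagged = Test-CredentialText $_; Text = $_ } } |
    Format-Table -AutoSize
```

Expect the first, second and fourth samples to be flagged and the third to pass. When `Find-ADCredentialText` returns a hit on a real domain, treat the password as compromised even if it is "old": as the hosts note, legacy passwords reveal the organisation's password construction pattern, and the account is a natural candidate to keep as a canary.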
13:52 Canary Accounts and Vendor Security Risks
Section Overview: The speaker discusses the concept of canary accounts and highlights potential security risks associated with vendor installations.
- When discovering credentials in an environment, converting them to canary accounts can help detect unauthorized access attempts.
- Automated installations of enterprise toolsets sometimes include sensitive information in descriptions or computer objects/accounts used as service accounts.
- Overprivileged accounts created during vendor installations pose a significant security risk if not properly managed.
16:02 Importance of Reading Installation Wizards Carefully
Section Overview: The speaker emphasizes the importance of carefully reading installation wizards to avoid unintended consequences and security risks.
- During installations, the wizard operates in the context of the user performing the installation.
- Clicking through without reading can lead to overprivileged accounts or unintended security vulnerabilities.
- Similar to end-user license agreements, neglecting to read installation wizards can result in cleanup efforts later on.
16:54 Common Security Issues in Web Applications
Section Overview: The speaker highlights that common security issues discussed earlier also apply to web applications, such as HTML comments and JavaScript files containing sensitive information.
- Security issues encountered in internal environments, like file shares and group policies, are also prevalent in web applications.
- HTML comments and JavaScript files often contain sensitive information.
- Pre-populated fields or default credentials during web application installations can lead to security vulnerabilities if not properly managed.
17:35 Common Locations for Credentials
Section Overview: In this section, the speaker discusses common locations where credentials can be found during a penetration test. They mention PowerShell console history files, log files, config files, and email as potential sources of credentials.
PowerShell Console History Files
- The speaker uses a PowerShell script to search the PowerShell console history file on servers for strings like "password" and "credential". PSReadLine writes this file per user at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, so it survives reboots and is rarely cleaned up.
- Admins often use PowerShell for administrative tasks and may inadvertently enter credentials insecurely.
Log Files
- Log files, especially those generated by PowerShell or third-party applications, can contain verbose debug logging that may include credentials.
- The speaker emphasizes the importance of checking log files in web application security assessments as they may reveal hardcoded credentials.
Config Files
- Application configuration files, particularly in .NET applications, are commonly searched for hardcoded usernames and passwords.
- Even if web applications are logically or physically separated into different layers, dropping plaintext credentials in config files undermines security measures.
Email
- Email is another potential source of credentials.
- The speaker highlights the notes section of Outlook contacts as a lesser-known location where individuals may store passwords.
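One sweep that covers the file-share archaeology discussed earlier and the PowerShell history, log and config files discussed here, as an added example that is not code from the episode. It runs a small set of regexes for the patterns that leak most often over a path list and always adds every profile's PSReadLine history. The sample files, the regex set and the function names are the example's own assumptions; the regexes are a starting point for a cleanup, not a complete catalogue.

```powershell
# Added example, not code from the episode: sweep file shares, scripts, logs and
# config files (plus every user's PowerShell history) for credential patterns.
# The report lists file, line number and pattern only, so that the report itself
# does not become another place where passwords are stored.

$patterns = [ordered]@{
    'PowerShell plaintext secret' = 'ConvertTo-SecureString\s+.*-AsPlainText'
    'net use / cmdkey / runas'    = '(?i)\b(net\s+use|cmdkey|runas)\b.*(/pass|/user|/savecred|/p:)'
    'connection string password'  = '(?i)(password|pwd)\s*=\s*[^;"'' \r\n]{3,}'
    'key/value password'          = '(?i)^\s*(password|passwd|pass|secret|api[_-]?key|token)\s*[:=]\s*\S+'
    'PSCredential literal'        = '(?i)New-Object\s+.*PSCredential\s*\(|\[pscredential\]::new\('
    'private key block'           = '-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----'
}

function Find-Credentials {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Include = @('*.txt','*.log','*.ps1','*.bat','*.cmd','*.config','*.xml','*.ini','*.json','*.csv')
    )
    $files = @(Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue)

    # Admins forget the PSReadLine history exists; include it for every profile on the box.
    $history = Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue
    if ($history) { $files += $history }

    foreach ($file in $files) {
        foreach ($entry in $patterns.GetEnumerator()) {
            Select-String -LiteralPath $file.FullName -Pattern $entry.Value -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Finding = $entry.Key }
                }
        }
    }
}

# Constructed sample files so the sweep runs stand-alone (values are made up):
$root = Join-Path ([IO.Path]::GetTempPath()) 'credsweep-demo'
New-Item -ItemType Directory -Path "$root\IT\scripts" -Force | Out-Null
@'
net use Z: \\fs01\finance /user:CORP\svc_backup S3cretBackup!
$cred = New-Object System.Management.Automation.PSCredential('svc_sql', (ConvertTo-SecureString 'Summer2023!' -AsPlainText -Force))
'@ | Set-Content "$root\IT\scripts\mount.ps1"
@'
<connectionStrings>
  <add name="App" connectionString="Server=sql01;Database=app;User Id=app_user;Password=P@ssw0rd123;" />
</connectionStrings>
'@ | Set-Content "$root\IT\web.config"

Find-Credentials -Path $root | Format-Table -AutoSize
```

Against the constructed files this reports the `net use` line, the PSCredential line (twice, once per matching pattern) and the web.config connection string. Point `-Path` at a share root (`\\fs01\IT`) and expect noise at first; the hosts' advice applies, do the first pass manually, then keep this running on a schedule. For .NET config files the durable fix is to encrypt the connectionStrings section with aspnet_regiis or move the secret into a managed identity or vault rather than to keep searching for it.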
19:38 Log Files and Config Files in Web Application Security
Section Overview: In this section, the speaker focuses on log files and config files within the context of web application security. They discuss how hardcoded database credentials in log files can be exploited and highlight the prevalence of plaintext usernames and passwords in config files.
Log Files in Web Application Security
- Web applications often authenticate with databases or other systems, which leads to logging these interactions.
- If database credentials are hard-coded into the application and the application logs its connection string or failed connection attempts, those credentials end up in the log files.
- Some custom web apps may have vulnerabilities that allow unauthorized access to certain log files.
Config Files in Web Application Security
- Application configuration files (e.g., web.config in .NET) are commonly searched for hardcoded usernames and passwords.
- Despite the logical or physical separation of different layers in web applications, plaintext credentials in config files can compromise security measures.
22:08 Lesser Known Locations for Credentials
Section Overview: In this section, the speaker discusses lesser-known locations where credentials may be stored. They specifically mention the notes section of Outlook contacts as a surprising place where individuals may store passwords.
Notes Section of Outlook Contacts
- The speaker shares an anecdote from a security assessment where someone admitted to storing passwords in the notes section of their Outlook contacts.
- This location may not be commonly considered when assessing credential security.
- It serves as a reminder that credentials can be found in unexpected places.
23:23 Finding Compromised Accounts
Section Overview: The speaker discusses the process of compromising an account and highlights the common occurrence of receiving multiple account setup notifications. They mention a technique they used to search for compromised accounts by going back to the first email received, often a welcome email containing passwords. This method can be effective in identifying unsecured credentials.
Searching for Unsecured Credentials
- The speaker shares their experience during a recent pentest where they discovered unsecured credentials in an unexpected location.
- While searching through file shares, they came across a folder that caught their attention.
- Despite initial hesitation, they decided to investigate further and found vmdk files several layers deep within the folder.
- Using a tool called Volumizer, they mounted the virtual machine disk files (vmdk) and browsed them.
- Running Impacket's secretsdump against the SAM and SYSTEM hives from the mounted disk gave them the local administrator's NTLM hash.
- Passing that hash (pass-the-hash) across the environment granted access to multiple servers.
- Cracking the hash and reusing the plaintext yielded further accounts and ultimately the entire environment.
26:30 Lesser Known Locations for Unsecured Credentials
Section Overview: The speaker explores lesser-known locations where unsecured credentials can be found: the network access account in Microsoft Configuration Manager (formerly System Center Configuration Manager, SCCM) and the synchronization accounts used by Azure AD Connect.
Network Access Accounts in Microsoft Configuration Manager
- The network access account (NAA) is pushed to every SCCM-managed client, where it is stored in WMI protected with DPAPI.
- An attacker with local admin rights on such a client can pull the machine's DPAPI keys and decrypt the NAA password.
- These accounts are frequently overprivileged; in practice they often have server admin or even domain admin rights, when all the NAA needs is read access to distribution points.
AD Sync Accounts
- Azure AD Connect (now Microsoft Entra Connect) synchronizes the on-premises Active Directory with Azure AD.
- Two accounts are used for this: the on-premises sync account (named MSOL_<id> by default) and the Azure AD connector account. Their passwords are stored encrypted in the ADSync database on the connect server.
- An attacker with local admin rights on that server can recover the encryption keys and decrypt both passwords.
- The danger is that the on-premises sync account holds directory replication (DCSync) rights, so an attacker who recovers it can replicate the password hash of every account in the domain.
28:58 Crash Dumps as a Source of Information
Section Overview: The speaker discusses crash dumps as a potential source of valuable information. They mention that crash dumps have gained more attention recently due to Microsoft’s focus on them.
Importance of Crash Dumps
- Crash dumps were not widely explored until recently when they gained significant attention.
- Microsoft’s emphasis on crash dumps has brought them into the spotlight as a valuable source of information for security professionals and red teamers.
29:41 Finding Credentials in Applications
Section Overview: The speaker discusses various places where credentials can be found within applications and provides tips for identifying them.
Places to Look for Credentials
- 29:41 API keys and other credentials are often hard-coded inside an application's binaries, scripts, or source.
- 30:01 AutoHotkey scripts can store credentials used for logging into systems or mounting shares.
- 30:23 Sticky note widgets are commonly used to store passwords, making them a potential source of credentials.
- 30:45 Documents uploaded to VirusTotal, especially those suspected of containing malware, may contain leaked credentials.
- 31:05 SharePoint portals often contain company information and documents, including sensitive data such as passwords.
- 31:42 Searching for password-related terms in SharePoint can reveal stored credentials.
Tips for Identifying Credentials
- 32:00 Look for default patterns in user passwords, such as using their last name followed by their birth date.
- 32:39 Conduct thorough manual searches through file shares, document management systems, and SharePoint to find unsecured credentials.
- 32:59 Consider automating the search process with PowerShell scripts once initial cleanup is done manually.
- 33:50 Commercial tools can help automate the identification of sensitive data in documents but can be expensive. Start with manual efforts before investing in these tools.
- 34:09 Educate users about the importance of not storing sensitive information outside secure systems and provide them with password management tools.
34:28 Conclusion
Section Overview: The speaker concludes the discussion by thanking the audience and encouraging them to share the episode. They also emphasize the importance of user education and providing password management tools to prevent credential leakage.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com