{
	"id": "dadf52c7-0e0f-49c7-94e2-06b68870638e",
	"created_at": "2026-04-06T00:06:42.665409Z",
	"updated_at": "2026-04-10T03:21:48.718892Z",
	"deleted_at": null,
	"sha1_hash": "ae4dafe68875f885ea451189d6de10c4d1d4d5f2",
	"title": "Stored Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69289,
	"plain_text": "Stored Credentials\nPublished: 2017-04-19 · Archived: 2026-04-02 10:51:39 UTC\nWhen an attacker has gained access to a system, one of the first moves is to search the entire system for the credentials of the local administrator account, which would allow full compromise of the box. This is of course the easiest method of escalating privileges on a Windows system, and the purpose of this article is to examine some common places where these credentials might exist in order to assist with this process.\nWindows Files\nIt is very common for administrators to use Windows Deployment Services to create an image of a Windows operating system and deploy that image to various systems over the network. This is called unattended installation. The problem with unattended installations is that the local administrator password is stored in various locations, either in plaintext or Base64-encoded. These locations are:\nC:\\unattend.xml\nC:\\Windows\\Panther\\Unattend.xml\nC:\\Windows\\Panther\\Unattend\\Unattend.xml\nC:\\Windows\\system32\\sysprep.inf\nC:\\Windows\\system32\\sysprep\\sysprep.xml\nThere is a Metasploit module which can discover credentials via unattended installations:\npost/windows/gather/enum_unattend\nIf the system is running an IIS web server, the web.config file should be checked as it might contain the administrator password in plaintext. This file is usually located in one of the following directories:\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\web.config\nC:\\inetpub\\wwwroot\\web.config\nA sample of a web.config file with the administrator credentials can be seen below:\nhttps://pentestlab.blog/2017/04/19/stored-credentials/\nPage 1 of 5\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\nLocal administrator passwords can also be retrieved via Group Policy Preferences. The Groups.xml file which contains the password is cached locally, or it can be obtained from the domain controller, as every domain user has read access to this file. The password is stored in an encrypted form, but Microsoft has published the key, so it can be decrypted.\nC:\\ProgramData\\Microsoft\\Group Policy\\History\\????\\Machine\\Preferences\\Groups\\Groups.xml\n\\\\????\\SYSVOL\\Policies\\????\\MACHINE\\Preferences\\Groups\\Groups.xml\nApart from Groups.xml, the cpassword attribute can also be found in other policy preference files, such as:\nServices\\Services.xml\nScheduledTasks\\ScheduledTasks.xml\nPrinters\\Printers.xml\nDrives\\Drives.xml\nDataSources\\DataSources.xml\nCommands\nInstead of manually browsing all the files on the system, it is also possible to run the following commands to discover files that contain the word password:\nfindstr /si password *.txt\nfindstr /si password *.xml\nfindstr /si password *.ini\nAlternatively, the following commands, run from the root of the C: drive, will return the locations of files in which elevated credentials might be stored:\nC:\\\u003e dir /b /s unattend.xml\nC:\\\u003e dir /b /s web.config\nC:\\\u003e dir /b /s sysprep.inf\nC:\\\u003e dir /b /s sysprep.xml\nC:\\\u003e dir /b /s *pass*\nC:\\\u003e dir /b /s vnc.ini\nThird Party Software\nMcAfee\nMost Windows systems run McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:\n%AllUsersProfile%\\Application Data\\McAfee\\Common Framework\\SiteList.xml\nVNC\nAdministrators sometimes tend to use VNC software instead of Windows Terminal Services for remote administration of the system. The password is encrypted, but there are various tools that can decrypt it.\nUltraVNC\n[ultravnc]\npasswd=5FAEBBD0EF0A2413\nRealVNC\nIn RealVNC the hashed password is located in the following registry key:\nreg query HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4 /v password\nPuTTY\nPuTTY clear-text proxy credentials can be found under the following registry key:\nreg query \"HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\"\nRegistry\nThe registry can also be queried, as on some occasions it might contain credentials.\nreg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\nWindows Autologin:\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"\nSNMP Parameters:\nreg query \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\SNMP\"\nPowerSploit\nPowerSploit can be used as a tool for the discovery of stored credentials. Specifically, it supports the following modules, which check for encrypted or plaintext credentials in various files and in the registry:\nGet-UnattendedInstallFile\nGet-Webconfig\nGet-ApplicationHost\nGet-SiteListPassword\nGet-CachedGPPPassword\nGet-RegistryAutoLogon\nSource: https://pentestlab.blog/2017/04/19/stored-credentials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://pentestlab.blog/2017/04/19/stored-credentials/"
	],
	"report_names": [
		"stored-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae4dafe68875f885ea451189d6de10c4d1d4d5f2.pdf",
		"text": "https://archive.orkl.eu/ae4dafe68875f885ea451189d6de10c4d1d4d5f2.txt",
		"img": "https://archive.orkl.eu/ae4dafe68875f885ea451189d6de10c4d1d4d5f2.jpg"
	}
}