Posts: 102
Threads: 35
Joined: Oct 2014
I am trying to learn about privilege escalation and at one point the tutorials says to try a registry search for passwords.
i.e.
reg query HKCU /f password /t REG_SZ /s
and
reg query HKLM /f password /t REG_SZ /s
I have some passwords that returned that seem to be encrypted, what encryption do they use?
Posts: 2,266
Threads: 16
Joined: Feb 2013
while you are on that learning trip, I think it wouldn't hurt to read this about "encrypted passwords":
https://www.techsolvency.com/passwords/d...ecrypting/
Posts: 102
Threads: 35
Joined: Oct 2014
Thanks for the article and mild rebuke. Actually I have been guilty of using the wrong terminology and my understanding is clearer now.
Although, in my question above I thought I asked a legitimate question.
If passwords are retrieved from the registry are they stored as base64?
Posts: 803
Threads: 135
Joined: Feb 2011
Passwords from the registry can be everything. Which password are you talking about?
It can be Windows passwords (LM, NTLM), it can be application password (FTP, etc.), please be more specific about the one(s) your have found.
Posts: 102
Threads: 35
Joined: Oct 2014
Here is one of the results from the registry pull.
HKEY_CURRENT_USER\Software\pdfforge\PDFCreator\Settings\ApplicationSettings\Accounts\TimeServerAccounts\0
Password REG_SZ xxxxxxmCO6g=
(I x'd out half of the password)
Posts: 2,301
Threads: 11
Joined: Jul 2010
There is no generic answer to that, it depends on the software that put the info there. The password could be hashed, encrypted or simply encoded.
Posts: 803
Threads: 135
Joined: Feb 2011
The '=' at the end *migth* be a padding, often used by base64/32 encoding.
+1 you need to know how the software writes it.
Posts: 102
Threads: 35
Joined: Oct 2014
Thanks for the info. I'll take a deeper look.
