You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: presence/windows/blind.md
+3-4Lines changed: 3 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,3 @@
1
-
2
1
# Windows Blind Files
3
2
4
3
In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
@@ -9,8 +8,8 @@ The files below are things to pull when all you can do is to blindly read. Examp
9
8
| -------- | ------------------------ |
10
9
|`%SYSTEMDRIVE%\boot.ini`| A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. **WARNING - in more recent versions of Windows this file in no longer there.**|
11
10
|`%WINDIR%\win.ini`| This is another file that can be counted on to be readable by all users of a system. |
12
-
|`%SYSTEMROOT%\repair\SAM`<br>`%SYSTEMROOT%\System32\config\RegBack\SAM`| Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
13
-
|`%SYSTEMROOT%\repair\system`<br>`%SYSTEMROOT%\System32\config\RegBack\system`| This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
11
+
|`%SYSTEMROOT%\repair\SAM`<br>`%SYSTEMROOT%\System32\config\SAM`<br>`%SYSTEMROOT%\System32\config\RegBack\SAM`| Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
12
+
|`%SYSTEMROOT%\repair\SYSTEM`<br>`%SYSTEMROOT%\System32\config\SYSTEM`<br>`%SYSTEMROOT%\System32\config\RegBack\SYSTEM`| This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
14
13
|`%SYSTEMDRIVE%\autoexec.bat`| autoexec.bat is a startup script that executes at startup. As [Webopedia states](http://www.webopedia.com/TERM/A/autoexec_bat.html), “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.” |
15
14
|`%SYSTEMDRIVE%\pagefile.sys`| This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. |
16
15
|`%SYSTEMROOT%\repair\SAM` <br> `%SYSTEMROOT%\System32\config\RegBack\SAM`| These files store the LM and NTLM hashes for local users. Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. |
@@ -26,4 +25,4 @@ The files below are things to pull when all you can do is to blindly read. Examp
26
25
|`%WINDIR%\system32\config\default.sav`<br>`%WINDIR%\system32\config\security.sav`<br>`%WINDIR%\system32\config\software.sav`<br>`%WINDIR%\system32\config\system.sav`| Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries)|
27
26
|`%WINDIR%\system32\logfiles\httperr\httperr1.log`| IIS 6.x web server error logs. |
28
27
|`%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. |
29
-
|`unattend.txt, unattend.xml, unattended.xml, sysprep.inf`| Used in the automated deployment of Windows images and can contain user accounts. Sometimes found in the `%WINDIR%\Panther\` directory. |
28
+
|`unattend.txt, unattend.xml, unattended.xml, sysprep.inf`| Used in the automated deployment of Windows images and can contain user accounts. Sometimes found in the `%WINDIR%\Panther\` directory. |
0 commit comments