Hello and welcome back to this course. In this video we're going to be talking about gaining access to credentials that are cached on a system, and in this particular video we're going to be talking about the Windows registry. If you're not familiar with it, the Windows registry is essentially just a giant configuration file or database for the Windows operating system and the applications that run on it. Essentially, if you've got a program running on Windows and it wants to ensure that certain information persists across reboots, is accessible, etc., it's probably somewhere in the registry. Messing around with the registry can be dangerous if you don't know what you're doing; however, what we're going to be doing in this video, which is reading from the registry, is fairly safe. The reason we're talking about the registry in this credential access video is that configuration files, which as I mentioned is what the registry essentially is, can include useful or sensitive information. For example, I've got this particular registry key open because of this right here: we have a registry value with the name Vimeo password. The password here isn't the real one, but it shows that it's possible for an application to have useful information cached in the registry. Even if we don't get so lucky as to find an actual password in the registry, there is the potential that we might find pointers to passwords or things nearly as good as passwords. For example, if you've got PuTTY for using SSH on Windows, then the registry includes entries for the locations of the private key files if you're using RSA keys or something similar for logins. So by searching through the registry we can quickly and more easily find that sensitive information on a system. I said that the registry doesn't have a lot in the way of password information in theory, but actually it's the main location for a lot of password information.
We're not going to be working through this now, but the Windows SAM file is essentially where a lot of the user credentials are cached on a system. If you use a tool to dump the SAM file, like Mimikatz, you could then extract password hashes and work on cracking those as well. I'm not going to dive into that in this video, but it's another useful thing to know. So let's talk about searching the Windows registry. Lucky for us, when we're using Python there's a library called winreg that provides all of the functionality we need if we want to access the Windows registry, read data from it, edit registry keys, etc. We can use it for a variety of different purposes, but our goal here is just to do a keyword search through the registry: what we want is anything that matches certain keywords that might indicate useful information. In this particular case we're going to look for two keywords, password and key file. When I opened up the registry editor a moment ago and pointed out that Vimeo password value, our password keyword should match that, so we should see it pop up in our results; if we didn't know it was there, we could discover it. We're going to use key file as well because, as I mentioned, PuTTY caches the locations of the RSA keys in the registry, and key file is a keyword that should trigger for that. So we should get a couple of interesting results here for sure. Now we have to talk about registry hives. When I had the registry open here, we saw a couple of different top-level directories: HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and HKEY_USERS. These are the registry hives, essentially the top-level keys for the registry. Current user, as you might guess, is associated with the user account I'm using right now. Local machine is for this computer. And then HKEY_USERS under the hood has keys for each of the user accounts on this machine.
This particular key pretty much exactly matches HKEY_CURRENT_USER. So we're going to be looking through these three, current user, local machine and users, for anything that we can find that's interesting on the system. Those, like I said, are called registry hives, and we'll loop over them. In this particular case we're going to call a function called search_registry_keys, passing a hive, a directory location and keywords. I've included all three of these hives, but we're really only going to be able to search two of them because of the current structure of the directory: HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE both have a Software directory at the top level; HKEY_USERS does not, it's buried one level deeper. We could write the code to address that, but that adds another layer of complexity that we don't want to get into right now. So we're not actually going to get any results from HKEY_USERS, but we could if we either changed our search string to look for a particular user account, or if we set this up to iterate over every user account within the registry as well. Our search_registry_keys is just a helper function. We're going to pass in the hive, which is a combination of a printable representation of the hive and a winreg identifier for it, the path that we're looking at, and our keywords, and we'll pass those to a function called traverse_subkeys, which will recursively search through the registry for those keywords. In the registry we've got two different types of information that we need to search through, and the easiest way to think of them is as files and directories. As we saw in the registry editor, we have the potential for nested keys, which are equivalent to nested directories, and then within each key we can have multiple different values. So as we're recursively searching through the registry, we need to look through and see, for a particular key: is there anything of interest in its values?
And then does it have any subkeys? If so, we should search through them as well. We'll start out by looking at the values in this particular key. What we're going to do is call a function called values and pass it the hive, so HKLM (HKEY_LOCAL_MACHINE), HKEY_CURRENT_USER, etc., and then the path we're looking at. We're going to start out with just Software, but this path will change as we recurse through the structure of the registry. Our values function is defined right here. What we're going to do first is take advantage of winreg to open a handle to the key whose path we're indicating here, so we'll start out by opening up HKEY_LOCAL_MACHINE\Software. If we open that key successfully, we're going to call QueryInfoKey, and the reason for this is that QueryInfoKey returns a tuple of values: the first value is the number of subkeys, the second value is the number of values in that particular key. So if we call QueryInfoKey and then ask for the second element, index 1, we know the number of values that are stored there. The reason we need this is that if we're going to use the EnumValue function to request a value for a particular key, we need to know its index, and if we know the total number of values we can iterate over those indices, pulling out each value. Here we're using the yield keyword so that this function will create a generator; essentially the result of calling this function is that we'll have something we can iterate over. We open the key, query to find the number of values, iterate over those values, and each value is added to that generator, which we can then iterate over down here in traverse_subkeys. For each of these values, we can then check to see if it meets our criteria for a match. Here we're going to use a list comprehension for our matching: we're going to iterate over our list of keywords.
That's just password and key file right now, and we see if those words are within the value. value[0] is the name of the value, so for example, for the one we saw in the registry, this would be Vimeo password. If we convert that to lowercase with the lower function and try to match it with the lowercase string password, we're going to get True there. Then if we iterate through and try to match it with key file we're going to get False, so we've got a list that says [True, False]. Here we're going to determine if we got any hits by checking whether True is in that list; we have a True and a False, so there is a True in that list, the result of this entire statement is True for that Vimeo password value, and so matches is True. Then if matches is True we're also going to test value[2], which is the third element in the tuple we get back from querying a value, to see if it's in stringVals. stringVals is just a list of the identifiers for the different string data types in the registry: REG_SZ, REG_MULTI_SZ and REG_EXPAND_SZ can all hold strings. We're looking for strings because when we're doing this keyword search we're looking for passwords and potentially for the file names and paths of key files, and both of those are going to be string data types. If we don't have this test here we're going to get a lot of false positives. There are a lot of keys and values in the Windows registry that have the word password in them but have a binary value, some sort of indication of whether something is enabled or not. If we ignore all of those results then we're only going to pull out the ones that have a chance of being what we actually want. So if we've got something that matches our keyword and the corresponding data for that value is a string, we'll test to see if that value's length is greater than zero; we don't want empty strings.
Then we also have one more test. Often we'll find values in the registry where you have a number stored as a string, so maybe 10.0. That's not a password and it's not a key file path, so it's not something we want. This little statement here is designed to determine if we've got a number. The way you can do that is you take the actual data that's associated with this value and use the replace function to replace a single period with nothing, so delete a single period; that ", 1" says only do it once. That means if we have a floating point value like 10.0 it becomes 100. Then we can call isdigit on that, which will determine if everything in there is a digit now. Since we've deleted a single period, floating point values will all be numbers then. If that's true then we're going to ignore this result, because we want real strings, we don't want numbers. In the case where we get a result, we're going to print it out saying, okay, this is the hive name we're in, here is the path, here is the name of the value we've extracted and here's the data value associated with it. That covers the case where we've looked through the values associated with this particular key. In our file/directory scheme we've looked at all the files in this folder; now we need to look at any nested directories. For that we can call a subkeys function to enumerate those subkeys. This works identically to our value enumeration function. The only differences are that we pull the first value from the result of QueryInfoKey, because that's the number of subkeys, and then we call EnumKey instead of EnumValue. Otherwise it's exactly the same: we're iterating with that enumeration function and creating a generator that we can iterate over down here in traverse_subkeys.
For each of these subkeys, what we get is the string that describes where we can find it. So if we started out with Software, we might get Microsoft as our subkey. What we can do is combine that with our current path to get the key name for the key that we're looking at now, just like you might have started out with C:\ and then put on Users to get C:\Users: we're putting our current path and the subkey that we've just extracted together. Once we've done that, we're also going to see if we've got a match in that subkey's name. If we have a match in the name of that subkey, then we want to record the value of that subkey. It's the same sort of statement here, just in case one of our subkeys happens to have the name password in it; we want to grab the value associated with it. So if that's true, we're going to ask for its value and perform those same tests, and if we've got something that passes our tests we'll print it out. Then once we're done there we're going to call traverse_subkeys recursively with the name of the hive that we're using, so something like HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc., the sub path that we've created here, and the keywords we're looking for. So this shows how to perform a keyword search through the Windows registry. Now let's give it a run. We'll call python regssearch.py, give it a couple of moments, and it starts to print out results. Already here we're starting to see that we get false positives: this isn't a password, not helpful to us; we're seeing things like this, not helpful, etc. Eventually if we search through we'll actually get a couple of results that we want. For example, here I mentioned that things like PuTTY, and in this case WinSCP, store the location of key files in the Windows registry.
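The search walked through above, written as an added example for auditing your own hosts for cached secrets (this is not the course's regssearch.py): the course's filters live in is_candidate() so they can be checked on any platform, and traverse() imports winreg only when the walk actually runs on Windows. The names is_candidate, traverse and looks_numeric are mine, and spelling the second keyword "keyfile" (no space) is an assumption about the course's keyword list.

```python
"""Keyword audit of the Windows registry (added example, not the course's regssearch.py).
is_candidate() holds the course's filters and is platform-independent; traverse() does
the recursive walk and imports winreg only when it runs on Windows."""
import sys

KEYWORDS = ("password", "keyfile")  # assumption: the course spells its second keyword "keyfile"
STRING_TYPES = {1, 2, 7}  # winreg REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ: types that hold text

def looks_numeric(text):
    """The course's test: drop one period, then check for digits only ("10.0" -> "100")."""
    return text.replace(".", "", 1).isdigit()

def is_candidate(name, data, reg_type, keywords=KEYWORDS):
    """True when a registry value is worth reporting."""
    if not any(k in name.lower() for k in keywords):
        return False                   # name does not mention a keyword
    if reg_type not in STRING_TYPES:
        return False                   # binary/DWORD flags such as an "enabled" bit
    if isinstance(data, list):         # REG_MULTI_SZ comes back as a list of strings
        data = " ".join(data)
    if not data:
        return False                   # empty string
    return not looks_numeric(data)     # version numbers stored as strings

def traverse(hive, path, keywords=KEYWORDS, hits=None):
    """Recursively collect (path, name, data) for candidate values under hive\\path."""
    import winreg                      # Windows-only standard-library module
    if hits is None:
        hits = []
    try:
        key = winreg.OpenKey(hive, path)
    except OSError:
        return hits                    # access denied or missing key: skip it
    with key:
        n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
        for i in range(n_values):
            name, data, reg_type = winreg.EnumValue(key, i)
            if is_candidate(name, data, reg_type, keywords):
                hits.append((path, name, data))
        for i in range(n_subkeys):
            traverse(hive, path + "\\" + winreg.EnumKey(key, i), keywords, hits)
    return hits

if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    roots = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for label, hive in roots:
        for hit in traverse(hive, "Software"):
            print(label, *hit)
```

HKEY_USERS is left out for the reason given in the video: its Software keys sit one level deeper, under each user's SID, so the walk would have to start from each of those subkeys instead.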
We got a hit here for public key file and the directory where a private key for AWS is stored. Right below it we get another key file for PuTTY. By extracting these, we could just do a simple search for common extensions for key files, and if our results match any of those extensions, we grab the file at that location and it gives us access to that remote computer. A little bit further down we've got the Vimeo password that we saw, and then just a lot more false positives. So this approach to finding credentials doesn't guarantee any results, and there are a lot of false positives to weed through. However, by searching through the registry we might get lucky and either find some passwords or make it easier to find information of interest, things like these WinSCP and PuTTY key files. Thank you.