NAS/QNAP question!

[RocketRacoon]

Hello guys, im here looking for some knowlodge hope you can help me

Lets say we owned a network/domain have access to all workstation etc, but the tricky part in my case is the storage drives (nas, qnap etc)

I have found most of them are in WORKGROUP and not in the domain, sometimes you can find the passwords in browsers,txt etc

What you come around this, I mean if you dont have the passwords there is other way to attack it? bruteforce its seems not to work and domain password usually dont work aswell!

Also, there is any other way to take ownership of those drives!

Hopefully you can understand what im trying to say, thanks!

 

[fakeid]

If you don't have certain credentials and can't get into nas , esxi ...
You can try pulling the data-base config from your browser. They're at \c$\Users\admin-it\AppData\Local\Google\Chrome\User Data\Default.
You need the Login_data file.
1.Download DB Browser (SQLite)
2.Open this utility
3.Look at the saved passwords, they are encrypted
4. Change the user's password.

gl

 

[DimmuBurgor]

If you don't have certain credentials and can't get into nas , esxi ...
You can try pulling the data-base config from your browser. They're at \c$\Users\admin-it\AppData\Local\Google\Chrome\User Data\Default.
You need the Login_data file.
1.Download DB Browser (SQLite)
2.Open this utility
3.Look at the saved passwords, they are encrypted
4. Change the user's password.

gl

Would it not be easier to chrome://passwords?

 

[fakeid]

Would it not be easier to chrome://passwords?

this is used if you do not have the account password, but have domain admin access)

 

[RocketRacoon]

If you don't have certain credentials and can't get into nas , esxi ...
You can try pulling the data-base config from your browser. They're at \c$\Users\admin-it\AppData\Local\Google\Chrome\User Data\Default.
You need the Login_data file.
1.Download DB Browser (SQLite)
2.Open this utility
3.Look at the saved passwords, they are encrypted
4. Change the user's password.

gl

I dont think this can be an option, thanks anyway for taking time to answer, appreciated!

Would it not be easier to chrome://passwords?

I use an app that recover all saved passwords, from browsers, ftp clients etc, but only if the password has been previously saved, if not im f*cked, Thanks for your time!

 

[DimmuBurgor]

I dont think this can be an option, thanks anyway for taking time to answer, appreciated!

I use an app that recover all saved passwords, from browsers, ftp clients etc, but only if the password has been previously saved, if not im f*cked, Thanks for your time

Right. I was just saying that it'd be easier to view the passwords in chrome locally than manually grabbing login data from the user profile path, parsing, and etc.
Anyways, is your access mstsc or is it through msp rms? Even if it is the former, you should look for presence of the latter. If you can't find corp vpn creds maybe they are using hamachi for example. Maybe there's tunneling with AD. Check onmiscrosoft management. Can you tell if the baks are onsite? If not, what can of hosting platform is it on. Bandwidth, stress resistance? What kind of fuzzing can you do, find deprecated firmware for example. Was there nothing to gather from internal dialogue between employees? If there's not teams, or slack, check for twist, element, webex, etc.