Credential Hunting

Key Terms to Search
Passwords Passphrases Keys
Username User account Creds
Users Passkeys Passphrases
configuration dbcredential dbpassword
pwd Login Credentials

Search Tools

We can also take advantage of tools like Lazagne to quickly discover credentials that web browsers or other installed applications may insecurely store.

C:\Users\bob\Desktop> start lazagne.exe all

Lazagne Output

|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


########## User: bob ##########

------------------- Winscp passwords -----------------

[+] Password found !!!
URL: 10.129.202.51
Login: admin
Password: SteveisReallyCool123
Port: 22

findstr to search from patterns across many types of files. Keeping in mind common key terms, we can use variations of this command to discover credentials on a Windows target:

C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml

Additional Considerations

There are thousands of tools & key terms we could use to hunt for credentials on Windows operating systems. Know that which ones we choose to use will be primarily based on the function of the computer. If we land on a Windows Server OS, we may use a different approach than if we land on a Windows Desktop OS. Always be mindful of how the system is being used, and this will help us know where to look. Sometimes we may even be able to find credentials by navigating and listing directories on the file system as our tools run.

Here are some other places we should keep in mind when credential hunting:

  • Passwords in Group Policy in the SYSVOL share
  • Passwords in scripts in the SYSVOL share
  • Password in scripts on IT shares
  • Passwords in web.config files on dev machines and IT shares
  • unattend.xml
  • Passwords in the AD user or computer description fields
  • KeePass databases --> pull hash, crack and get loads of access.
  • Found on user systems and shares
  • Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint