Credential Hunting in Windows

Credential hunting involves systematically searching a compromised Windows system for stored or hardcoded credentials. This technique is highly effective after gaining access to a system, especially high-value targets like an IT administrator's workstation.


Scenario

You've gained RDP access to an IT admin’s Windows 10 workstation. This user is likely involved with network management and system configurations—prime areas where credentials may be stored or cached.


Search-Centric Methodology

Modern systems and applications have built-in search functionality, and you can use this to your advantage to locate saved credentials or notes. Your searches should be informed by:

What would an IT admin do that involves credentials?

This can help you reduce guesswork and increase the efficiency of your hunt.


Key Search Terms

Use these terms in searches via GUI tools or command line utilities:

Passwords       Passphrases       Keys
Username        User account      Creds
Users           Passkeys          Configuration
DBCredential    DBPassword        Login
PWD             Credentials

Tools & Techniques

Use the Windows search bar to look for any of the key terms. This may reveal:

  • Saved credentials in documents

  • Configuration files

  • Shortcut links to credential stores


Lazagne

LaZagne is a tool that automates the discovery of stored credentials in:

  • Web browsers

  • FTP clients

  • Email clients

  • Dev tools, etc.

📥 Execution Example:

Optional: add -vv to show detailed output.

💡 Output Example:

LaZagne can retrieve cleartext passwords from many applications; check the LaZagne GitHub "Supported Software" list for the full set.


Using findstr on CLI

Search across multiple file types for keywords like "password":

This searches all files of specified types, recursively, for the keyword password.
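The following script is an added example, not code from the page or from any tool it names. It applies the key search terms listed above in the same way the findstr search does (recursive walk, case-insensitive match, a fixed set of file types), but written as an audit report: every hit records the file, line number and matched term, and anything after the first "=" or ":" following the term is masked so the report itself does not become a credential store. The extension list and the sample files it writes into a temporary directory are constructed for the demo and are assumptions, not data from the page.

```python
import os
import re
import tempfile
from pathlib import Path

# The key search terms from the page, matched case-insensitively as whole words.
KEY_TERMS = [
    "passwords", "password", "passphrases", "keys", "username", "user account",
    "creds", "users", "passkeys", "configuration", "dbcredential", "dbpassword",
    "login", "pwd", "credentials",
]

# File types worth checking; an assumption for this example, extend as needed.
EXTENSIONS = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".yml", ".yaml", ".json"}


def build_term_regex(terms):
    """Compile one alternation so each line is scanned once."""
    pattern = r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b"
    return re.compile(pattern, re.IGNORECASE)


def redact_after(line, start):
    """Mask everything after the first '=' or ':' that follows the matched
    term, so the audit report does not itself leak the secret."""
    sep = re.search(r"[=:]", line[start:])
    if sep is None:
        return line.strip()
    cut = start + sep.end()
    return (line[:cut] + " [REDACTED]").strip()


def scan_tree(root, terms=KEY_TERMS, extensions=EXTENSIONS):
    """Walk root recursively and return one hit per matching line as
    {"path", "line", "term", "snippet"}, sorted by path then line number."""
    root = Path(root)
    term_re = build_term_regex(terms)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in extensions:
                continue
            # errors="ignore" keeps the scan going over odd encodings or binaries
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    m = term_re.search(line)
                    if m:
                        hits.append({
                            "path": path.relative_to(root).as_posix(),
                            "line": line_no,
                            "term": m.group(1).lower(),
                            "snippet": redact_after(line, m.start(1)),
                        })
    return sorted(hits, key=lambda h: (h["path"], h["line"]))


def build_sample_tree(root):
    """Write a few constructed files (not real data) that imitate what an
    admin workstation might hold, including one file type the scan skips."""
    root = Path(root)
    (root / "conf").mkdir(parents=True, exist_ok=True)
    (root / "notes.txt").write_text(
        "Backup server login: admin / ChangeMe123\n"
        "Wi-Fi passphrases are kept in the shared folder\n"
    )
    (root / "conf" / "app.config").write_text(
        '<add key="DBPassword" value="s3cret" />\n'
    )
    (root / "deploy.ps1").write_text(
        "$pwd = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force\n"
    )
    # .md is not in EXTENSIONS, so this file is deliberately not reported
    (root / "readme.md").write_text("password list below\n")


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for h in run_demo():
        print(f"{h['path']}:{h['line']} [{h['term']}] {h['snippet']}")
```

Run it as-is to see the four redacted hits from the constructed files; point scan_tree at a share or profile directory to audit real content. The redaction rule is deliberately simple (cut at the first separator after the term); tighten it before trusting the report in a ticket or mail.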


Credential remnants may exist across many places, especially on IT admin machines:

Location                       Description
SYSVOL shares                  Group Policy Preferences may store passwords in XML
IT shares                      Scripts with hardcoded credentials
web.config                     Dev servers might store DB logins here
unattend.xml                   Used during Windows setup, may store plaintext passwords
AD user/computer descriptions  Sometimes include credentials
KeePass databases              Look for .kdbx files; extract & crack master key
Shared drives / user folders   Files like pass.txt, passwords.docx, etc.
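Two of the locations in the table, SYSVOL Group Policy Preferences XML and unattend.xml, have a fixed structure, so their stored passwords can be found with a parser rather than a keyword search. The script below is an added audit example, not code from the page: it reports where a password is stored (element and surrounding section) without returning the value, which is what a defender needs to clean the files up. GPP files mark a stored password with a cpassword attribute on the Properties element; unattend.xml stores them in elements ending in Password with a Value child and a PlainText flag (PlainText false only base64-encodes the value, so both cases are findings). Both XML documents here are constructed samples with placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GPP Groups.xml; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" changed="2024-01-05 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed sample of an unattend.xml with one plaintext and one encoded password.
SAMPLE_UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>SamplePass123</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>U2FtcGxlUGFzc3dvcmQ=</Value><PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{urn:...}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def find_gpp_cpassword(xml_text):
    """Report every element carrying a non-empty cpassword attribute.
    The value itself is deliberately not returned."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.attrib.get("cpassword"):
            findings.append({
                "element": _local(el.tag),
                "account": el.attrib.get("userName") or el.attrib.get("name", ""),
            })
    return findings


def find_unattend_passwords(xml_text):
    """Report *Password elements that carry a Value, noting whether PlainText
    is true and which section (AutoLogon, UserAccounts, ...) holds them."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if not _local(el.tag).endswith("Password"):
            continue
        value, plaintext = "", False
        for child in el:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if value:
            parent = parents.get(el)
            findings.append({
                "element": _local(el.tag),
                "section": _local(parent.tag) if parent is not None else "",
                "plaintext": plaintext,
            })
    return findings


def audit_xml(xml_text):
    """Pick the right check from the document's root element."""
    if _local(ET.fromstring(xml_text).tag) == "unattend":
        return find_unattend_passwords(xml_text)
    return find_gpp_cpassword(xml_text)


if __name__ == "__main__":
    for label, doc in (("Groups.xml", SAMPLE_GROUPS_XML), ("unattend.xml", SAMPLE_UNATTEND_XML)):
        for f in audit_xml(doc):
            print(label, f)
```

The cpassword check is attribute-based on purpose: Groups.xml is the common case, but the same attribute appears in other GPP preference files, so the function works on any of them without a per-file schema.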


Final Thoughts

Always tailor your hunt based on:

  • System role (e.g., server vs. desktop)

  • User profile (e.g., IT admin vs. regular user)

  • Application usage

By understanding how a system is used, you improve your chances of finding critical credentials that aid lateral movement or privilege escalation.
