Credential Hunting is the process of performing detailed searches across the file system and through various applications to discover credentials.

Search Centric

In this case, we know we have access to an IT admin's workstation.

What might an IT admin be doing on a day-to-day basis, and which of those tasks may require credentials?

We can use this question to refine our search and reduce random guessing as much as possible.

Key Terms to Search

Whether we end up with access to the GUI or the CLI, we will have some tools to use for searching, but just as important is knowing exactly what we are searching for.

Some helpful key terms to discover creds are:

Passwords, Passphrases, Keys
Username, User account, Creds
Users, Passkeys, Passphrases
configuration, dbcredential, dbpassword
pwd, Login, Credentials
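
The same key terms can drive a defensive audit of our own admin workstations, so exposed files are found and cleaned up first. The PowerShell below is an added example, not part of the original notes or of any tool named here; the function name Find-CredentialExposure, the extension list, the size limit and the sample files are assumptions made for illustration.

```powershell
# Added example: audit a directory tree for files that mention credential key terms.
# Output is file, line number and matched term only; line contents are never printed.
$KeyTerms = @('password','passphrase','passkey','key','username','user account','user',
              'creds','credential','dbcredential','dbpassword','pwd','login','configuration')

function Find-CredentialExposure {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed defaults: text-like extensions and a 1 MB cap to skip large binaries.
        [string[]] $Extensions = @('.txt','.ini','.cfg','.config','.xml','.json','.ps1','.bat'),
        [long] $MaxBytes = 1MB
    )
    # Letter lookarounds stop short terms ("key", "pwd") matching inside longer words
    # while still matching db_password or Passwords; s? covers plurals.
    $alternation = ($KeyTerms | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "(?<![a-z])($alternation)s?(?![a-z])"

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension -and $_.Length -le $MaxBytes } |
        ForEach-Object {
            $file = $_
            # A telling file name (passwords.txt) is a finding even if the content is clean.
            if ($file.BaseName -match $pattern) {
                [pscustomobject]@{ File = $file.FullName; Line = 0
                                   Term = $Matches[1].ToLower(); Source = 'name' }
            }
            Select-String -LiteralPath $file.FullName -Pattern $pattern -AllMatches `
                          -ErrorAction SilentlyContinue | ForEach-Object {
                $hit = $_
                foreach ($m in $hit.Matches) {
                    [pscustomobject]@{ File = $file.FullName; Line = $hit.LineNumber
                                       Term = $m.Groups[1].Value.ToLower(); Source = 'content' }
                }
            }
        }
}

# Constructed sample files so the example runs offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'cred-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'deploy.ini') -Value '[db]', 'dbpassword=EXAMPLE-ONLY'
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'Reset the login for the user account'
Find-CredentialExposure -Path $demo | Sort-Object File, Line | Format-Table -AutoSize
```

Each hit is a candidate for moving the secret into a vault or password manager and removing the file copy.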

Search Tools

With access to the GUI, it is worth attempting to use Windows Search to find files on the target using some of the keywords mentioned above.

We can also take advantage of third-party tools like LaZagne to quickly discover credentials that web browsers or other installed applications may insecurely store.

It would be beneficial to keep a standalone copy of LaZagne on our attack host so we can quickly transfer it over to the target.

Running LaZagne All

In PowerShell:

start lazagne.exe all

This will execute LaZagne and run all included modules. We can include the option -vv to study what it is doing in the background.