Credential Harvesting and Password Attacks

Memory credential extraction recovers cleartext passwords, hashes, and tokens from the memory of running processes. Mimikatz is subject to OSCP usage restrictions, but the underlying memory-analysis concepts remain valuable, and alternative tools such as ProcDump combined with offline analysis achieve similar results. Focus on the concepts rather than specific tools, because the principles apply across implementations.

Extracting password hashes from the SAM, SYSTEM, and SECURITY registry hives enables offline cracking. Volume Shadow Copy access bypasses the file locks held on a running system, and backup privileges often permit reading these otherwise protected files. Weak passwords crack quickly once the hashes are extracted: tools such as Hashcat reach billions of attempts per second on modern hardware.
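From the defender's side, the memory-dump and hive-extraction activity described above leaves distinctive process-creation telemetry. The following Python is an added example (not part of the original text) that flags hive exports, shadow-copy creation and LSASS dumps in constructed Sysmon-style Event ID 1 records, then correlates hits per user so that a chain of techniques stands out; the field names mirror Sysmon but the records themselves are made up.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv", "User": "CORP\\svc_backup"},
    {"id": "2", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:", "User": "CORP\\svc_backup"},
    {"id": "3", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe out.dmp", "User": "CORP\\jdoe"},
    {"id": "4", "Image": r"C:\Windows\System32\reg.exe",   # benign baseline, must not fire
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", "User": "CORP\\jdoe"},
]

# Detection rules: (name, regex applied to the lower-cased, whitespace-normalised command line).
RULES: List[Tuple[str, re.Pattern]] = [
    # reg.exe exporting one of the credential-bearing hives
    ("hive_export", re.compile(r"\breg(?:\.exe)?\s+save\s+.*\bhklm\\(?:sam|system|security)\b")),
    # shadow copy creation, used to read locked hive files on a live system
    ("shadow_copy_created", re.compile(
        r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b|\bwmic(?:\.exe)?\s+shadowcopy\s+call\s+create\b")),
    # ProcDump pointed at the LSASS process
    ("lsass_dump", re.compile(r"\bprocdump(?:64)?(?:\.exe)?\b.*\blsass(?:\.exe)?\b")),
]


def normalise(cmd: str) -> str:
    """Collapse whitespace and lower-case so spacing/casing tricks do not evade the rules."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every record whose command line matches a rule."""
    hits = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev["id"], name))
    return hits


def correlate_by_user(events: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, Set[str]]:
    """Users that triggered at least `min_rules` distinct rules: a likely credential-dump chain."""
    by_id = {ev["id"]: ev for ev in events}
    seen: Dict[str, Set[str]] = {}
    for ev_id, rule in detect(events):
        seen.setdefault(by_id[ev_id]["User"], set()).add(rule)
    return {user: rules for user, rules in seen.items() if len(rules) >= min_rules}
```

Against the constructed records, `detect` fires on events 1 to 3 and stays quiet on the `reg query` baseline, and `correlate_by_user` singles out the account that both exported a hive and created a shadow copy.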

Credential hunting through the file system frequently yields cleartext passwords. Common locations include configuration files, scripts, scheduled-task XML files, and IIS application pool settings. Unattended installation files, Group Policy Preferences, and SYSVOL shares have historically contained passwords. Develop a systematic approach to credential searching, as exposed passwords often provide an easier escalation path than technical exploits.

Keylogging and clipboard monitoring capture credentials while they are in active use. Although these techniques require an existing compromise, the credentials they gather support escalation or lateral movement. Simple PowerShell scripts implement basic keyloggers, while more advanced tools add screenshot capture and clipboard monitoring. Deploy judiciously to avoid detection while maximizing credential capture.