# Introduction

- Credential hunting is the process of performing detailed searches across the file system and through various applications to discover credentials
- Windows machines have GUI and CLI tools that can be leveraged to this end
- Key terms to search for:
    - Passwords
    - Passphrases
    - Keys
    - Username
    - User account
    - Creds
    - Users
    - Passkeys
    - configuration
    - dbcredential
    - dbpassword
    - pwd
    - Login
    - Credentials
- Places we should keep in mind when credential hunting:
    - Passwords in Group Policy in the SYSVOL share
    - Passwords in scripts in the SYSVOL share
    - Passwords in scripts on IT shares
    - Passwords in `web.config` files on dev machines and IT shares
    - Passwords in `unattend.xml`
    - Passwords in the AD user or computer description fields
    - KeePass databases (if we are able to guess or crack the master password)
        - Found on user systems and shares
    - Files with names like `pass.txt`, `passwords.docx`, `passwords.xlsx` found on user systems, shares, and [SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration)
- Windows tools:
    - Windows built-in GUI search
        - `documents: password`
    - `findstr` at CLI
    - LaZagne
- Locations/methods may be different for Windows Server vs. Windows Desktop

```cmd
REM Search for the "password" pattern across different file types; vary the pattern as needed
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```

- Web browsers are some of the most interesting places to search for credentials, because many of them offer built-in credential storage
- There are many tools for decrypting the various credential databases associated with web browsers, such as [firefox_decrypt](https://github.com/unode/firefox_decrypt) and [decrypt-chrome-passwords](https://github.com/ohyicong/decrypt-chrome-passwords)
- `LaZagne` supports 35 different browsers on Windows

# Using LaZagne

- `LaZagne` is made up of modules, each of which targets different software when looking for passwords
- Common modules:

|Module|Description|
|---|---|
|browsers|Extracts passwords from various browsers including Chromium, Firefox, Microsoft Edge, and Opera|
|chats|Extracts passwords from various chat applications including Skype|
|mails|Searches through mailboxes for passwords including Outlook and Thunderbird|
|memory|Dumps passwords from memory, targeting KeePass and LSASS|
|sysadmin|Extracts passwords from the configuration files of various sysadmin tools like OpenVPN and WinSCP|
|windows|Extracts Windows-specific credentials targeting LSA secrets, Credential Manager, and more|
|wifi|Dumps WiFi credentials|

- Very beneficial to keep a [standalone copy](https://github.com/AlessandroZ/LaZagne/releases/) of `LaZagne` on our Kali host so we can quickly transfer it over to the target
    - `LaZagne.exe` works well
    - See `/opt` on the Kali host

![[images/Pasted image 20251009075336.png]]

- Once we have `LaZagne.exe` on the target machine, navigate to its location and execute it with the `all` modules option:

```cmd
C:\Windows\temp> start LaZagne.exe all
```

![[images/Pasted image 20251009075742.png]]
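
How the two commands in these notes look from the detection side, as an added example that is not part of the original notes or of the LaZagne project: it flags recursive `findstr` sweeps for the key terms listed above and LaZagne module invocations in process-creation command lines. It assumes command-line logging is enabled; `classify`, `scan` and `SAMPLE_EVENTS` are hypothetical names, and the events are constructed.

```python
import re

# Key terms taken from the page's search list (lowercased).
KEY_TERMS = ["password", "passphrase", "passkey", "cred", "dbcredential",
             "dbpassword", "pwd", "login"]
# Module names from the page's LaZagne table, plus the "all" option.
LAZAGNE_MODULES = {"all", "browsers", "chats", "mails", "memory",
                   "sysadmin", "windows", "wifi"}

FINDSTR_RE = re.compile(r'\bfindstr(?:\.exe)?\b(?P<args>.*)', re.I)
LAZAGNE_RE = re.compile(r'\blazagne(?:\.exe)?"?\s+(?P<module>\w+)', re.I)
RECURSE_RE = re.compile(r'(?:^|\s)/[a-z]*s[a-z]*(?=\s|$)')  # /S, /SIM, ...

def classify(cmdline):
    """Return findings for one process-creation command line."""
    findings = []
    m = LAZAGNE_RE.search(cmdline)
    # Name-based match only: a renamed binary needs hash or behaviour rules.
    if m and m.group("module").lower() in LAZAGNE_MODULES:
        findings.append("lazagne:" + m.group("module").lower())
    m = FINDSTR_RE.search(cmdline)
    if m:
        args = m.group("args").lower()
        literals = re.findall(r'/c:"([^"]+)"', args)
        hits = sorted({t for lit in literals for t in KEY_TERMS if t in lit})
        # Alert only on recursive sweeps, to skip single-file lookups.
        if hits and RECURSE_RE.search(args):
            findings.append("findstr-sweep:" + ",".join(hits))
    return findings

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r'findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml'),
    ("WS01", r'findstr /I /C:"error" app.log'),
    ("WS02", r'C:\Windows\temp\LaZagne.exe all'),
    ("WS03", r'notepad.exe C:\notes\lazagne-writeup.txt'),
]

def scan(events):
    """Return (host, finding) pairs for every flagged event."""
    return [(host, f) for host, cmd in events for f in classify(cmd)]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```
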