Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
Supported Platforms: macOS
python2 laZagne.py all
Extracting credentials from files
Supported Platforms: macOS, Linux
Name | Description | Type | Default Value |
---|---|---|---|
file_path | Path to search | String | / |
grep -ri password #{file_path}
Mimikatz/kittenz - This test requires a Mimikatz executable or the invoke-mimikittenz PowerShell module.
Supported Platforms: Windows
invoke-mimikittenz
mimikatz.exe
Extracting Credentials from Files
Supported Platforms: Windows
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
Attempts to read unattend.xml, which commonly contains credentials left over from unattended installs, within the Panther directory where Windows setup logs are stored.
Supported Platforms: Windows
cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1
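Detection logic covering the tests above, as an added example that is not part of the original page or of the Atomic Red Team project: it runs command-line pattern rules over constructed process-creation events and summarizes hits per host. The event field names, rule names and sample command lines are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# names host/user/cmd are assumed and would map to your EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmd": r"cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1"},
    {"host": "ws01", "user": "alice", "cmd": "findstr /si pass *.xml *.doc *.txt *.xls"},
    {"host": "srv02", "user": "svc_backup", "cmd": "grep -ri password /etc"},
    {"host": "ws03", "user": "bob", "cmd": "python2 laZagne.py all"},
    {"host": "ws03", "user": "bob", "cmd": "powershell -c invoke-mimikittenz"},
    {"host": "ws04", "user": "carol", "cmd": r"notepad.exe C:\Users\carol\notes.txt"},
]

# Rules mirror the atomic test commands on this page. Rule names are assumed.
# Searches for "password" are noisy in developer environments; baseline them.
RULES = [
    ("unattend_xml_read", re.compile(r"\\panther\\(unattend\\)?unattend\.xml", re.I)),
    ("findstr_password", re.compile(r"\bfindstr\b.*\bpass", re.I)),
    ("grep_password", re.compile(r"\bgrep\b.*\bpassword\b", re.I)),
    ("select_string_password", re.compile(r"select-string\b.*\bpassword\b", re.I)),
    ("lazagne", re.compile(r"\blazagne(\.py|\.exe)?\b", re.I)),
    ("mimikittenz", re.compile(r"invoke-mimikittenz", re.I)),
    ("mimikatz", re.compile(r"\bmimikatz(\.exe)?\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Produce one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "rules": hits, "cmd": ev["cmd"]})
    return alerts


def summarize_by_host(alerts):
    """Collapse alerts to host -> sorted list of distinct rules, for triage ordering."""
    summary = {}
    for a in alerts:
        summary.setdefault(a["host"], set()).update(a["rules"])
    return {h: sorted(r) for h, r in summary.items()}


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["rules"], alert["cmd"])
    print(summarize_by_host(scan(SAMPLE_EVENTS)))
```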