# Look for Credentials
Finding creds is a key way to gain a foothold. Default passwords are common in many environments. If the target uses a CMS, look up the config files for whatever CMS is in use and scan them for credentials. Sometimes shell histories and backups contain creds.
NOTE: If you find credentials, try them everywhere!
# Windows
Registry backups:
c:\windows\system32\config\RegBack
PowerShell history:
type C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# LFI (Local File Inclusion)
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
# Hashcat
# Procdump
procdump.exe
# SharpDump
You can dump lsass with SharpDump (mimikatz is radioactive): https://github.com/GhostPack/SharpDump
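Seen from the defender's side, the LSASS reads that Procdump and SharpDump perform show up in Sysmon Event ID 10 (ProcessAccess) records. The following is an added example, not part of the original notes: it filters such records for non-allowlisted processes that open lsass.exe with memory-read rights. The "Key=Value; ..." export format, the sample events and the allowlist are constructed assumptions.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumption: system processes expected to open LSASS on this host; tune per environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed sample records in a simplified "Key=Value; ..." export, not real telemetry.
SAMPLE = "\n".join([
    r"EventID=10; SourceImage=C:\Windows\System32\csrss.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1fffff",
    r"EventID=10; SourceImage=C:\Users\bob\Downloads\procdump.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1fffff",
    r"EventID=10; SourceImage=C:\Temp\SharpDump.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1410",
    r"EventID=10; SourceImage=C:\Windows\System32\Taskmgr.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1000",
    r"EventID=10; SourceImage=C:\Users\bob\Downloads\procdump.exe; TargetImage=C:\Windows\System32\notepad.exe; GrantedAccess=0x1fffff",
    r"EventID=1; Image=C:\Windows\System32\whoami.exe",
])

def parse_event(line):
    """Turn 'Key=Value; Key=Value' into a dict; values may contain spaces."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    return fields

def suspicious_lsass_access(log_text, allowlist=ALLOWLIST):
    """Return (SourceImage, GrantedAccess) for non-allowlisted memory reads of lsass.exe."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events are relevant
        if ntpath.basename(ev.get("TargetImage", "")).lower() != "lsass.exe":
            continue
        try:
            access = int(ev.get("GrantedAccess", ""), 16)
        except ValueError:
            continue  # missing or malformed access mask: skip the record
        source = ev.get("SourceImage", "")
        # Mask for the read bit instead of matching fixed GrantedAccess values.
        if access & PROCESS_VM_READ and source.lower() not in allowlist:
            hits.append((source, hex(access)))
    return hits

if __name__ == "__main__":
    for source, access in suspicious_lsass_access(SAMPLE):
        print(f"ALERT lsass memory read by {source} (GrantedAccess={access})")
```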
# pypykatz
You can transfer an lsass dump to a machine you control and dump creds with pypykatz: https://github.com/skelsec/pypykatz
pypykatz lsa minidump debug788.bin
# SecLists
Big repository of passwords to use when bruteforcing: https://github.com/danielmiessler/SecLists.git
# Firefox passwords
You can use firefox_decrypt and point it to the directory where profiles.ini lives.
git clone https://github.com/unode/firefox_decrypt
./firefox_decrypt.py ../home/carlJ/.mozilla/firefox/