# Credential Hunting in Windows

### What is Credential Hunting?

Credential hunting is the process of performing detailed searches across the file system and through installed applications on a compromised Windows host to discover stored credentials. The goal is to find credentials that expand your access — to other systems, services, or higher privilege accounts.

**Key mindset:** Base your search on *how the machine is being used*. An IT admin's workstation will have very different credential stores than a developer's machine or a file server.

***

### Key Terms to Search For

Use these as search strings across files, configs, and the registry:

```
password        passphrase      pwd
keys            username        user account
creds           users           passkeys
login           credentials     configuration
dbcredential    dbpassword
```

***

### Method 1 — Windows Search (GUI)

If you have GUI access (e.g. via RDP), use the Windows Search bar with the key terms above. By default it searches OS settings, installed apps, and the file system.

Quick and noisy but useful for a first pass.

***

### Method 2 — LaZagne (Automated Credential Extraction)

**LaZagne** is a post-exploitation tool that extracts credentials stored insecurely by a wide range of applications. It supports 35+ browsers on Windows and covers sysadmin tools, chat apps, mail clients, and more.

Transfer `LaZagne.exe` to the target (for example by copy/paste over an xfreerdp RDP session, or any other file transfer method), then run:

```cmd
start LaZagne.exe all
```

Add `-vv` to see verbose output of what it's checking:

```cmd
start LaZagne.exe all -vv
```

#### LaZagne Modules

| Module     | What It Targets                              |
| ---------- | -------------------------------------------- |
| `browsers` | Chrome, Firefox, Edge, Opera — stored logins |
| `chats`    | Skype and other chat apps                    |
| `mails`    | Outlook, Thunderbird mailboxes               |
| `memory`   | KeePass databases, LSASS                     |
| `sysadmin` | OpenVPN, WinSCP config files                 |
| `windows`  | LSA secrets, Credential Manager              |
| `wifi`     | Saved Wi-Fi credentials                      |

**Example output:**

```
------------------- Winscp passwords -----------------
[+] Password found !!!
URL: 10.129.202.51
Login: admin
Password: SteveisReallyCool123
Port: 22
```

> Web browsers and sysadmin tools (WinSCP, PuTTY, etc.) are the most common sources of cleartext credentials. Many apps store credentials with weak or no encryption.

***

### Method 3 — findstr (CLI Search)

`findstr` is the Windows equivalent of `grep`. Use it to search for credential-related strings across multiple file types at once:

```cmd
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```

**Flag breakdown:**

* `/S` — search recursively through subdirectories
* `/I` — case-insensitive
* `/M` — print only the filename (not every matching line)
* `/C:"password"` — literal string to search for

Run multiple times with different key terms (`creds`, `pwd`, `username`, etc.).

***

### High-Value Locations to Check Manually

Beyond automated tools, these specific locations frequently contain credentials:

| Location                            | What to Look For                                                                        |
| ----------------------------------- | --------------------------------------------------------------------------------------- |
| `SYSVOL` share (`\\domain\SYSVOL`)  | Group Policy Preferences (GPP) with embedded passwords, login scripts                   |
| IT/Admin network shares             | Scripts, config files, deployment packages                                              |
| `C:\inetpub\` or dev shares         | `web.config` files with DB connection strings                                           |
| `C:\Windows\Panther\unattend.xml`   | Unattended install files — often contain local admin passwords in base64                |
| AD user/computer description fields | Admins sometimes store passwords in the Description field (visible to all domain users) |
| KeePass `.kdbx` files               | If you can find and crack/guess the master password                                     |
| User desktops, Documents, Downloads | Files named `pass.txt`, `passwords.docx`, `passwords.xlsx`, `creds.txt`                 |
| SharePoint / internal wikis         | Search for the same key terms                                                           |

***

### Adapt Based on System Role

| System Type          | Focus Areas                                                     |
| -------------------- | --------------------------------------------------------------- |
| IT Admin workstation | WinSCP, PuTTY, RDP saved creds, browser passwords, scripts      |
| Developer machine    | `web.config`, `.env` files, git repos, IDE credential stores    |
| Windows Server       | Service account configs, scheduled task credentials, IIS config |
| Domain Controller    | SYSVOL scripts, GPP files, AD description fields                |

***

### Key Points

* **Always run LaZagne first** on a Windows foothold — it covers the most ground automatically and often returns cleartext credentials immediately.
* **findstr is your manual grep** — combine it with multiple key terms and file extensions for thorough coverage.
* **`unattend.xml`** is a classic finding. Located at `C:\Windows\Panther\unattend.xml` — base64-encoded passwords are common there and trivially decoded.
* **GPP passwords in SYSVOL** — Group Policy Preferences used to support embedding credentials (pre-MS14-025). These are AES-256 encrypted but Microsoft published the key, so they're trivially decrypted. Look for `Groups.xml`, `ScheduledTasks.xml`, `Services.xml` in SYSVOL.
* **AD description fields** — run `Get-ADUser -Filter * -Properties Description | Select Name, Description` to sweep the entire domain at once.
* **Browser credentials** are encrypted but tools exist to decrypt them (`firefox_decrypt`, `decrypt-chrome-passwords`). LaZagne handles most of these automatically.
* **Think about the user's role.** An IT admin's workstation is more valuable than a regular user's precisely because they interact with more systems and therefore have more credentials cached.
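Putting Method 3 and the high-value locations above into one defender-side audit, as an added example that is not part of the original page: the script sweeps a host for the same key terms, for leftover `unattend.xml` password blocks, and for GPP XML files in SYSVOL that still carry a `cpassword` attribute, so they can be cleaned up before anyone else finds them. The root paths, the SYSVOL path derived from `USERDNSDOMAIN`, and the key-term list are assumptions.

```powershell
# Added example, not the page's or any project's code. Audits a host for the stored-credential
# artefacts described on this page and reports them; it does not decode or decrypt anything.
param(
    [string[]]$Roots = @("$env:SystemDrive\inetpub", "$env:USERPROFILE"),   # assumption: typical roots
    [string]$Sysvol  = "\\$env:USERDNSDOMAIN\SYSVOL"                           # assumption: domain-joined host
)

$keyTerms   = 'password','passphrase','pwd','creds','credentials','dbpassword','dbcredential'
$extensions = '*.txt','*.ini','*.cfg','*.config','*.xml','*.ps1','*.yml'
$findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}

# 1. Content sweep: the Select-String counterpart of "findstr /SIM /C:<term>" over the same extensions.
#    -List reports only the first hit per file, which keeps the output to one line per file.
foreach ($root in ($Roots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $keyTerms -SimpleMatch -List |
        ForEach-Object { Add-Finding 'KeyTerm' $_.Path $_.Line.Trim() }
}

# 2. Leftover unattended-install answer files. Any <Password> or <AdministratorPassword> block is a
#    finding whether PlainText is true or false; a base64 value is not protection. local-name() sidesteps
#    the unattend XML namespace so no namespace manager is needed.
$answerFiles = "$env:SystemRoot\Panther\unattend.xml",
               "$env:SystemRoot\Panther\Unattend\unattend.xml",
               "$env:SystemRoot\System32\Sysprep\unattend.xml"
foreach ($p in ($answerFiles | Where-Object { Test-Path $_ })) {
    [xml]$doc = Get-Content -Path $p -Raw
    foreach ($n in $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')) {
        $plain = $n.SelectSingleNode('*[local-name()="PlainText"]').InnerText
        Add-Finding 'UnattendXml' $p ("{0} block present, PlainText={1}; remove the file" -f $n.LocalName, $plain)
    }
}

# 3. Group Policy Preference files that still embed a cpassword attribute (pre-MS14-025 artefact).
$gppFiles = 'Groups.xml','ScheduledTasks.xml','Services.xml','DataSources.xml','Drives.xml'
if (Test-Path $Sysvol) {
    Get-ChildItem -Path $Sysvol -Recurse -Include $gppFiles -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -SimpleMatch -List |
        ForEach-Object { Add-Finding 'GppCpassword' $_.Path 'delete the preference item and rotate the account' }
}

$findings | Sort-Object Kind, Path | Format-Table -AutoSize
```

Run it as a user who can read the locations in question; a finding of kind `KeyTerm` needs a human look, while `UnattendXml` and `GppCpassword` findings are always worth removing.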


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/windows-authentication-process/credential-hunting-in-windows.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
