Credentials Harvesting TryHackMe

Overview

This room focuses on harvesting credentials from an internal foothold. It covers where credentials live on Windows systems and in AD environments, how to extract them from local files, registry, SAM, LSASS memory, and related stores, and why credential access is a key step for lateral movement and impersonation.

Core idea: once you have system access, credentials become one of the highest-value targets because they let you move, blend in, and escalate without relying only on exploits.

1) What Credentials Harvesting Is

Credentials harvesting is the process of obtaining usernames, passwords, hashes, tickets, or any authentication material that can be reused.

usernames and passwords,
NTLM and related hashes,
Kerberos tickets such as TGTs and TGSs,
private keys and other login-enabling secrets.

Legitimate credentials are especially useful because they support quieter lateral movement and make attacker behaviour harder to distinguish from real users.

2) Common Credential Locations

The room highlights several places where credentials may appear inside a compromised environment:

clear-text files,
local database files,
password managers,
memory,
Active Directory,
captured network authentication traffic.

Practical takeaway: credential access is not one technique, it is a collection of many collection points across disk, registry, memory, and the network.

3) Clear-Text Files and Registry Hunting

Some of the fastest wins come from careless storage.

PowerShell history files can leak commands and passwords.
Configuration files may hold credentials for web apps, FTP, and internal services.
Backup files and shared folders often contain older but still valid secrets.
Registry searches for terms like password can surface insecure storage.

These techniques are low-noise and should usually be checked before memory dumping.

4) Password Managers and Application Stores

Password managers and saved application credentials are another strong source of secrets.

Windows built-in credential storage
browser password stores
third-party products such as KeePass, LastPass, 1Password

Misconfiguration, weak protection, or local compromise can expose these stores to an attacker.

5) Local Accounts and the SAM Database

Windows stores local account information in the Security Account Manager (SAM) database.

The live SAM file cannot simply be copied while Windows is using it.
Metasploit hashdump can dump hashes in memory.
Offline extraction is possible if you get both the SAM and SYSTEM material needed for decryption.

This is one of the classic starting points for local credential dumping.

6) Volume Shadow Copy and Registry Hive Dumps

The room demonstrates two native ways to extract the files needed for local hash recovery.

Volume Shadow Copy: create a shadow copy, then copy sam and system from it.
Registry hives: use reg save to export HKLM\sam and HKLM\system.

Once transferred off-host, tools like secretsdump.py can decrypt and extract local hashes.

7) LSASS Memory

LSASS is one of the highest-value processes on a Windows system because it handles authentication material.

It may contain clear-text credentials.
It may contain cached hashes.
It may contain Kerberos tickets and session data.

Why it matters: dumping LSASS can provide far more than local SAM hashes because it captures active authentication context rather than only static local account storage.

8) Dumping LSASS

The room shows multiple ways to capture LSASS memory for offline or direct analysis.

Task Manager: create a dump file from the GUI.
ProcDump: use Sysinternals to dump the process from command line.
Mimikatz: access LSASS data directly with elevated rights.

Because this is a well-known technique, defensive products often monitor or block it, so expect real-world friction here.

9) Mimikatz and Live Credential Extraction

Mimikatz is a central post-exploitation tool for Windows credential access.

privilege::debug enables required access.
sekurlsa::logonpasswords can extract live credential material from LSASS.
The output may include NTLM hashes, SHA1 values, and sometimes clear-text secrets depending on the session state.

This is one of the most direct ways to move from local admin access into reusable credential material.

10) AD and Network-Based Credential Sources

The room also reminds you that not all credential harvesting is purely local.

AD misconfigurations such as exposed descriptions or weak SYSVOL-related secrets can leak credentials.
NTDS is a major objective on domain controllers.
Network sniffing and man-in-the-middle attacks can capture NTLM or similar authentication material.

Exam Notes (PT1)

Credentials can be harvested from files, registry, password stores, memory, AD, and the network.
The SAM database contains local account data; extracting it requires SAM plus SYSTEM material for decryption.
Volume Shadow Copy and reg save are useful native paths for collecting SAM/SYSTEM offline.
LSASS is one of the most valuable credential targets because it may contain clear-text credentials, hashes, and tickets.
Mimikatz, ProcDump, Metasploit hashdump, and Impacket secretsdump.py are the main tools to remember from this room.