Credential access is the engine of lateral movement: harvest a password, hash, or ticket on one host, reuse it on the next. This section breaks the Windows credential stores (SAM, DPAPI, LSA secrets, cached domain credentials, Credential Manager), the Linux and network angles (/etc/shadow, LLMNR poisoning), and cracking (Hashcat, John) into plain-language explainers, each ending with how a penetration test finds the exposure in your environment.
Topics
- What is Credential Access? How attackers harvest the passwords, hashes, and tickets that move them across a network.
- What is Credential Dumping? Extracting stored credentials from memory, the registry, and disk.
Key terms explained
Plain-language definitions of the credential stores and techniques behind credential theft. Each page covers what it is, the attack, the payload, and how to defend.
Windows credential stores
- What is the SAM database?
- What is DPAPI?
- What are LSA secrets?
- What are cached domain credentials?
- What is Windows Credential Manager?
- What is a Volume Shadow Copy attack?
- What is an NT hash?
- What is browser credential theft?
Linux, network and cracking
- What is /etc/shadow?
- What is LLMNR poisoning?
- What is Hashcat?
- What is John the Ripper?
- What are unsecured credentials?
Related (Active Directory)
How to read this section
The pages follow the order in which an attacker collects credentials and then reuses them.
- Foundations first: credential access and credential dumping.
- Windows credential stores: where Windows keeps secrets (SAM, DPAPI, LSA secrets, cached domain credentials, Credential Manager) and how each is extracted, plus the NT hash format and shadow-copy theft.
- Linux, network and cracking: /etc/shadow, capturing hashes on the wire with LLMNR poisoning, and cracking them with Hashcat and John.
- Related: the Active Directory credential pages (LSASS, Mimikatz, Pass-the-Hash, DCSync) that pair with this section.
Each explainer ends with how a penetration test confirms the exposure in your own environment.