Welcome back to IT Audit Labs’ series on password security. In Part 2, we covered phishing—the art of tricking users into revealing credentials. Today, we’ll explore additional attack techniques that threat actors use to harvest passwords and personal data, and discuss how modern trends like remote work, cloud adoption, and zero trust architecture can help defend against them.
1. Device Implants and Lateral Pivoting
Threat actors often seek a foothold inside your network before moving laterally. Two common approaches are:
- Physical device implants
Attackers with brief physical access can plug a covert microcomputer (for example, a Raspberry Pi or custom hardware) into a network port. Once online, it can run remote-access tools, perform reconnaissance, and harvest credentials without raising alarms.
- Pivoting from a previous breach
A successful phishing campaign or leaked credentials from a personal account can give attackers initial access. From there, they use the compromised account to deploy internal tools, scan for valuable resources, and escalate privileges.
In today’s age of hybrid work and Bring Your Own Device (BYOD), maintaining strict access controls and monitoring network endpoints is more important than ever. Implement network segmentation and enforce zero trust principles so that even if one device is compromised, attackers cannot freely traverse the environment.
2. The Danger of Password Reuse
In Part 1, we warned about reusing passwords across personal and corporate accounts. Attackers routinely take credential pairs from a breached consumer site and attempt to log in to corporate email, VPN portals, or cloud services. As your employees juggle dozens of logins, enforcing a password manager and multi-factor authentication (MFA) reduces the risk that a Candy Crush compromise becomes a gateway to your internal systems.
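A practical complement to the password manager and MFA is to reject, at password-set time, any password that already appears in a public breach corpus. The example below is added here and is not IT Audit Labs' code; it implements the k-anonymity range check the Have I Been Pwned API popularised (only the first five hex characters of the SHA-1 hash leave the client) against a small constructed corpus, so it runs offline. The corpus, the `min_length` policy value and the function names are assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a breach corpus: upper-case hex SHA-1 digests of
# passwords that have appeared in public leaks. A real deployment would query
# the Have I Been Pwned "range" API (or a local mirror of its dataset) instead.
CONSTRUCTED_BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "Summer2024!", "letmein", "Welcome1")
}


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the digest into the 5-hex-char prefix that
    is sent to the lookup service and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str, corpus=CONSTRUCTED_BREACH_CORPUS) -> set[str]:
    """Simulates the server side of a k-anonymity range query: the server learns
    only the 5-char prefix and returns every suffix it knows under that prefix."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password: str, corpus=CONSTRUCTED_BREACH_CORPUS) -> bool:
    """True if the full hash is among the suffixes returned for its prefix."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return suffix in range_lookup(prefix, corpus)


def evaluate_new_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty = accept).
    The 12-character floor is an assumed policy value, not a recommendation from the post."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2024!", "correct horse battery staple"):
        verdict = evaluate_new_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Because the server only ever sees a hash prefix shared by many thousands of passwords, the check can be wired into self-service password reset or an identity provider's password filter without the plaintext or its full hash leaving your environment.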
3. Hunting in Open SMB Shares
Windows environments rely on Server Message Block (SMB) shares for collaboration. Unfortunately, many teams store spreadsheets, text files, or documents labeled “passwords,” “credentials,” or “accounts” in clear text. According to PassCamp, nearly 40 percent of organizations still keep passwords in unencrypted files.
A typical attack flow:
- Attacker runs a tool like SMBMap using the stolen account’s privileges
- They enumerate all accessible shares and search file names for common keywords
- Any clear-text credentials found allow immediate lateral movement and privilege escalation
Defenses
- Enforce least-privilege access on file shares
- Encrypt sensitive data at rest and in transit
- Audit share permissions and automatically alert on suspicious file names
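The third defense above, auditing shares for suspicious file names, is easy to automate. The script below is an added example, not code from IT Audit Labs or from SMBMap: it walks a mounted share, flags files whose names carry the keywords the post mentions, flags world-readable mode bits on POSIX mounts, and scans small text files for key/value lines that look like stored secrets. The keyword lists, the 64 KB scan limit and the sample share it builds in a temporary directory are all constructed for illustration; point `audit_share()` at a real mount path in production.

```python
import os
import re
import stat
import tempfile

# Filename keywords the post lists as typical of clear-text credential files.
SUSPICIOUS_NAME = re.compile(r"password|passwd|credential|creds|accounts?|login", re.I)
# Key/value lines that look like a stored secret inside a small text file.
# Deliberately loose: a heuristic to triage, not a verdict.
SUSPICIOUS_CONTENT = re.compile(r"(pass(?:word)?|pwd|secret|api[_-]?key)\s*[:=]\s*\S+", re.I)
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env", ".md", ""}
MAX_CONTENT_SCAN_BYTES = 64 * 1024  # larger or binary files (spreadsheets) need their own parser


def audit_share(root: str) -> dict:
    """Walk a mounted share and return {relative_path: [reasons]} for files worth a look.

    Reasons: a suspicious filename, a world-readable mode bit (POSIX only), or a
    clear-text credential pattern inside a small text file.
    """
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if SUSPICIOUS_NAME.search(name):
                reasons.append("suspicious filename")
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if os.name == "posix" and st.st_mode & stat.S_IROTH:
                reasons.append("world-readable")
            _, suffix = os.path.splitext(name)
            if suffix.lower() in TEXT_SUFFIXES and st.st_size <= MAX_CONTENT_SCAN_BYTES:
                try:
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        if SUSPICIOUS_CONTENT.search(fh.read()):
                            reasons.append("clear-text credential pattern")
                except OSError:
                    pass
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_share() -> str:
    """Create a constructed share layout in a temp dir so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "Finance"))
    sample = {  # constructed contents; the "passwords" are placeholders
        "Finance/passwords.txt": "svc_backup password=Hunter2!\nadmin password=Winter2024\n",
        "db.ini": "[prod]\nhost=db01\ndb_pass = ChangeMe123\n",
        "notes.txt": "Q3 planning notes. Nothing sensitive here.\n",
    }
    for rel, content in sample.items():
        full = os.path.join(root, rel)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        # Mimic a careless share: most files readable by everyone, notes locked down.
        os.chmod(full, 0o600 if rel == "notes.txt" else 0o644)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(audit_share(build_sample_share()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it from a scheduled job against each share and ship the findings to your ticketing or SIEM pipeline; the filename hit alone is cheap enough to run over very large shares, while the content scan is limited to small text files to keep the cost predictable.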
4. Responder: LLMNR and mDNS Poisoning
Responder is an open-source tool that poisons Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS), and mDNS traffic. By impersonating legitimate servers, Responder captures NTLM password hashes during routine authentication.
How it works
- User “John” navigates to a protected share; if DNS cannot resolve the name (a typo, for example), Windows falls back to LLMNR or NBT-NS and asks the whole local segment who owns it
- John’s machine then sends its NTLM authentication, derived from John’s hashed password, to whoever answers, expecting that to be the file server
- Responder answers first, fools John’s machine into authenticating to it, and logs the hash before forwarding the traffic to the real server
No disruption, no alerts—just silent credential harvesting. Modern networks should restrict LLMNR and mDNS to trusted devices and monitor for unauthorized servers on the LAN.
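Because a poisoner has to answer for names it does not own, it stands out in two ways: it replies to queries for names that do not exist anywhere, and a single host ends up answering for many different names. The detector below is an added example, not code from IT Audit Labs or from the Responder project. It assumes a sensor that logs every LLMNR, NBT-NS and mDNS answer on the segment in the one-line-per-answer format shown (a constructed format), and a defender who periodically queries a "canary" hostname that is not assigned to any machine; the sample log, the canary name, the IP addresses and the threshold of two names per host are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a name-resolution sensor's log (not real capture data).
# 10.0.5.99 answers for a typo'd name, for WPAD, and for the canary: classic poisoner behaviour.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LLMNR query=FILESRV01 answer=10.0.5.23
2024-05-01T10:00:03Z LLMNR query=PRINTSRV answer=10.0.5.40
2024-05-01T10:00:09Z NBT-NS query=FILESRV1 answer=10.0.5.99
2024-05-01T10:00:10Z LLMNR query=WPAD answer=10.0.5.99
2024-05-01T10:00:12Z LLMNR query=CANARY-SHARE-7F3A answer=10.0.5.99
2024-05-01T10:00:15Z MDNS query=printer.local answer=10.0.5.40
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>LLMNR|NBT-NS|MDNS) query=(?P<query>\S+) answer=(?P<ip>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the sensor format into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def detect_rogue_responders(records: list[dict], canary_names, max_names_per_host: int = 2) -> list[dict]:
    """Flag hosts that answer for a canary name or for more distinct names than a
    legitimate machine (which normally answers only for itself) should."""
    canaries = {n.lower() for n in canary_names}
    alerts = []
    names_by_host = defaultdict(set)
    for r in records:
        name = r["query"].lower().rstrip(".")
        names_by_host[r["ip"]].add(name)
        if name in canaries:
            alerts.append({"ip": r["ip"], "reason": "answered canary name",
                           "detail": f"{r['query']} over {r['proto']} at {r['ts']}"})
    for ip, names in names_by_host.items():
        if len(names) > max_names_per_host:
            alerts.append({"ip": ip, "reason": "answers for many different names",
                           "detail": ", ".join(sorted(names))})
    return alerts


if __name__ == "__main__":
    for a in detect_rogue_responders(parse_log(SAMPLE_LOG), ["CANARY-SHARE-7F3A"]):
        print(f"{a['ip']}: {a['reason']} ({a['detail']})")
```

The canary check is the higher-fidelity signal, since no legitimate host has any reason to claim a name you invented; the name-count check catches poisoners on segments where you have not yet deployed canaries. Both sit naturally alongside the policy fix of disabling LLMNR and NetBIOS name resolution on hosts that do not need them.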
5. Kerberoasting: Cracking Service Account Hashes
Kerberos is the backbone of Windows authentication. Service accounts—used by applications to run services—request and receive Ticket Granting Service (TGS) tickets, and each ticket is encrypted using the service account’s password hash. Attackers can:
- Use tools like Rubeus or PowerShell Empire to request TGS tickets for service accounts
- Extract the encrypted ticket material, which can then be attacked offline
- Crack them offline with Hashcat or John the Ripper
If a service account has weak credentials and high privileges, cracking its password grants attackers a powerful foothold for privilege escalation. Enforce complex, regularly rotated passwords on service accounts and limit their scope to only necessary servers.
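Kerberoasting leaves a trace on the domain controller: each TGS request is logged as Security event 4769, and the requests attackers favour ask for RC4-HMAC tickets (TicketEncryptionType 0x17) because those crack far faster than AES (0x11 and 0x12). The detector below is an added example, not code from IT Audit Labs or from any of the tools named above. It assumes 4769 events have been normalised into dicts with the real field names `TargetUserName`, `ServiceName`, `TicketEncryptionType` and `IpAddress` (the sample events themselves are constructed), and it flags a user who requests RC4 tickets for several distinct service accounts within a short window; the five-minute window and the three-SPN threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values of the TicketEncryptionType field in event 4769.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}

# Constructed sample events in a SIEM-style shape (not real telemetry).
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:00", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.10"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.44"},
    {"time": "2024-05-01T09:00:06", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.44"},
    {"time": "2024-05-01T09:00:07", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.44"},
    {"time": "2024-05-01T09:00:08", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_reporting",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.1.44"},
    {"time": "2024-05-01T09:30:00", "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_legacy",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.2.9"},
]


def is_user_service_account(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; Kerberoasting
    targets user accounts that carry an SPN, so only those are of interest."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct_spns=3) -> list[dict]:
    """Alert when one requester obtains RC4 service tickets for several distinct
    user-type service accounts inside `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"] != RC4_HMAC or not is_user_service_account(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["time"]), e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):  # sliding window over sorted requests
            names = {n for t, n, _ in reqs[i:] if t - t0 <= window}
            if len(names) >= min_distinct_spns:
                alerts.append({"user": user, "source_ip": ip, "start": t0.isoformat(),
                               "spns": sorted(names)})
                break  # one alert per requester is enough
    return alerts


def rc4_service_accounts(events) -> list[str]:
    """Hygiene view: every user-type service account still being issued RC4 tickets.
    These are the accounts to move to AES-only (and to long, rotated passwords)."""
    return sorted({e["ServiceName"] for e in events
                   if e["TicketEncryptionType"] == RC4_HMAC and is_user_service_account(e["ServiceName"])})


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_4769):
        print(f"possible Kerberoasting by {a['user']} from {a['source_ip']}: {', '.join(a['spns'])}")
    print("service accounts still on RC4:", ", ".join(rc4_service_accounts(SAMPLE_4769)))
```

The burst detector catches the attack in progress; the hygiene list is the preventive side, since a service account that only issues AES tickets and has a long random password gives the offline cracking step nothing cheap to work on.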
6. Local Password Stores and Memory Scraping
- Linux
/etc/shadow and /etc/passwd
Compromised or privileged Linux hosts may expose hashed passwords. Attackers steal and crack those hashes offline.
- Windows
ntds.dit database
On domain controllers, ntds.dit stores Active Directory hashes for all users. With administrative access, threat actors dump the database and work on cracking in their own time.
- Memory scraping (e.g., Mimikatz, PowerMemory)
Some tools bypass hash dumping by extracting clear-text credentials directly from system memory. This technique allows attackers to harvest live credentials for lateral movement or persistence.
Limiting local administrator rights, deploying endpoint detection and response (EDR), and regularly monitoring memory-scraping indicators are critical defenses.
What’s Next?
If you want help strengthening your organization’s password security, contact IT Audit Labs today.