What Is Credential Harvesting? How Attackers Capture Passwords
Credential harvesting is exactly what it sounds like: collecting login credentials - usernames, passwords, tokens, session cookies - in bulk. It is one of the most common objectives in modern attacks, because valid credentials unlock almost everything else. You do not need to find a zero-day if you have the CFO's password.
graph TD
subgraph SETUP["Attack Setup Phase"]
A1["Attacker configures
rogue access point"] --> A2["Evil portal page
mimics hotel/corp WiFi login"]
A2 --> A3["DNS/DHCP configured to
redirect all HTTP traffic"]
end
subgraph EXEC["Execution Phase"]
B1["Victim sees familiar
WiFi network name"] --> B2["Auto-connects or
manually joins"]
B2 --> B3["HTTP request triggers
captive portal redirect"]
B3 --> B4["Victim sees login page
matching expected branding"]
B4 --> B5{"Victim enters
credentials?"}
B5 -->|Yes| B6["Form POST sends
credentials to attacker"]
B5 -->|No - suspicious| B7["Victim disconnects
attack fails"]
end
subgraph POST["Post-Capture"]
B6 --> C1["Credentials stored
as JSON on device"]
C1 --> C2["Redirect victim to
real login page"]
C2 --> C3["Victim assumes
minor WiFi glitch"]
C1 --> C4["Attacker tests credentials
against target services"]
C4 --> C5["Credential stuffing
across multiple sites"]
end
SETUP --> EXEC
EXEC --> POST
Rogue AP credential harvesting - from setup through capture to post-exploitation. The BLEShark Nano evil portal feature replicates this flow for authorized red team exercises.
What credential harvesting actually is
The term covers a range of techniques, but the goal is the same: get credentials into the attacker's hands in a form they can use. That might mean a cleartext password, a password hash, a session token, an OAuth code, or an API key.
Credential harvesting is almost always a means to an end. Stealing valid credentials is usually the fastest path to a system, data, or money. This is why phishing remains the number one initial access vector year after year - it works because it bypasses technical controls entirely and targets the human.
Fake login pages and phishing portals
The most common method. The attacker creates a page that looks like a legitimate login form. The victim enters credentials. The page submits them to the attacker's server and redirects the victim to the real site, so they assume they just had a glitch.
Two main delivery contexts:
Email phishing: A link in an email takes the victim to the fake page. Enterprise security filters catch many of these, but often miss targeted spear-phishing that uses personal details.
Rogue access point with a captive portal: The attacker broadcasts a WiFi network. Anyone who connects gets redirected to a login page. In a hotel, airport, or conference venue, users expect to see a captive portal. The BLEShark Nano has a built-in evil portal mode for authorized red team exercises - it captures form submissions as JSON, with deliberate safety restrictions. All submissions stay on-device until deleted.
The evil portal feature on BLEShark Nano is intended for authorized security testing only. Using it against networks or individuals without permission is illegal in most jurisdictions.
Keyloggers and HID-based capture
A keylogger captures what someone types. Software keyloggers hook into the OS keyboard input stack. Hardware keyloggers sit between the keyboard and computer.
HID injection is a related technique - a device that presents itself as a USB or Bluetooth keyboard to the OS can type commands directly without the user's knowledge. The BLEShark Nano's Bad-BT feature operates over Bluetooth HID, executing DuckyScript payloads on the target machine. In authorized testing, this simulates what happens if an attacker gains brief physical proximity to an unlocked laptop.
Token theft and session hijacking
Modern web applications issue session tokens after login. If an attacker steals your session token, they don't need your password. Token theft happens through XSS, network interception on rogue APs, malware, or brief physical access in which an HID payload pulls tokens out of browser storage.
Credential stuffing and password spraying
Credential stuffing: Use leaked username/password pairs from one breach against another service. Works because a significant percentage of people reuse passwords.
Password spraying: Try a small number of common passwords against a large number of accounts. Because each account sees only a few attempts, this avoids triggering lockout policies.
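The breadth-versus-depth difference between spraying and a single-account brute force is what a defender can key on in authentication logs. The following is an added example, not code from the page or the BLEShark project: it runs over a constructed auth log in an assumed `<timestamp> <OK|FAIL> user=<name> src=<ip>` format and flags per-source patterns, treating a success from a source that is already failing against other accounts as a likely credential-stuffing hit.

```python
import re
from collections import defaultdict

# Constructed sample auth log (assumed format "<ts> <OK|FAIL> user=<u> src=<ip>")
SAMPLE_LOG = """
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T10:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T10:00:13 OK user=carol src=203.0.113.7
2024-05-01T10:01:00 FAIL user=alice src=192.0.2.20
2024-05-01T10:01:02 FAIL user=alice src=192.0.2.20
2024-05-01T10:01:05 OK user=alice src=192.0.2.20
""" + "".join(f"2024-05-01T10:02:{i:02d} FAIL user=admin src=198.51.100.9\n"
              for i in range(12))

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    # Lines that do not match the assumed format are skipped, not errors.
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def analyze(events, min_users=5, max_per_user=3, brute_fails=10):
    """Classify each source IP by how its failed logins are spread.

    spray  - >= min_users accounts with <= max_per_user failures each; the low
             per-account count is exactly what keeps spraying under lockout
    brute  - >= brute_fails failures against a single account
    normal - anything else, e.g. a user mistyping twice and then succeeding
    A success from a source already failing against *other* accounts is a hit,
    the signature of credential stuffing finding a reused password.
    """
    fails = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        elif any(u != ev["user"] for u in fails.get(ev["src"], ())):
            hits[ev["src"]].append(ev["user"])
    findings = {}
    for src, per_user in fails.items():
        peak = max(per_user.values())
        pattern = ("spray" if len(per_user) >= min_users and peak <= max_per_user
                   else "brute" if peak >= brute_fails else "normal")
        findings[src] = {"pattern": pattern, "users": len(per_user),
                         "fails": sum(per_user.values()), "hits": hits[src]}
    return findings
```

The thresholds are deliberately parameters: tune `min_users` and `max_per_user` to your tenant's lockout policy, since a sprayer sizes its attempts to stay just under it.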
graph TD
START["Credential Harvesting
Defense Strategy"] --> Q1{"What type of
credentials?"}
Q1 -->|"Passwords"| MFA["Deploy MFA"]
Q1 -->|"Session tokens"| TOKEN["Token hardening"]
Q1 -->|"API keys"| VAULT["Secrets management"]
MFA --> MFA_TYPE{"MFA method?"}
MFA_TYPE -->|"Best"| FIDO["FIDO2 / WebAuthn
Hardware keys
Phishing-proof"]
MFA_TYPE -->|"Good"| TOTP["TOTP Authenticator
App-based codes"]
MFA_TYPE -->|"Weak"| SMS["SMS OTP
Vulnerable to SIM swap"]
TOKEN --> T1["Short-lived tokens"]
TOKEN --> T2["Bind to IP/fingerprint"]
TOKEN --> T3["Secure cookie flags
HttpOnly, Secure, SameSite"]
VAULT --> V1["Rotate on schedule"]
VAULT --> V2["Least-privilege scopes"]
VAULT --> V3["Audit access logs"]
FIDO --> TRAIN["Security awareness training
+ simulated phishing"]
TOTP --> TRAIN
T1 --> MONITOR["Monitor for anomalous
login patterns"]
V1 --> MONITOR
style FIDO fill:#1a3a1a,stroke:#44ff44,color:#66ff66
style SMS fill:#3a1a1a,stroke:#ff4444,color:#ff6666
Credential harvesting defense decision tree - choose protections based on credential type, with FIDO2 hardware keys as the strongest anti-phishing measure.
Defense strategies that actually work
Multi-factor authentication (MFA): Even if an attacker captures a password, they can't log in without the second factor. FIDO2/WebAuthn hardware security keys are the most phishing-resistant option - bound to the origin domain, so a fake login page cannot capture a valid FIDO2 assertion.
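Why a fake login page cannot produce a usable FIDO2 assertion comes down to checks the relying party performs on the assertion's client data. The following is an added example written for this article, not code from the page or the BLEShark project: it implements those checks with the standard library only, using an assumed relying-party ID of `example.com` and an assumed genuine origin of `https://login.example.com`, and builds constructed inputs for a genuine login and for the same user on a look-alike domain. The final signature verification against the stored public key is stated but not implemented.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed genuine login origin

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_context(client_data_b64, authenticator_data, issued_challenge):
    """Relying-party checks that make a phished FIDO2 assertion useless: the
    browser (not the page) writes `origin` into clientDataJSON and the
    authenticator signs authenticatorData || SHA-256(clientDataJSON), so a
    look-alike domain yields a wrong origin/rpIdHash that cannot be edited
    without breaking the signature (signature verification not shown here)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def make_client_data(origin, challenge):
    # Constructed clientDataJSON, shaped as the browser produces it
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())

def make_auth_data(rp_id, flags=0x01):
    # Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)

CHALLENGE = b64url_encode(b"constructed-random-challenge-32b")

def demo():
    genuine = verify_assertion_context(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE)
    # Same user on a copied page at a look-alike domain: browser-scoped origin/rpId differ
    phished = verify_assertion_context(
        make_client_data("https://login-example.com", CHALLENGE),
        make_auth_data("login-example.com"), CHALLENGE)
    return genuine, phished
```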
Security awareness training with simulation: Regular phishing simulations, including portal-based ones, train users to recognize the attack. BLEShark evil portal exercises follow the same pattern: demonstrate the attack in a controlled setting, debrief, and measure improvement over time.
Password managers and unique passwords: Unique passwords per service eliminate credential stuffing as a cross-service threat.