credentials

This tab provides a clear, structured way to keep track of what you’ve captured from each target. Instead of digging through terminal output, Starkiller brings everything into one place—making it easy to review, reuse, or export credentials for later.

The data shown typically includes the username, the password or hash, and the host it was pulled from. It might also indicate the type of credential: whether it's a plaintext password, an NTLM hash, a Kerberos ticket, or a DPAPI blob.

Once credentials are collected here, they become incredibly useful for post-exploitation. You can take a captured password and try it on another machine in the same network. You might find that a local admin account has the same password reused across hosts, which opens the door to lateral movement. Starkiller makes this process seamless by letting you simply copy a credential and use it directly in a lateral movement module, like psexec, invoke_wmi, or winrm.

It also supports exporting credentials for use in external cracking tools. You can grab hashes and throw them into John the Ripper, Hashcat, or even reuse them with CrackMapExec for password spraying.

The best part? You don’t need to manually log or organize any of this. As long as you're using Empire correctly and your modules are running successfully, everything lands right in this tab for easy access.

That said, be mindful of OPSEC when using credential harvesting tools. Pulling from LSASS memory, for example, is noisy and can trigger AV if you're not careful. Use obfuscation, choose your timing, and always clean up when you're done.

In short, the Credentials tab is one of Starkiller’s most powerful features. It’s the control center for tracking everything you’ve stolen, planning your next move, and executing deeper intrusions with precision and speed.