Watch where you point that cred! Part 1
ID: efe08d6c-5175-5f13-9d2a-48e6f51f6aed
STIX ID: report--efe08d6c-5175-5f13-9d2a-48e6f51f6aed
Feed Name: Pen Test Partners Blog
This report outlines how attackers can passively harvest privileged credentials from automated tasks and credentialed vulnerability scans by standing up rogue SSH/SMB services within internal networks, enabling NTLM hash capture and relay when controls like host key verification and SMB signing are weak or disabled. It walks through practical demonstrations using Cowrie, Impacket, Responder, and Inveigh, highlights the risks posed by broad scan scopes and highly privileged service accounts, and provides concrete mitigations such as least privilege, agent/certificate-based authentication, NAC, SMB signing, asset and host monitoring, network egress controls, and the strategic use of honeypots.
