When a machine is already under an attacker’s control, the question quickly shifts from _“Can I run code?”_ to _“Where are the keys to everything else?”_ Pentest Copilot addresses this by chaining intelligent data-extraction tasks that transform a single foothold into a full-blown information windfall. A part of pentest copilot illustrates exactly how this happens: once an agent is present on a compromised host, the module sweeps the system, organizes anything it uncovers, and records it as graph-ready entities for immediate pivoting.
The submodule begins by validating the compromised host and the agent ID supplied as metadata.
From there, it quietly launches a coordinated collection process: reading environment variables, scouring browser credential stores, harvesting SSH keys, and parsing shell history, all at the same time.
Commands from user histories are automatically chunked and passed through a language model that pinpoints potential secrets and identifiers.
Finally, every discovery is normalized into a Secret entity—complete with provenance and confidence scoring—so that follow-on modules can use the data without additional parsing.
Secrets hide in more places than most administrators imagine, and Pentest Copilot treats the operating system like an open-plan building with many unlocked rooms.
Browser credential vaults are a natural first stop. Modern browsers encrypt saved usernames, passwords, cookies, and even autofill payment data, but the encryption keys are protected only by the logged-in user’s context.
With that context already available to the deployed agent, Copilot can read profile databases directly and extract cleartext logins or session cookies that open the door to cloud dashboards and internal web apps.
The system environment often yields an even more direct path to high-value targets.
Developers and automation scripts frequently export cloud credentials—AWS access keys, API tokens, database connection strings—for convenience.
These variables live in memory for every process and can be enumerated without tripping alarms, giving an attacker exactly what’s needed to pivot into cloud infrastructure or CI/CD pipelines.
Command histories are another quiet leak.
Every typo, every quick one-liner with an inline password or bearer token, sits in a shell log waiting to be rediscovered.
By dissecting these histories and applying a strict classification model, Copilot surfaces genuine secrets—API keys, private keys, database passwords—while discarding empty noise, producing a clean set of actionable findings.
Finally, user-space files such as spreadsheets, text documents, and configuration snippets can be treasure troves.
A forgotten .env file on the desktop, an exported database backup, or an old Excel sheet with “temporary” credentials can all become stepping stones for lateral movement.
The module reads these locations safely and captures only the minimum data needed to verify and reuse the secrets, preserving context like file paths and timestamps.
Together these techniques form a seamless sweep of the host: browsers reveal stored logins, the environment leaks cloud access, command histories replay administrator mistakes, and everyday files round out the picture.
Armed with these graph-ready secrets, an authorized red-team operator can pivot quickly:
enumerating cloud resources, testing lateral movement with stolen SSH keys, or simulating insider misuse of browser-stored credentials.
The same data is equally valuable for blue teams performing incident-response simulations or validating how quickly their environment detects and revokes leaked keys.
Pentest Copilot automatically exposes sensitive credentials on a compromised machine.
Target: Windows Server 2019 joined to the north.sevenkingdoms.local domain.
Key highlights in the video:
• IP Address, Hostname, and OS Version of the compromised machine.
• System environment variables displaying three AWS Access keys.
• Execution of Pentest Copilot with the Host entity (192.168.56.11) and the associated Agent ID as input.
• Creation of a Secret entity capturing the AWS_ACCESS_KEY_ID with its associated identifier and secret.
The POC underscores just how many hiding places a modern operating system offers:
.env files on desktops or in documents folders are parsed for API keys, database passwords, and other sensitive values.Each discovery is normalized into a Secret entity with provenance and confidence scoring, ensuring that follow-on modules can immediately act on the data.
The lesson for defenders is clear: never rely on “out of sight, out of mind.”
Move credentials out of environment variables and into secure vaults, disable browser password storage for administrative users, and regularly audit user directories and shell histories.
Even the smallest oversight can give an attacker the leverage to compromise far more than a single machine.
Does Pentest Copilot need full administrator rights?
Not necessarily. It requires enough permission to read user-level data; elevated privileges simply widen the scope.
How are secrets preserved once found?
Each is stored as a Secret entity inside Pentest Copilot’s exploit graph with clear provenance, so future modules can use it safely and traceably.
Is anything altered on the target system?
No. The process is read-only and designed to leave no operational footprint beyond standard agent activity.
Which credentials are most often exposed?
Common examples include cloud access keys, API tokens, database connection strings, and web-session cookies.
What’s the best defense?
Use a dedicated secrets manager, rotate credentials frequently, monitor for unexpected agent activity, and audit for stray keys in both user directories and environment variables.
The EXP_STEAL_DATA submodule shows how Pentest Copilot turns a single compromised host into a map of valuable credentials.
By methodically collecting and classifying data from browsers, environment variables, shell history, and user files—and condensing it into well-structured Secret entities—it enables rapid, automated pivots for authorized penetration testing while providing defenders with a concrete blueprint for hardening their systems.