Attackers are harvesting credentials from compromised systems. Here’s how some commonly used tools can enable this.