Obtain password hashes, encrypted passwords, or credential databases through exploitation, file system access, or network interception. Alternatively, prepare for online attacks if no hashes are available.