Attacking Windows Credential Manager

Windows Vault and Credential Manager

Credential Manager is a feature built into Windows since Server 2008 R2 and Windows 7. Thorough documentation on how it works is not publicly available, but essentially, it allows users and applications to securely store credentials relevant to other systems and websites. Credentials are stored in special encrypted folders on the computer under the user and system profiles (MITRE ATT&CK):

  • %UserProfile%\AppData\Local\Microsoft\Vault\

  • %UserProfile%\AppData\Local\Microsoft\Credentials\

  • %UserProfile%\AppData\Roaming\Microsoft\Vault\

  • %ProgramData%\Microsoft\Vault\

  • %SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\

Each vault folder contains a Policy.vpol file holding the AES keys (AES-128 or AES-256), itself protected by DPAPI. These AES keys are used to encrypt the credentials. Newer versions of Windows make use of Credential Guard to further protect the DPAPI master keys by storing them in secured memory enclaves (Virtualization-based Security).

It is possible to export Windows Vaults to .crd files either via Control Panel or with the following command. Backups created this way are encrypted with a password supplied by the user, and can be imported on other Windows systems.

Enumerating credentials with cmdkey

We can use cmdkey to enumerate the credentials stored in the current user's profile:

Stored credentials are listed with the following fields:

  • Target: The resource or account name the credential is for. This could be a computer, domain name, or a special identifier.

  • Type: The kind of credential. Common types are Generic for general credentials, and Domain Password for domain user logons.

  • User: The user account associated with the credential.

  • Persistence: Some entries indicate whether the credential is saved persistently on the computer; credentials marked with Local machine persistence survive reboots.

The first credential in the command output above, virtualapp/didlogical, is a generic credential used by Microsoft account/Windows Live services. The random-looking username is an internal account ID. This entry may be ignored for our purposes.

The second credential, Domain:interactive=SRV01\mcharles, is a domain credential associated with the user SRV01\mcharles. Interactive means that the credential is used for interactive logon sessions. Whenever we come across this type of credential, we can use runas to impersonate the stored user like so:

[Screenshot: after runas, the new command prompt runs whoami and displays srv01\mcharles]
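The field layout described above, as an added parser that is not part of the original page: it turns `cmdkey /list` output into records and picks out the Domain:interactive entries that, as explained above, can be reused with runas and so deserve review first when auditing a profile. The sample output is constructed to match the two entries discussed, not captured from a real host.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `cmdkey /list` output, modelled on the two entries
# discussed above; it was not captured from a real host.
SAMPLE_OUTPUT = """\
Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02nfpsdjtkeyhaxf
    Local machine persistence

    Target: Domain:interactive=SRV01\\mcharles
    Type: Domain Password
    User: SRV01\\mcharles
"""


@dataclass
class StoredCredential:
    target: str
    type: str = ""
    user: str = ""
    persistence: Optional[str] = None  # "Local machine" when that line is shown


def parse_cmdkey_list(text: str) -> List[StoredCredential]:
    """Split `cmdkey /list` output into one record per Target block."""
    creds: List[StoredCredential] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            creds.append(StoredCredential(target=line[len("Target:"):].strip()))
        elif not creds:
            continue  # header text before the first Target line
        elif line.startswith("Type:"):
            creds[-1].type = line[len("Type:"):].strip()
        elif line.startswith("User:"):
            creds[-1].user = line[len("User:"):].strip()
        elif line.endswith("persistence"):
            creds[-1].persistence = line[: -len("persistence")].strip()
    return creds


def interactive_domain_logons(creds: List[StoredCredential]) -> List[StoredCredential]:
    """Domain Password entries for interactive logon: the ones runas can reuse,
    so a review of a profile should look at these first (Generic noise such as
    virtualapp/didlogical is excluded by the type check)."""
    return [c for c in creds
            if c.type == "Domain Password" and c.target.startswith("Domain:interactive=")]
```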

Extracting credentials with Mimikatz

There are many different tools that can be used to decrypt stored credentials. One of the tools we can use is mimikatz. Even within mimikatz, there are multiple ways to attack these credentials - we can either dump credentials from memory using the sekurlsa module, or we can manually decrypt credentials using the dpapi module. For this example, we will target the LSASS process with sekurlsa:

Note: Some other tools which may be used to enumerate and extract stored credentials include SharpDPAPI, LaZagne, and DonPAPI.

Lab - Questions

  • What is the password mcharles uses for OneDrive?

RDP to 10.129.234.171 (ACADEMY-PWATTCK-CREDDEV01) with user "sadams" and password "totally2brow2harmon@"

First, download mimikatz onto our machine and extract the archive -->

Use the Windows binary, found at x64/mimikatz.exe.

Now start a Samba server to share the file with the Windows host as \\10.10.14.118\share -->

But this gives us an error, so first look at the credentials saved on the machine:

We are now the mcharles user; next, use a UAC bypass -->

We have two options for doing this -->

Now we have a cmd running as administrator and can read the folder, so upload mimikatz -->

This gives us an error too, so try over the web instead.

On the Kali machine:

In the administrator cmd on Windows:

Once we have downloaded mimikatz, execute it: mimikatz.exe -->

See all credentials in plain text -->
