Windows Credential Manager

What is Credential Manager?

Credential Manager is a Windows feature that stores logon information for websites, applications, and networks: usernames, passwords, and the internet or network addresses they belong to. There are four credential categories:

  • Web credentials

  • Windows credentials, such as NTLM or Kerberos

  • Clear-text usernames and passwords

  • Certificate-based credentials


Accessing Credential Manager

We can use vaultcmd to list the vaults currently available on the Windows target:

vaultcmd /list

By default, Windows has two vaults: one for web credentials and one for Windows (machine) credentials. The output above confirms that both default vaults are present.


Credential Dumping

VaultCmd cannot show the stored passwords themselves, but we can rely on other PowerShell scripts such as Get-WebCredentials.ps1. Run PowerShell with the execution policy bypassed so that the script can be imported as a module.


RunAs

An alternative way to take advantage of stored credentials is RunAs. The /savecred argument saves the user's credentials in Windows Credential Manager (under the Windows Credentials section), so the next time we run a command as the same user, runas will not prompt for a password.

Another way to enumerate stored credentials is cmdkey, a tool to create, delete, and display stored Windows credentials. The /list argument shows all stored credentials; to see more details about a single credential, specify it with cmdkey /list:computername.

We are going for the last one. The output shows that a domain password is stored for the thm\thm-local user.

Now let's use runas to execute Windows applications as the thm-local user.

A new cmd.exe window pops up with a command prompt ready to use. Run the whoami command to confirm that we are running as the desired user. There is a flag in c:\Users\thm-local\Saved Games\flag.txt.
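As an added defender-side example (not from the original page), the following PowerShell parses the entries cmdkey /list reports for the current user, flags the Domain:interactive= targets that runas /savecred leaves behind, and checks whether the "Network access: Do not allow storage of passwords and credentials for network authentication" policy (registry value DisableDomainCreds) is enabled. It assumes the English Target:/Type:/User: line format of cmdkey output.

```powershell
# Added audit script, not part of the original page. Assumes English cmdkey
# output; the DisableDomainCreds value under the Lsa key is the real backing
# store of the "Do not allow storage of passwords and credentials" policy.

function Get-StoredCredentialInventory {
    # cmdkey /list prints one record per stored credential as a block of
    # "Target:", "Type:" and "User:" lines; rebuild those blocks as objects.
    $records = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim()
            $current = [pscustomobject]@{
                Target       = $target
                Type         = ''
                User         = ''
                # runas /savecred stores its entry under Domain:interactive=DOMAIN\user,
                # so any such entry lets runas start a process as that user later
                # without prompting for a password.
                SavedByRunAs = ($target -like 'Domain:interactive=*')
            }
            $records += $current
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    return $records
}

function Test-DomainCredStoragePolicy {
    # DisableDomainCreds = 1 blocks saving domain credentials (including via
    # runas /savecred and cmdkey) for network authentication.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    return ($value -eq 1)
}

$inventory = Get-StoredCredentialInventory
$inventory | Format-Table Target, Type, User, SavedByRunAs -AutoSize

if (-not (Test-DomainCredStoragePolicy)) {
    Write-Warning 'DisableDomainCreds is not set: users on this host can save domain credentials (for example with runas /savecred).'
}
```

Entries flagged SavedByRunAs can be removed with cmdkey /delete:<target> once the owner confirms they are no longer needed.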


Mimikatz

Mimikatz can also be used to dump Credential Manager secrets using the sekurlsa module.
