# 13 - Stored Credentials and the Windows Vault

#### Topics

> 1. Introduction to the Windows Shells
> 2. Windows Permissions
> 3. Reverse Shells in Windows
> 4. SeImpersonatePrivilege Exploitation
> 5. On Cross Compilation
> 6. Windows Services
> 7. Weak Service Permissions
> 8. Unquoted Service Path
> 9. DLL Hijacking
> 10. Always Install Elevated
> 11. Files with Sensitive Data
> 12. Windows Hashes
> 13. Stored Credentials and the Windows Vault
> 14. Scheduled Task
> 15. Critical Registry Paths
> 16. Useful Tools
> 17. AMSI Bypass

## **Credential Manager**

The **Credential Manager** is a Windows feature that provides centralized storage for user credentials such as usernames, passwords, and certificates. It simplifies authentication by securely storing credentials using the **Windows Data Protection API (DPAPI)**.

Credentials stored in the manager can be used by applications and services without requiring users to re-enter authentication details, improving convenience and productivity.

***

### **Why is it Dangerous?**

Credentials in the manager are encrypted with DPAPI, but the DPAPI master key is derived from the logged-on user's own logon secret, so any code running inside that user's session can decrypt and use them transparently. A compromised session therefore exposes every stored credential.

* **Active Use by Attackers**:\
  Even when the plaintext password is not directly visible, the stored credential can be replayed to authenticate to the systems and services it was saved for (for example via `runas /savecred`).

**Key Security Implication**:\
If a session is compromised, every credential stored in the manager is usable by whoever controls that session.

#### **Best Practices**:

* Minimize the storage of sensitive credentials in your session.
* Protect your session with strong authentication and physical security.

***

## **Using Credential Manager**

**Accessing Credential Manager**

Navigate through:

```text
Control Panel → User Accounts → Credential Manager → Web Credentials or Windows Credentials
```

***

**Command-Line Usage**

* **List Stored Credentials**:

  ```bash
  cmdkey /list
  ```
* **Add New Credentials**:

  ```bash
  cmdkey /add:MyServer /user:MyUser /pass:MyPassword
  ```
* **Delete Credentials**:

  ```bash
  cmdkey /delete:MyServer
  cmdkey /delete:Domain:interactive=WORKGROUP\Administrator
  ```
* **Run as Another User and Save Credentials**:

  ```bash
  runas /savecred /user:quickem-h5dsq1v\quickemu powershell.exe
  ```

  On subsequent uses, the password will not be requested:

  ```bash
  runas /savecred /user:quickem-h5dsq1v\quickemu "cmd.exe"
  ```
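The entries that matter most when reviewing a session are the `Domain:interactive=...` targets, because those are exactly the saved credentials `runas /savecred` reuses without prompting. The following PowerShell is an added audit example, not code from the original page: it parses the text output of `cmdkey /list` into objects and marks such entries as high risk so they can be removed with `cmdkey /delete`. The `-InputText` parameter, the constructed sample output, and the Target/Type/User/persistence-line record layout it assumes are this example's own; the layout matches what `cmdkey /list` prints on current Windows versions.

```powershell
# Added example (not from the original page): audit saved credentials via cmdkey.
# Assumption: each cmdkey record is "Target:", "Type:", "User:" and an optional
# "... persistence" line. -InputText is a hypothetical parameter introduced here
# so the parser can be exercised offline on a constructed sample.

function Get-StoredCredentialAudit {
    [CmdletBinding()]
    param(
        # Raw cmdkey output; when omitted the function runs `cmdkey /list` itself.
        [string[]]$InputText
    )

    if (-not $InputText) {
        $InputText = cmdkey /list
    }

    $records = @()
    $current = $null
    foreach ($line in $InputText) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^Target:\s*(.+)$') {
            if ($current) { $records += $current }
            $current = [PSCustomObject]@{
                Target      = $Matches[1]
                Type        = $null
                User        = $null
                Persistence = 'Session only'
                Risk        = 'Info'
            }
        }
        elseif ($current -and $trimmed -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $trimmed -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
        elseif ($current -and $trimmed -match 'persistence$')   { $current.Persistence = $trimmed }
    }
    if ($current) { $records += $current }

    foreach ($r in $records) {
        # Domain:interactive entries are what `runas /savecred` consumes: anyone
        # controlling this session can start a process as that user, no password asked.
        if ($r.Target -like 'Domain:interactive=*') {
            $r.Risk = 'High'
        }
        # Other domain passwords still allow network authentication to the saved target.
        elseif ($r.Type -eq 'Domain Password') {
            $r.Risk = 'Medium'
        }
    }
    return $records
}

# Constructed sample mirroring cmdkey's layout, so the parser runs without touching
# the real Credential Manager. Call Get-StoredCredentialAudit with no arguments to
# audit the current session instead.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\svc_backup
    Local machine persistence

    Target: MicrosoftAccount:target=SSO_POP_Device
    Type: Generic
    User: 02abcdef12345678
    Local machine persistence
'@ -split "`r?`n"

Get-StoredCredentialAudit -InputText $sample |
    Format-Table Risk, Target, Type, User, Persistence -AutoSize
```

Every entry reported as `High` should be removed with `cmdkey /delete:<Target>` unless there is a documented reason to keep it; `Medium` entries are worth reviewing against the list of services the account legitimately needs to reach from this machine.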

***

## **Windows Vault**

Credential Manager relies on the **Windows Vault** as its storage backend. The vault securely encrypts and manages sensitive data.

**Command-Line Access**

* **List All Vaults**:

  ```bash
  vaultcmd /list
  ```
* **List Entries in a Vault**:

  ```bash
  vaultcmd /listcreds:"Web Credentials" /all
  ```
* **Dump Vault Data with Mimikatz**:

  ```bash
  mimikatz.exe vault::list
  ```

***

## Other Resources

* **Credential Manager Store**:\
  [Microsoft Documentation](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994565\(v=ws.11\))
* **cmdkey Documentation**:\
  [Microsoft Documentation](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey)

{% hint style="danger" %}
**Disclaimer**

**❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!**❗
{% endhint %}
