13 - Stored Credentials and the Windows Vault

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Credential Manager

The Credential Manager is a Windows feature that provides centralized storage for user credentials such as usernames, passwords, and certificates. It simplifies authentication by securely storing credentials using the Windows Data Protection API (DPAPI).

Credentials stored in the manager can be used by applications and services without requiring users to re-enter authentication details, improving convenience and productivity.

Why is it Dangerous?

Even though credentials in the manager are encrypted using DPAPI, a compromised session exposes all stored credentials.

Active Use by Attackers: While plaintext passwords may not be accessible, attackers can leverage the stored credentials to authenticate to systems and services.

Key Security Implication: If a session is compromised, all credentials stored in the manager can be used.

Best Practices:

Minimize the storage of sensitive credentials in your session.
Protect your session with strong authentication and physical security.

Using Credential Manager

Accessing Credential Manager

Navigate through:

Control Panel → User Accounts → Credential Manager → Web Credentials or Windows Credentials

Command-Line Usage

List Stored Credentials:
```
cmdkey /list
```

Add New Credentials:

cmdkey /add:MyServer /user:MyUser /pass:MyPassword

Delete Credentials:

cmdkey /delete:MyServer
cmdkey /delete:Domain:interactive=WORKGROUP\Administrator

Run as Another User and Save Credentials:

runas /savecred /user:quickem-h5dsq1v\quickemu powershell.exe

On subsequent uses, the password will not be requested:

runas /savecred /user:quickem-h5dsq1v\quickemu "cmd.exe"

Windows Vault

Credential Manager relies on the Windows Vault as its storage backend. The vault securely encrypts and manages sensitive data.

Command-Line Access

List All Vaults:
```
vaultcmd /list
```

List Entries in a Vault:

vaultcmd /listcreds:"Web Credentials" /all

Dump Vault Data with Mimikatz:
```
bmimikatz.exe vault::list
```

Other Resources

Credential Manager Store: Microsoft Documentation
cmdkey Documentation: Microsoft Documentation

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous12 - Windows Hashes Next14 - Scheduled Task

Last updated 8 days ago