Introduction

Credential Manager is a new SSO solution that Microsoft offers in Windows Server 2003 and Windows XP to provide a secured store for credential information. It allows you to enter user names and passwords for various network resources and applications once, and then have the system automatically supply that information on subsequent visits to those resources without your intervention.

For example, when you use the command:

net use * \\computer_name\share_name /user:user_name password /savecred

Credential Manager stores the supplied password in the so-called "Enterprise Credential Set" of the local machine.


This set of credentials is stored in the file

\Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials

and is encrypted using the DPAPI subsystem.

There is also another set, used for credentials that should persist on the local machine only and cannot be used in roaming profiles. This is called the "Local Credential Set" and it refers to the file:

\Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials


You can find more information about this feature at the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/dpapiusercredentials.asp


Microsoft Windows XP/2003 exports some APIs that application developers can use to interact with Credential Manager; for example, the function

BOOL CredEnumerate (LPCSTR Filter, DWORD Flags, DWORD* Count, PCREDENTIAL** Credentials)

can be used to enumerate all cached resources and passwords, but only some of these credentials can be viewed in clear text.

According to the MSDN documentation, Credential Manager can store different types of credentials, in the form of passwords, security BLOBs or certificate files. The credential types are:

CRED_TYPE_GENERIC
    The credential is a generic credential. The credential will not be used by any particular authentication package. The credential will be stored securely but has no other significant characteristics.

CRED_TYPE_DOMAIN_PASSWORD
    The credential is a password credential and is specific to Microsoft's authentication packages. The NTLM, Kerberos, and Negotiate authentication packages will automatically use this credential when connecting to the named target.

CRED_TYPE_DOMAIN_CERTIFICATE
    The credential is a certificate credential and is specific to Microsoft's authentication packages. The Kerberos, Negotiate, and Schannel authentication packages automatically use this credential when connecting to the named target.

CRED_TYPE_DOMAIN_VISIBLE_PASSWORD
    The credential is a password credential and is specific to Microsoft's authentication packages. The Passport authentication package will automatically use this credential when connecting to the named target.

Additional values will be defined in the future. Applications should be written to allow for credential types they do not understand.

 

If you use the above function to enumerate a credential of type CRED_TYPE_DOMAIN_PASSWORD for example, the API will not return the cached password in clear text form.
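A defensive use of the CredEnumerate API described above is to audit which credentials a user has left in the store (for instance after a "net use ... /savecred") without decrypting anything. The following PowerShell script is an added example; it is not code from Cain & Abel or from the MSDN documentation. It assumes a Windows host with PowerShell and .NET, uses only the documented CredEnumerate/CredFree functions and the CREDENTIAL structure from wincred.h, and the wrapper class CredApi and the function Get-StoredCredentialInventory are names chosen for this example. It reports target, user, type and persistence only and never reads the CredentialBlob field.

```powershell
# Added example, not part of Cain & Abel: read-only inventory of the calling
# user's stored credentials through the documented CredEnumerate/CredFree APIs
# in advapi32.dll. "CredApi" and "Get-StoredCredentialInventory" are names
# chosen for this example.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class CredApi
{
    // Layout of the documented CREDENTIAL structure (wincred.h), Unicode variant.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL
    {
        public uint   Flags;
        public uint   Type;
        public string TargetName;
        public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint   CredentialBlobSize;
        public IntPtr CredentialBlob;    // deliberately never read by this script
        public uint   Persist;
        public uint   AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredEnumerate(string filter, uint flags,
                                            out uint count, out IntPtr credentials);

    [DllImport("advapi32.dll")]
    public static extern void CredFree(IntPtr buffer);
}
"@

function Get-StoredCredentialInventory {
    # Type and persistence constants as defined in wincred.h
    $typeNames = @{ 1 = 'CRED_TYPE_GENERIC'; 2 = 'CRED_TYPE_DOMAIN_PASSWORD';
                    3 = 'CRED_TYPE_DOMAIN_CERTIFICATE'; 4 = 'CRED_TYPE_DOMAIN_VISIBLE_PASSWORD' }
    $persistNames = @{ 1 = 'CRED_PERSIST_SESSION'; 2 = 'CRED_PERSIST_LOCAL_MACHINE';
                       3 = 'CRED_PERSIST_ENTERPRISE' }

    [uint32]$count  = 0
    [IntPtr]$buffer = [IntPtr]::Zero
    # Filter $null and Flags 0 enumerate every credential of the calling user.
    if (-not [CredApi]::CredEnumerate($null, 0, [ref]$count, [ref]$buffer)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq 1168) { return @() }   # ERROR_NOT_FOUND: nothing is stored
        throw "CredEnumerate failed, Win32 error $err"
    }
    try {
        # The buffer is an array of PCREDENTIAL pointers, one per stored entry.
        for ($i = 0; $i -lt $count; $i++) {
            $ptr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buffer, $i * [IntPtr]::Size)
            $c   = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][CredApi+CREDENTIAL])
            $typeName    = if ($typeNames.ContainsKey([int]$c.Type)) { $typeNames[[int]$c.Type] } else { "UNKNOWN($($c.Type))" }
            $persistName = if ($persistNames.ContainsKey([int]$c.Persist)) { $persistNames[[int]$c.Persist] } else { "UNKNOWN($($c.Persist))" }
            [pscustomobject]@{
                Target    = $c.TargetName
                User      = $c.UserName
                Type      = $typeName
                Persist   = $persistName
                BlobBytes = $c.CredentialBlobSize   # size only; the blob itself is not read
            }
        }
    }
    finally {
        [CredApi]::CredFree($buffer)   # one call releases the whole array
    }
}

# Usage: list everything, then flag the kind of entry a "net use ... /savecred"
# leaves behind (a domain password in the Enterprise set, which also roams).
$inventory = Get-StoredCredentialInventory
$inventory | Format-Table Target, User, Type, Persist, BlobBytes -AutoSize
$inventory |
    Where-Object { $_.Type -eq 'CRED_TYPE_DOMAIN_PASSWORD' -and $_.Persist -eq 'CRED_PERSIST_ENTERPRISE' } |
    ForEach-Object { Write-Warning "Enterprise-persisted domain password for $($_.Target) ($($_.User))" }
```

Because the store is protected per user by DPAPI, the script only sees the credentials of the account that runs it; run it in each user's context when reviewing a shared workstation. The warning branch is the practical hygiene check: entries of type CRED_TYPE_DOMAIN_PASSWORD with Enterprise persistence are the ones created by /savecred and are automatically replayed by NTLM, Kerberos and Negotiate, so each one should be a credential the user consciously chose to keep.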


Non-developer users can interact with Credential Manager using the application "Stored User Names and Passwords", which can be found under:

Start-> Settings-> Control Panel-> User Accounts-> %Account% -> Manage my network passwords.

As you can see from the image above, this application cannot show you what the passwords cached on your system are.

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt credential files. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied into the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem and uses the "DumpCF" function of Abel.dll to call the native, undocumented LsaICryptUnprotectData API from LSASRV.DLL and decrypt the credential files. The thread stores the output of this API in a temporary file named cred.txt, located in the same directory as the program. Finally, the user's credentials are dumped and displayed on screen.


Credential Manager can store various kinds of passwords; they can be saved as MultiByte or WideChar strings, security BLOBs and certificates too. The choice of the final encryption method is left to the user.

The program will try to recognize plain text passwords stored as MultiByte strings or WideChar strings, and will also decode Passport and Standard (no entropy) credential BLOBs originally encrypted using the CryptProtectData API.

Usage

The Credential Manager Password Decoder dialog can be activated from the main menu under "Tools" or by pressing the corresponding toolbar button.

Requirements

This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Abel.dll is also required by the remote thread injected into the LSASS process.