The Dial-Up Password Decoder reveals passwords stored by the Windows "Dial-Up Networking" component. RAS credentials are usually stored in the LSA Secrets "L$_RasDefaultCredentials" and "RasDialParams!<UserSID>", while all other connection parameters (phone number, IP address, ...) reside in Phonebook files (.pbk).
The information contained in the list can also be exported into text files by pressing the "Export" button.
This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to dump the LSA secrets present on the system. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied into the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.
Once injected and executed, the thread runs with the same access privileges as the Local Security Authority Subsystem; it loads the function "DumpLsa" from Abel.dll, which opens and queries each secret using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The thread stores the data returned by these functions in a temporary file named lsa.txt, located in the same directory as the program. Finally, the program extracts from the temporary file all the credentials related to "Dial-Up Networking" and associates them with the parameters found in the Phonebook files.
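The mechanism described above leaves distinctive telemetry: a user-mode process opening LSASS with write and thread-creation rights, a remote thread created in lsass.exe, a non-system DLL (Abel.dll) loaded into LSASS, and LSASS itself writing a text file (lsa.txt). The following is an added example, not Cain & Abel's code and not part of this help page: simple detection logic run over constructed, Sysmon-style event records. The field names (SourceImage, TargetImage, GrantedAccess, ImageLoaded, TargetFilename) are Sysmon's; the process paths, the allowlist and the event contents are assumptions made up for the demonstration.

```python
"""
Added example (not part of Cain & Abel): flag the LSASS-injection pattern
this page describes, using constructed Sysmon-style event dictionaries.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Sysmon event IDs used below (real Sysmon event types).
EID_IMAGE_LOADED = 7          # a DLL was loaded into a process
EID_CREATE_REMOTE_THREAD = 8  # a thread was created in another process
EID_PROCESS_ACCESS = 10       # a process handle was opened
EID_FILE_CREATE = 11          # a file was created

# Win32 process access-right bits needed to copy code into a process
# and start a thread there (real values from the Windows SDK).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of processes that legitimately touch LSASS; tune per host.
ALLOWED_LSASS_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Return one Finding per event that matches an LSASS-injection indicator."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == EID_PROCESS_ACCESS and _basename(ev["TargetImage"]) == "lsass.exe":
            src = _basename(ev["SourceImage"])
            granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
            if granted & INJECTION_MASK and src not in ALLOWED_LSASS_SOURCES:
                findings.append(Finding("lsass_opened_for_injection", "medium",
                                        f"{src} opened lsass.exe with 0x{granted:X}"))
        elif eid == EID_CREATE_REMOTE_THREAD and _basename(ev["TargetImage"]) == "lsass.exe":
            src = _basename(ev["SourceImage"])
            if src not in ALLOWED_LSASS_SOURCES:
                findings.append(Finding("remote_thread_into_lsass", "high",
                                        f"{src} created a thread in lsass.exe"))
        elif eid == EID_IMAGE_LOADED and _basename(ev["Image"]) == "lsass.exe":
            # The page names Abel.dll as the module loaded by the injected thread.
            if _basename(ev["ImageLoaded"]) == "abel.dll":
                findings.append(Finding("abel_dll_in_lsass", "high",
                                        f"lsass.exe loaded {ev['ImageLoaded']}"))
        elif eid == EID_FILE_CREATE and _basename(ev["Image"]) == "lsass.exe":
            # LSASS writing a text file is anomalous; the page names lsa.txt as the drop file.
            if _basename(ev["TargetFilename"]) == "lsa.txt":
                findings.append(Finding("lsass_wrote_lsa_txt", "high",
                                        f"lsass.exe wrote {ev['TargetFilename']}"))
    return findings


# Constructed sample telemetry (paths and values are invented for this example).
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Tools\\decoder.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": "C:\\Tools\\decoder.exe", "TargetImage": LSASS},
    {"EventID": 7, "Image": LSASS, "ImageLoaded": "C:\\Tools\\Abel.dll"},
    {"EventID": 11, "Image": LSASS, "TargetFilename": "C:\\Tools\\lsa.txt"},
    # Benign noise: allowlisted AV reading LSASS, and LSASS loading its own service DLL.
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 7, "Image": LSASS, "ImageLoaded": "C:\\Windows\\System32\\lsasrv.dll"},
]


def run_sample() -> List[Finding]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.rule}: {f.detail}")
```

The four indicators are independent, so a single one (for example the remote-thread event) is enough to raise an alert; correlating all of them within a short window on the same host gives high confidence that LSA secrets were dumped and points at which process did it.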
The Dial-Up Password Decoder dialog can be opened from the main menu under "Tools" or by pressing the corresponding toolbar button.
This feature requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.
Abel.dll is also required by the remote thread injected into the LSASS process.