Credential Manager is a new SSO solution that Microsoft offers in Windows
Server 2003 and Windows XP to provide a secured store for credential information.
It allows you to input user name and passwords for various network resources
and applications once, and then have the system automatically supply that information
for subsequent visits to those resources without your intervention.
One example is the command:
net use * \\computer_name\share_name /user:user_name
Credential Manager stores user's credentials in the following files:
- Enterprise Credential Set:
\Documents and Settings\%Username%\Application
- Local Credential Set:
\Documents and Settings\%Username%\Local Settings\Application
On WindowsXP, the application "Stored User Names and Passwords",
that can be found under Start-> Settings-> Control Panel-> User Accounts->
%Account% -> Manage my network passwords, allows you to manage this kind
This program dumps passwords from user's credential files and shows them
in they're cleartext form.
HOW IT WORKS:
The program follows the same methodology used by Todd Sabin
in his PWDUMP2 program to decrypt credential files. It uses the "DLL injection"
technique to run a thread in the same security context of the Local Security
Authority Subsystem process. The thread's executable code must first be copied
to the address space of LSASS process and this requires an account with the
SeDebugPrivilege user right. By default only Administrators have this right.
Once injected and executed, the thread will run with the same access privileges
of the Local Security Authority Subsystem and will use the native undocumented
LsaICryptUnprotectData API from LSASRV.DLL to decrypt the credentials file.
The thread stores the output of this API in a temporary file named cred.txt
located in the same directory of the program. Finally, user's credentials are
dumped and put ont the screen. Credential Manager can store various kind of
passwords, they can be saved as MultiByte or WideChar strings, security BLOBS
and certificates too. The choice of the final encryption method is left to the
user. The program will try to recognize plaintext passwords stored as MultiByte
strings or WideChar strings, and will also decode Passport and Standard (no
entropy) credential BLOBS originally stored using the CryptProtectData API.
creddump - Credential Manager
Password Dumper for Windows XP/2003
binaries and source code
Send comments to oxid.it forum.