Windows

BackupCreds – Mastering Credential Dumping In Windows

BackupCreds presents a groundbreaking method for security professionals to exploit SeTrustedCredmanAccessPrivilege, enabling the dumping of stored credentials in Windows environments.

This article delves into the intricate process of leveraging elevated shells for credential extraction, offering a step-by-step guide on accessing and manipulating the Windows Credential Manager.

Discover how BackupCreds transforms security testing and vulnerability assessments with its innovative approach.

________________________________________________
|      _____________________________           |
| [][] _____________________________ [_][_][_] |
| [][] [_][_][_] [_][_][_][_] [_][_] [_][_][_] |
|            Dump all the Creds!               |
| [][] [][][][][][][][][][][][][][_] [][][][]  |
| [][] [_][][][][][][][][][][][][][] [][][][]  |
| [][] [__][][][][][][][][][][][][_] [][][][]  |
| [][] [___][][][][][][][][][][][__] [__][][]  |
|          [_][______________][_]              |
|          Lefteris (lefty) Panos              |
|______________________________________________|

Abusing SeTrusted Credman Access Privilege To Dump User Creds

The program provides the ability to dump the stored credentials a user might have in the Windows Credential Manager.

It is a useful technique in cases where an elevated shell exists and multiple users are currently logged in.

Steps

  1. Finds the right WinLogon process of the user we want to dump the creds
  2. Opens the WinLogon process with PROCESS_QUERY_LIMITED_INFORMATION access
  3. Duplicates token with TOKEN_DUPLICATE access
  4. Turns token to impersonation token
  5. Enables SeTrustedCredmanAccessPrivilege permission
  6. Opens the target process of the user
  7. Steals and impersonates target user
  8. Calls CredBackupCredentials while impersonating the WinLogon token passing a path to write to and a NULL password to disable the user encryption
  9. While still impersonating opens the file and decrypts it using the CryptUnprotectData API
  10. Deletes the file

Usage

backupcreds [PID of target user] [path to save file]

Must be run from an elevated context.

OPSEC

Currently writes to disk to an operator provided path. Will delete the path once done. Accesses WinLogon.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: BackupCredscybersecurityinformationsecuritykalilinuxkalilinuxtools
12 months ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

14 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

14 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

16 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

19 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

19 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago