BackupCreds – Mastering Credential Dumping In Windows

BackupCreds is a tool for security professionals that abuses SeTrustedCredmanAccessPrivilege to dump the credentials a logged-on user has stored in the Windows Credential Manager.

This article walks through how the tool uses an elevated shell for credential extraction, with a step-by-step outline of how it reaches and reads the Windows Credential Manager.

Read on to see how BackupCreds fits into security testing and vulnerability assessments.

________________________________________________
|      _____________________________           |
| [][] _____________________________ [_][_][_] |
| [][] [_][_][_] [_][_][_][_] [_][_] [_][_][_] |
|            Dump all the Creds!               |
| [][] [][][][][][][][][][][][][][_] [][][][]  |
| [][] [_][][][][][][][][][][][][][] [][][][]  |
| [][] [__][][][][][][][][][][][][_] [][][][]  |
| [][] [___][][][][][][][][][][][__] [__][][]  |
|          [_][______________][_]              |
|          Lefteris (lefty) Panos              |
|______________________________________________|

Abusing SeTrustedCredmanAccessPrivilege To Dump User Creds

The program dumps the credentials a user has stored in the Windows Credential Manager.

The technique is useful when an elevated shell already exists and several users are logged on at the same time.

Steps

  1. Finds the WinLogon process belonging to the user whose credentials are to be dumped
  2. Opens that WinLogon process with PROCESS_QUERY_LIMITED_INFORMATION access
  3. Duplicates its token with TOKEN_DUPLICATE access
  4. Converts the token into an impersonation token
  5. Enables SeTrustedCredmanAccessPrivilege on it
  6. Opens the target user's process
  7. Steals that user's token and impersonates the target user
  8. Calls CredBackupCredentials while impersonating the WinLogon token, passing a path to write to and a NULL password so no user-supplied encryption is applied to the backup
  9. While still impersonating, opens the file and decrypts it with the CryptUnprotectData API
  10. Deletes the file

Usage

backupcreds [PID of target user] [path to save file]

Must be run from an elevated context.

OPSEC

Currently writes the backup to disk at an operator-provided path and deletes the file once done. Opens a handle to WinLogon.
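The steps above and the OPSEC note give a defender two observable events to correlate: a handle opened to winlogon.exe with PROCESS_QUERY_LIMITED_INFORMATION (Sysmon Event 10) and SeTrustedCredmanAccessPrivilege being enabled on a token (Security Event 4703). The following detection script is an added example, not code from the BackupCreds project; the log records are constructed, and the assumption is that both event types have been flattened to one JSON object per line with the field names shown.

```python
import json

# Sysmon Event 10 reports the access mask granted on the handle; this bit is
# PROCESS_QUERY_LIMITED_INFORMATION, the access named in step 2 of the tool's procedure.
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
CREDMAN_PRIVILEGE = "SeTrustedCredmanAccessPrivilege"

# Constructed sample telemetry (not real logs): Sysmon 10 ProcessAccess records and
# Security 4703 "token right adjusted" records, one JSON object per line.
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 10, "SourceProcessId": "4321", "SourceImage": r"C:\Tools\backupcreds.exe",
                "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000"}),
    json.dumps({"EventID": 10, "SourceProcessId": "812", "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000"}),
    json.dumps({"EventID": 4703, "ProcessId": "0x10e1", "ProcessName": r"C:\Tools\backupcreds.exe",
                "EnabledPrivilegeList": CREDMAN_PRIVILEGE}),
    json.dumps({"EventID": 4703, "ProcessId": "0x32c", "ProcessName": r"C:\Windows\System32\svchost.exe",
                "EnabledPrivilegeList": "SeBackupPrivilege"}),
])


def detect_credman_abuse(log_text):
    """Return sorted (pid, image) pairs for processes that both opened winlogon.exe with
    PROCESS_QUERY_LIMITED_INFORMATION and enabled SeTrustedCredmanAccessPrivilege.
    Many legitimate processes open winlogon.exe, so the privilege event is what
    makes the correlation worth alerting on."""
    opened_winlogon = {}     # pid -> image of the process that opened winlogon.exe
    enabled_credman = set()  # pids that enabled the privilege (4703 reports the PID in hex)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] == 10 and ev["TargetImage"].lower().endswith("\\winlogon.exe"):
            if int(ev["GrantedAccess"], 16) & PROCESS_QUERY_LIMITED_INFORMATION:
                opened_winlogon[int(ev["SourceProcessId"])] = ev["SourceImage"]
        elif ev["EventID"] == 4703 and CREDMAN_PRIVILEGE in ev["EnabledPrivilegeList"].split():
            enabled_credman.add(int(ev["ProcessId"], 16))
    return sorted((pid, img) for pid, img in opened_winlogon.items() if pid in enabled_credman)


if __name__ == "__main__":
    for pid, image in detect_credman_abuse(SAMPLE_LOG):
        print(f"ALERT pid={pid} {image}: winlogon handle + {CREDMAN_PRIVILEGE} enabled")
```

Baseline which processes on your hosts legitimately enable SeTrustedCredmanAccessPrivilege before turning this into a rule; the svchost.exe record above shows why the winlogon handle alone is not enough.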

Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.
