Didier Stevens

Friday 26 September 2008

Quickpost: Stored User Names and Passwords

Filed under: Encryption,Quickpost — Didier Stevens @ 19:05

“Where does Windows store this password?” “Is it safe there?”

I regularly get asked these questions, and they frequently appear on forums.

Microsoft has developed several technologies to store and protect credentials, and to add to the confusion, Microsoft has renamed some of these technologies over the years…

A list: LSA, Protected Storage, Windows Data Protection (DPAPI), Stored User Names and Passwords, …

Last question I read was: where does runas /savecred store the password? It gets stored in Stored User Names and Passwords. Before storing the password:

And after:

Nirsoft has a tool (CredView) to dump passwords stored in Stored User Names and Passwords:

The CredRead function (used by CredView) will not retrieve Windows passwords (domain and local) unless it is called from the LSA process. That’s why CredView doesn’t display the testrunas password (data).

If you convert CredView to a DLL and inject it in the LSA process, you’ll be able to retrieve the passwords. This is exactly what Cain & Abel does, and why you need admin rights (SeDebugPrivilege to be precise).

Quickpost info

4 Comments »

  1. I tried with regmon/filemon to find where the credentials actually stored, still not sure:
    hkcu\Software\Microsoft\Protected Storage System Provider,
    \documents and settings\username\Application Data\Microsoft\Credentials or hklm\security? sam

    Comment by unary — Friday 26 September 2008 @ 21:44

  2. No, when adding the first credentials, a file (credentials.sys) was create here:
    C:\Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials

    And each time I added credentials, the file grew in size (128 bytes).
    And decreased (128 bytes) when I removed a credential.

    Comment by Didier Stevens — Friday 26 September 2008 @ 21:49

  3. […] Filed under: Encryption, Quickpost, Reverse Engineering — Didier Stevens @ 16:06 Another stored password question I was asked: where does SQL Server 2005 Management Studio store the passwords, and are they […]

    Pingback by Quickpost: SQL Server 2005 Management Studio and Password Management « Didier Stevens — Monday 29 September 2008 @ 16:08

  4. […] Quickpost: Stored User Names and Passwords Didier gives us some interesting info about where Windows keeps stored passwords. He also points us to some tools to work with them. […]

    Pingback by Interesting Information Security Bits for 09/29/2008 « Infosec Ramblings — Monday 29 September 2008 @ 20:41


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.