How to Find Hidden & Saved Passwords in Windows?

Amora The Enchantress
4 min readJun 8, 2021


Windows may store your credentials in several locations within the operating system. The credentials are stored in encrypted form, but they can easily be decrypted.

Let's find out how.

Pick a pen and let's get started!

Windows Credential Manager:

Vault

Start → Type Credential Manager

There are two categories: Web Credentials and Windows Credentials.

• Web Credentials: Any passwords from sites that you saved while browsing in Internet Explorer or Microsoft Edge.

(Even if you turn off the save-password option in the browser, Windows Credential Manager still holds the passwords that were saved earlier. The user might not be aware of that.)

• Windows Credentials: Credentials used when connecting to network shares, other computers on the network, or network devices such as a NAS.

Types of Credentials in Vault

Google Chrome Saved Password:

• Saved Passwords

• Saved Payment Details

Located in C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default\Login Data (an SQLite database; Lenovo is the user profile name on the author's machine)
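Added example (not part of the original post and not Google's code): the Login Data file named above is an SQLite database, and a Python script can inventory which sites and usernames a profile has stored without touching the encrypted password_value blobs. The script builds a constructed stand-in database using a subset of the real logins table columns (origin_url, action_url, username_value, password_value and date_created are real column names; the rows and blob bytes are invented) and then reads it the way one would read the real file: from a copy, because Chrome keeps the live database locked.

```python
"""Inventory saved logins in a Chrome 'Login Data' file without decrypting anything."""
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple


def inventory_logins(login_data_path: Path) -> List[Tuple[str, str, bool]]:
    """Return (origin_url, username, has_encrypted_password) for every saved login.

    password_value is only tested for presence; the DPAPI / 'v10' AES-GCM blob
    Chrome stores there is never decrypted.
    """
    # Work on a copy: the live database is locked while Chrome is running.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Login Data.copy"
        shutil.copy2(login_data_path, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value, password_value FROM logins "
                "ORDER BY origin_url"
            ).fetchall()
        finally:
            conn.close()
    return [(origin, user, bool(pw)) for origin, user, pw in rows]


def build_sample_login_data(path: Path) -> None:
    """Create a constructed stand-in for Login Data (subset of Chrome's real schema)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, action_url TEXT, username_value TEXT, "
        "password_value BLOB, date_created INTEGER)"
    )
    # In a real profile password_value is an encrypted blob; these bytes are
    # invented and carry no secret.
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?, ?)",
        [
            ("https://mail.example.com/", "https://mail.example.com/login",
             "alice", b"v10\x00constructed-blob", 13270000000000000),
            ("https://intranet.example.com/", "https://intranet.example.com/auth",
             "alice@example.com", b"\x01\x00\x00\x00constructed-dpapi", 13270000001000000),
            ("https://shop.example.com/", "https://shop.example.com/signin",
             "", b"", 13270000002000000),
        ],
    )
    conn.commit()
    conn.close()


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed database in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "Login Data"
        build_sample_login_data(db)
        return inventory_logins(db)


if __name__ == "__main__":
    for origin, user, has_pw in demo():
        print(f"{origin:35} {user or '(blank)':25} password stored: {has_pw}")
```

Against a real profile, call inventory_logins() with the path from the post (C:\Users\<profile>\AppData\Local\Google\Chrome\User Data\Default\Login Data); the SELECT uses only columns that exist in Chrome's real logins table. The point of the blank-username row is that an entry can exist with no usable password at all, which an inventory should report rather than silently skip.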

Access Windows Credential Manager using Lolbins: vaultcmd.exe

The vaultcmd executable is a Microsoft Windows command-line program stored in the %SYSTEM% folder.

Vaultcmd creates, stores and deletes credentials. Storing credentials on a computer saves time for legitimate users; however, the same is true for unauthorized users. Once credentials are stored there, an attacker with access to the machine can simply use "vaultcmd" commands to figure out what they have gained access to.

“vaultcmd” command using windows cmd

Third-Party Utilities(Tools):

• EncryptedRegView: A tool for Windows that scans the Registry of your currently running system, or the Registry of an external hard drive you choose, and searches for data encrypted with DPAPI (Data Protection API). When it finds DPAPI-encrypted data, it tries to decrypt it and displays any passwords it recovers.

EncryptedRegView

• CredentialsFileView: A simple tool for Windows that decrypts and displays the passwords and other data stored inside Windows Credentials files. You can use it to decrypt the Credentials data of your currently running system, as well as Credentials data stored on an external hard drive.

CredentialsFileView

• WebBrowserPassView: A password recovery tool for Windows that reveals the passwords stored by the following web browsers: Internet Explorer (versions 4.0–11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera. It can be used to recover your lost or forgotten password for any website, including popular sites like Facebook, Yahoo, Google, and Gmail, as long as the password is stored by your web browser.

WebBrowserPassView

Attackers can use these tools to find your saved browser passwords. For example:

WebBrowserPassView.exe /stabular

This runs the executable from the command line and saves the passwords to a tabular text file, which can later be exfiltrated outside the network.
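As an added example, not code from the original post or from Microsoft or NirSoft, the following Python routine shows the defender's side of the vaultcmd and WebBrowserPassView passages above: it scans process-creation records for vaultcmd.exe, the NirSoft viewers named in this post, and the NirSoft export switches such as /stabular that write recovered credentials to a file for later exfiltration. The records are constructed, simplified Sysmon Event ID 1 lines (the field names Image, CommandLine, User and ParentImage follow Sysmon; every value is invented), and the watch-list of executable names is an assumption to adapt to your environment.

```python
"""Flag credential-access tooling in constructed Sysmon-style process-creation records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed watch-list (adapt to your environment): the LOLBin and NirSoft tools from this post.
CREDENTIAL_TOOLS = {
    "vaultcmd.exe",
    "webbrowserpassview.exe",
    "credentialsfileview.exe",
    "vaultpassview.exe",
    "encryptedregview.exe",
}

# NirSoft "save" switches: /stext, /stab, /stabular, /scomma, /shtml, /sverhtml, /sxml.
# They survive renaming of the binary, so they are worth matching on their own.
EXPORT_SWITCH = re.compile(r"/s(?:tabular|tab|text|comma|verhtml|html|xml)\b", re.IGNORECASE)

# Constructed, simplified Sysmon Event ID 1 records ("Key=Value|Key=Value"); all values invented.
SAMPLE_EVENTS = [
    r"EventID=1|User=CORP\alice|Image=C:\Windows\System32\vaultcmd.exe|CommandLine=vaultcmd /list|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1|User=CORP\alice|Image=C:\Users\alice\Downloads\WebBrowserPassView.exe|CommandLine=WebBrowserPassView.exe /stabular C:\Users\alice\AppData\Local\Temp\pw.txt|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1|User=CORP\alice|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe report.txt|ParentImage=C:\Windows\explorer.exe",
    r"EventID=1|User=CORP\bob|Image=C:\Temp\svchost.exe|CommandLine=svchost.exe /stext out.txt|ParentImage=C:\Windows\System32\cmd.exe",
]


@dataclass
class Finding:
    user: str
    image: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (the constructed format above) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious process-creation event, else None."""
    image = event.get("Image", "")
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    user = event.get("User", "?")
    exporting = EXPORT_SWITCH.search(cmd) is not None
    if base in CREDENTIAL_TOOLS:
        if exporting:
            return Finding(user, base, "credential viewer run with an export switch (results written to disk)")
        return Finding(user, base, "credential-access tool executed")
    if exporting:
        # A renamed copy of a NirSoft tool still needs its export switch to stage output.
        return Finding(user, base, "NirSoft-style export switch on an unlisted binary (possibly renamed tool)")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run evaluate() over every record and collect the findings in order."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.user}] {f.image}: {f.reason}")
```

The third sample record (notepad.exe) is the benign control and produces nothing; the fourth shows why the export switch is matched independently of the image name, since a renamed binary in C:\Temp would otherwise slip past a name-only rule. In production the same logic would be fed from Sysmon or Windows Security 4688 events with command-line auditing enabled.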

Windows vault files are stored in the following folders:

  • C:\Users\[User Profile]\AppData\Local\Microsoft\Vault
  • C:\ProgramData\Microsoft\Vault
  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault

• VaultPassView: A tool for Windows 10/8/7 that decrypts and displays the passwords and other data stored inside the 'Windows Vault'.

Inside these vault folders there is a file named Policy.vpol that contains the encryption key. That key is used to decrypt the .vcrd files in the same vault folder.
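Added example (not from the original post): a Python triage walk over the three vault locations listed above. For each folder that holds a Policy.vpol it reports how many .vcrd files sit beside it, and it separately lists folders that contain .vcrd files but no Policy.vpol, which by the description above cannot be decrypted from what is on disk. No decryption is attempted. The GUID-style folder name and file contents in build_sample_vault() are constructed for the demo; default_vault_roots() returns the three real paths from the post, with the user-profile placeholder expanded from LOCALAPPDATA.

```python
"""Triage the Windows Vault folders: which vaults exist and how many credential files they hold."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List


def default_vault_roots() -> List[Path]:
    """The three locations named in the post; the profile placeholder comes from LOCALAPPDATA."""
    local = Path(os.environ.get("LOCALAPPDATA", r"C:\Users\Default\AppData\Local"))
    return [
        local / "Microsoft" / "Vault",
        Path(r"C:\ProgramData\Microsoft\Vault"),
        Path(r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault"),
    ]


@dataclass
class VaultReport:
    folder: str
    has_policy: bool   # Policy.vpol (the key file) present in this folder
    vcrd_count: int    # number of .vcrd credential files beside it


def triage_vaults(roots: List[Path]) -> List[VaultReport]:
    """Walk every existing root and report each folder holding vault material."""
    reports = []
    for root in roots:
        if not root.is_dir():
            continue  # missing on this machine (or not Windows); skip quietly
        for folder, _dirs, files in os.walk(root):
            names = {f.lower() for f in files}
            vcrd = sum(1 for f in names if f.endswith(".vcrd"))
            has_policy = "policy.vpol" in names
            if vcrd or has_policy:
                reports.append(VaultReport(folder, has_policy, vcrd))
    return sorted(reports, key=lambda r: r.folder)


def build_sample_vault(base: Path) -> Path:
    """Constructed layout: one normal vault plus a folder with an orphaned .vcrd."""
    root = base / "Microsoft" / "Vault"
    good = root / "4BF4C442-9B8A-41A0-B380-DD4A704DDB28"  # GUID-style name, constructed
    good.mkdir(parents=True)
    (good / "Policy.vpol").write_bytes(b"constructed policy blob")
    (good / "0123456789ABCDEF0123456789ABCDEF.vcrd").write_bytes(b"constructed cred blob")
    (good / "FEDCBA9876543210FEDCBA9876543210.vcrd").write_bytes(b"constructed cred blob")
    orphan = root / "orphan"
    orphan.mkdir()
    (orphan / "AAAAAAAA.vcrd").write_bytes(b"constructed, no policy here")
    return root


def demo() -> List[VaultReport]:
    """Build the constructed layout in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_vault(Path(tmp))
        return triage_vaults([root])


if __name__ == "__main__":
    for r in demo():
        state = "ok" if r.has_policy else "NO Policy.vpol"
        print(f"{r.folder}: {r.vcrd_count} .vcrd file(s), {state}")
```

On a real host, run triage_vaults(default_vault_roots()) from an elevated prompt, since the ProgramData and systemprofile roots are not readable by a standard user; a folder that reports .vcrd files without Policy.vpol is worth a closer look, because a normal vault always carries its key file alongside its credential files.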

Have fun and be safe…
