creddump - Credential Manager Password Dumper for Windows XP/2003
-----------------------------------------------------------------

Author: Massimiliano Montoro
EMail: mao@oxid.it
Website: http://www.oxid.it


DESCRIPTION:
------------
Credential Manager is a new SSO solution that Microsoft offers in Windows Server 2003 
and Windows XP to provide a secured store for credential information. It allows you 
to enter user names and passwords for various network resources and applications once, 
and then have the system automatically supply that information on subsequent visits to 
those resources without your intervention. 
One example is the command:
net use * \\computer_name\share_name /user:user_name password /savecred 

Credential Manager stores a user's credentials in the following files:

- Enterprise Credential Set:
\Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials
- Local Credential Set:
\Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials

On Windows XP, the application "Stored User Names and Passwords", which can be found under 
Start-> Settings-> Control Panel-> User Accounts-> %Account% -> Manage my network passwords, 
allows you to manage these credentials.

This program dumps passwords from the user's credential files and shows them in their 
cleartext form.


BUILDING:
---------
The program source code is available at http://www.oxid.it. The package includes the 
Visual C++ workspace file named creddump.dsw that you can use to build the executables.



USAGE:
------
Copy the executable files (creddump.exe, creddump.dll) into the same directory and
type creddump at the command prompt.


HOW IT WORKS:
-------------
The program follows the same methodology used by Todd Sabin in his PWDUMP2 program 
to decrypt credential files. It uses the "DLL injection" technique to run a thread 
in the same security context as the Local Security Authority Subsystem process.
The thread's executable code must first be copied into the address space of the LSASS
process, and this requires an account with the SeDebugPrivilege user right. By default
only Administrators have this right. 
Once injected and executed, the thread runs with the same access privileges as 
the Local Security Authority Subsystem and uses the native undocumented 
LsaICryptUnprotectData API from LSASRV.DLL to decrypt the credentials file. The thread 
stores the output of this API in a temporary file named cred.txt located in the same 
directory as the program. Finally, the user's credentials are dumped and printed on the screen.
Credential Manager can store various kinds of passwords: they can be saved as MultiByte or 
WideChar strings, and as security BLOBs and certificates too. The choice of the final 
encryption method is left to the user. The program will try to recognize plaintext passwords 
stored as MultiByte strings or WideChar strings, and will also decode Passport and Standard
(no entropy) credential BLOBs originally stored using the CryptProtectData API.
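The injection step described above (copying code into LSASS and starting a thread there) is also what a defender can look for. The following added example is not part of creddump; it assumes a Sysmon-style ProcessAccess event (Event ID 10) flattened into key=value lines, and flags any handle to lsass.exe that carries the three access rights a remote thread needs.

```python
"""Flag process-access events that look like code being injected into LSASS."""
import re
from dataclasses import dataclass

# Win32 process access rights (constants from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# All three are needed to write a thread body into another process and run it.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample log: a simplified key=value rendering of Sysmon Event ID 10.
# 0x1F0FFF is PROCESS_ALL_ACCESS on XP/2003; the other masks are read/query-only.
SAMPLE_EVENTS = """\
EventID=10 SourceImage=C:\\tools\\creddump.exe TargetImage=C:\\WINDOWS\\system32\\lsass.exe GrantedAccess=0x1F0FFF
EventID=10 SourceImage=C:\\WINDOWS\\system32\\csrss.exe TargetImage=C:\\WINDOWS\\system32\\lsass.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\\WINDOWS\\explorer.exe TargetImage=C:\\WINDOWS\\system32\\notepad.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\tools\\procmon.exe TargetImage=C:\\WINDOWS\\system32\\lsass.exe GrantedAccess=0x1010
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    source: str   # image that opened the LSASS handle
    granted: int  # access mask it was granted


def parse_event(line):
    """Turn one key=value line into a dict (paths in the sample contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def is_lsass_inject_access(ev):
    """True when a ProcessAccess event grants thread-injection rights on lsass.exe."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev["GrantedAccess"], 16)
    return granted & INJECT_MASK == INJECT_MASK


def find_lsass_injection(log_text):
    """Scan a block of events and return one Alert per suspicious LSASS handle."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_lsass_inject_access(ev):
            alerts.append(Alert(ev["SourceImage"], int(ev["GrantedAccess"], 16)))
    return alerts
```

Debuggers and some monitoring agents legitimately open LSASS with these rights, so the source image list is what turns this from a signal into an alert.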
 

that's all,
enjoy.

Microsoft, Windows, Windows 2003 and Windows XP are all registered trademarks of the Microsoft Corporation.
