General
Saved Windows credentials refer to the user names and passwords that are stored on a computer to allow the user to log in to certain systems or resources automatically. These credentials are typically saved in the Windows Credential Manager, which is a built-in tool that allows the user to manage their saved credentials.
Saved Windows credentials can be exploited in several ways:
-
Using saved credentials to log in to systems or resources: An attacker who has access to the saved credentials could potentially use them to log in to systems or resources that the user has access to.
-
Brute-forcing saved credentials: An attacker could use a brute-force attack to try to guess the password for a saved credential by trying different combinations of characters.
-
Extracting saved credentials: An attacker could use a tool to extract the saved credentials from the Windows Credential Manager, potentially allowing the attacker to use the credentials to log in to systems or resources.
Commands
Windows allows us to use other users' credentials. This function also gives the option to save these credentials on the system. The command below will list saved credentials:
cmdkey /list
While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the runas
 command and the /savecred
 option, as seen below.
runas /savecred /user:admin cmd.exe
PuTTY (Saved Credential) PuTTY is an SSH client commonly found on Windows systems. Instead of having to specify a connection's parameters every single time, users can store sessions where the IP, user and other configurations can be stored for later use. While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.
To retrieve the stored proxy credentials, you can search under the following registry key for ProxyPassword with the following command:
```
reg query HKEY_CURRENT_USER\Software\{USER}\PuTTY\Sessions\ /f "Proxy" /s
```