Where Credentials are Stored?

General Concept

Applications that implement authentication mechanisms compare user credentials against local or remote databases.

Local credential storage ➤ Credentials are stored on the system.
Web applications ➤ Vulnerable to SQL Injection attacks, which may expose sensitive data, including credentials in plaintext.

⚠️ Example: The RockYou breach exposed 32 million user accounts due to storing credentials in plaintext. This led to the creation of the famous password wordlist rockyou.txt (~14 million passwords).

Linux Credential Storage

Linux manages everything as files – even credentials. Here's how credentials are stored and secured:

📁 `/etc/shadow` File

Encrypted credentials are stored in /etc/shadow:

root@htb:~# cat /etc/shadow

...SNIP...
htb-student:$y$j9T$3QSBB6CbHEu...SNIP...f8Ms:18955:0:99999:7:::

Structure:

<username>:<encrypted password>:<last change>:<min age>:<max age>:<warning>:<inactivity>:<expiration>:<reserved>

Example Breakdown:

htb-student ➤ Username
$y$j9T$3QSBB6CbHEu...f8Ms ➤ Encrypted password

🔐 Hash Format:

$<id>$<salt>$<hashed_password>

Hash ID Types:

Algorithm

$1$

MD5

$2a$

Blowfish

$5$

SHA-256

$6$

SHA-512

$sha1$

SHA1crypt

$y$

Yescrypt

$gy$

Gost-Yescrypt

$7$

Scrypt

📁 `/etc/passwd` File

Used for user info but not encrypted passwords anymore.

z3tssu@htb:~$ cat /etc/passwd
...SNIP...
htb-student:x:1000:1000:,,,:/home/htb-student:/bin/bash

Structure:

<username>:x:<uid>:<gid>:<comment>:<home dir>:<shell>

x means the password is stored in /etc/shadow
File is readable by all, hence moved encrypted passwords to /etc/shadow

❗ Misconfigured permissions on /etc/shadow can lead to privilege escalation.

Windows Authentication & Credential Storage

🧩 Authentication Process

Windows authentication is complex and modular:

🔄 Process Involves:

WinLogon.exe
LogonUI
Credential Providers
LSASS
Authentication Packages
SAM or Active Directory

📜 Key DLLs (Authentication Packages):

DLL

Description

Lsasrv.dll

Enforces policies, selects NTLM/Kerberos

Msv1_0.dll

Local logons

Samsrv.dll

Local user accounts (SAM DB)

Kerberos.dll

Kerberos protocol

Netlogon.dll

Network logon

Ntdsa.dll

Active Directory registry interactions

LSASS (Local Security Authority Subsystem Service)

File: %SystemRoot%\System32\lsass.exe
Functions:
- Authenticates users
- Enforces security policies
- Logs security audit events

LSASS is like the vault of Windows authentication systems.

SAM Database

Location: %SystemRoot%\System32\config\SAM (mounted on HKLM\SAM)
Stores:
- Usernames
- Passwords (in LM or NTLM hash format)
🔐 Requires SYSTEM-level privileges to access
Protected with SYSKEY (introduced in Windows NT 4.0)

Domain-Based Authentication

If Windows is part of a Domain, credentials are validated against Active Directory stored in the NTDS.dit file.

📁 NTDS.dit File:

Location: %SystemRoot%\ntds\ntds.dit
Found on: Domain Controllers
Stores:
- User, group, and computer accounts
- Password hashes
- Group policy objects

🧪 We will explore credential extraction methods from NTDS.dit.

Credential Manager

A built-in feature that stores saved credentials for:

Network resources
Websites

📁 Location:

C:\Users\[Username]\AppData\Local\Microsoft\Vault\
or
C:\Users\[Username]\AppData\Local\Microsoft\Credentials\

🔐 Credentials are encrypted and user-specific. Decryption methods exist and will be explored hands-on.

PreviousPassword Attacks NextJohn The Ripper

Last updated 9 months ago

hashtagGeneral Concept

hashtagLinux Credential Storage

hashtag📁 /etc/shadow File

hashtag🔐 Hash Format:

hashtag📁 /etc/passwd File

hashtagWindows Authentication & Credential Storage

hashtag🧩 Authentication Process

hashtagLSASS (Local Security Authority Subsystem Service)

hashtagSAM Database

hashtagDomain-Based Authentication

hashtagCredential Manager