Internet Explorer allows two methods of credentials storage: web sites credentials (for example: your Facebook user and password) and autocomplete data. The data can be easily retrieved by anyone who knows how. This article will show you how.
Introduction
This article is the third one of several articles covering the secrets of obtaining stored (and encrypted) credentials stored by browsers (and other applications, for example: MS Outlook). The first article covered Wi-Fi credentials. The second one covers Chrome's credentials. This article covers Internet Explorer and how credentials are stored and can be fetched from it.
The Vault
Since Windows 7, a Vault was created for storing any sensitive data, among it the credentials of Internet Explorer. The Vault is in fact a LocalSystem service - vaultsvc.dll.
Internet Explorer allows two methods of credentials storage: web sites credentials (for example: your Facebook user and password) and autocomplete data. Since version 10, instead of using the Registry, a new term was introduced: Windows Vault. Windows Vault is the default storage vault for the credential manager information. To use the "Vault", you load a DLL named "vaultcli.dll" and access its functions as needed.
The Vaultcli DLL
The vaultcli.dll is used to encapsulate the necessary functions to access the Vault.
Our first step towards fetching the stored credentials would be mapping the necessary functions from this DLL.
BOOL InitVault(VOID)
{
BOOL bStatus = FALSE;
hVaultLib = LoadLibrary(L"vaultcli.dll");
if (hVaultLib != NULL)
{
pVaultEnumerateItems = (VaultEnumerateItems)GetProcAddress
(hVaultLib, "VaultEnumerateItems");
pVaultEnumerateVaults = (VaultEnumerateVaults)GetProcAddress
(hVaultLib, "VaultEnumerateVaults");
pVaultFree = (VaultFree)GetProcAddress(hVaultLib, "VaultFree");
pVaultGetItemW7 = (VaultGetItemW7)GetProcAddress(hVaultLib, "VaultGetItem");
pVaultGetItemW8 = (VaultGetItemW8)GetProcAddress(hVaultLib, "VaultGetItem");
pVaultOpenVault = (VaultOpenVault)GetProcAddress(hVaultLib, "VaultOpenVault");
pVaultCloseVault = (VaultCloseVault)GetProcAddress(hVaultLib, "VaultCloseVault");
bStatus = (pVaultEnumerateVaults != NULL)
&& (pVaultFree != NULL)
&& (pVaultGetItemW7 != NULL)
&& (pVaultGetItemW8 != NULL)
&& (pVaultOpenVault != NULL)
&& (pVaultCloseVault != NULL)
&& (pVaultEnumerateItems != NULL);
}
return bStatus;
}
The Process
You need to check which OS is running. If it's Windows 8 or greater, you call VaultGetItemW8. If it isn't, you call VaultGetItemW7.
The next step would be enumerating the vaults. This is done by calling:
dwError = pVaultEnumerateVaults(NULL, &dwVaults, &ppVaultGuids);
pVaultEnumerateVaults (which is in fact "VaultEnumerateVaults") is an API call for enumerating all vaults in order to view their contents.
Next, we open each vault and enumerate each item it contains. The code looks like this:
for (DWORD i = 0; i < dwVaults; i++)
{
dwError = pVaultOpenVault(&ppVaultGuids[i], 0, &hVault);
if (dwError == ERROR_SUCCESS)
{
PVOID ppItems;
DWORD dwItems;
dwError = pVaultEnumerateItems
(hVault, VAULT_ENUMERATE_ALL_ITEMS, &dwItems, &ppItems);
if (dwError == ERROR_SUCCESS)
{
for (DWORD j = 0; j < dwItems; j++)
{
VAULT_ITEM item;
BOOL bResult = FALSE;
memset(&item, 0, sizeof(VAULT_ITEM));
if (bWin80rGreater)
{
bResult = GetItemW8(hVault, (PVAULT_ITEM_W8)ppItems, j, item);
}
else
{
bResult = GetItemW7(hVault, (PVAULT_ITEM_W7)ppItems, j, item);
}
...
Now we need to discuss our own data structure for storing browsers (and other programs') credentials.
At this point, 'item' is holding a single credentials entry and we need to store it in our own data structure, the one we designed to store credentials from various sources.
The SGBrowserCredentials Data Structure
The SGBrowserCredentials (Secured Globe Browser Credentials) is used for any process of fetching browser credentials and is capable of holding the relevant fields which are common to all browsers.
We define the single element and a CSimpleArray for the purpose of collecting the results of our program. We also use CTime for the date/time stamp of each entry. We do so to be able to compare credentials from different sources (browsers), as each browser use a different method for storing date and time. The importance of date/time for the scope of our program is to be able to use it later for filtering the results. For example: being able to tell which new credentials were created since 1.1.2017 or since the last time we checked.
typedef struct _SGBrowserCredentials
{
int Browser; TCHAR Site[256];
TCHAR UserName[80];
TCHAR Password[256];
CTime DateCreated;
_SGBrowserCredentials()
{
Site[0] = 0;
UserName[0] = 0;
Password[0] = 0;
DateCreated = NULL;
}
} SGBrowserCredentials;
typedef CSimpleArray<SGBrowserCredentials> SGBrowserCredentialsArray;
In our case, we want our tool to only display credentials with actual passwords set. There are also stored entries for web sites with no stored passwords and yet, these sites are stored in the vault as well.
if (bResult && wcscmp(item.Password.c_str(), L"") && wcscmp(item.Password.c_str(), L" "))
{
SGBrowserCredentials singleItem;
wcscpy(singleItem.UserName, item.Account.c_str()); wcscpy(singleItem.Site, item.Url.c_str()); singleItem.Browser = 1; singleItem.DateCreated = CTime(item.LastModified); wcscpy(singleItem.Password, item.Password.c_str()); credentials->Add(singleItem);
}
With this dynamic array, we can either display it in our user interface or add it to a textual report (in fact, we do both). The source code for downloading will be added later on.
The Tool
When you start Internet Explorer Credentials Viewer, a split of a second after, you will see a screen similar to this one. All your stored credentials will be displayed.
Further Links
Please visit my Github repos. There is also another article of mine about Chrome.
History
- 30th January, 2017: Initial version
- July 18th, fixed memory leaks.
