Click here to Skip to main content
13,251,556 members (88,177 online)
Click here to Skip to main content
Add your own
alternative version

Stats

7.1K views
13 bookmarked
Posted 30 Jan 2017

The Secrets of Internet Explorer Credentials

, 30 Jan 2017
Rate this:
Please Sign up or sign in to vote.
Internet Explorer allows two methods of credentials storage: web sites credentials (for example: your Facebook user and password) and autocomplete data. The data can be easily retrieved by anyone who knows how. This article will show you how.

Download IE Credentials Viewer tool

Introduction

This article is the 3rd one of several articles covering the secrets of obtaining stored (and encrypted) credentials stored by browsers (and other applications, for example: MS Outlook). The first article covered Wi-Fi credentials. The 2nd one covers Chrome's credentials. This article covers Internet Explorer and how credentials are stored and can be fetched from it.  

The Vault

Since Windows 7, a Vault was created for storing any sensitive data among it the credentials of Internet Explorer. The Vault is in fact a LocalSystem service - vaultsvc.dll.

Internet Explorer allows two methods of credentials storage: web sites credentials (for example: your Facebook user and password) and autocomplete data. Since version 10, instead of using the Registry a new term was introduced: Windows Vault. Windows Vault is the default storage vault for the credential manager information. To use the "Vault", you load a DLL named "vaultcli.dll" and access its functions as needed.

The Vaultcli DLL

The vaultcli.dll is used to encapsulate the necessary functions to access the Vault. 
Our first step towards fetching the stored credentials would be mapping the necessary functions from this DLL. 

BOOL InitVault(VOID) 
{

    BOOL bStatus = FALSE;

    hVaultLib = LoadLibrary(L"vaultcli.dll");

    if (hVaultLib != NULL) 
    {
        pVaultEnumerateItems = (VaultEnumerateItems)GetProcAddress(hVaultLib, "VaultEnumerateItems");
        pVaultEnumerateVaults = (VaultEnumerateVaults)GetProcAddress(hVaultLib, "VaultEnumerateVaults");
        pVaultFree = (VaultFree)GetProcAddress(hVaultLib, "VaultFree");
        pVaultGetItemW7 = (VaultGetItemW7)GetProcAddress(hVaultLib, "VaultGetItem");
        pVaultGetItemW8 = (VaultGetItemW8)GetProcAddress(hVaultLib, "VaultGetItem");
        pVaultOpenVault = (VaultOpenVault)GetProcAddress(hVaultLib, "VaultOpenVault");
        pVaultCloseVault = (VaultCloseVault)GetProcAddress(hVaultLib, "VaultCloseVault");

        bStatus = (pVaultEnumerateVaults != NULL)
            && (pVaultFree != NULL)
            && (pVaultGetItemW7 != NULL)
            && (pVaultGetItemW8 != NULL)
            && (pVaultOpenVault != NULL)
            && (pVaultCloseVault != NULL)
            && (pVaultEnumerateItems != NULL);
    }
    return bStatus;
}

 

The Process

You need to check which OS is running. If it's Windows 8 or greater, you call VaultGetItemW8. If it isn't, you call VaultGetItemW7.

The next step would be enumerating the vaults. This is done by calling

dwError = pVaultEnumerateVaults(NULL, &dwVaults, &ppVaultGuids);

pVaultEnumerateVaults (which is in fact "VaultEnumerateVaults") is an API call for enumerating all vaults in order to view their contents. 

Next we open each vault and enumerate each item it contains. The code looks like this:

    for (DWORD i = 0; i < dwVaults; i++) 
    {
        dwError = pVaultOpenVault(&ppVaultGuids[i], 0, &hVault);
        // open it
        
        if (dwError == ERROR_SUCCESS) 
        {
            PVOID ppItems;
            DWORD dwItems;

            // enumerate items
            dwError = pVaultEnumerateItems(hVault, VAULT_ENUMERATE_ALL_ITEMS, &dwItems, &ppItems);

            if (dwError == ERROR_SUCCESS) 
            {
                // for each item
                for (DWORD j = 0; j < dwItems; j++) 
                {
                    VAULT_ITEM item;
                    BOOL bResult = FALSE;
                    memset(&item, 0, sizeof(VAULT_ITEM));

                    if (bWin80rGreater) 
                    {
                        bResult = GetItemW8(hVault, (PVAULT_ITEM_W8)ppItems, j, item);
                    }
                    else 
                    {
                        bResult = GetItemW7(hVault, (PVAULT_ITEM_W7)ppItems, j, item);
                    }
...

Now we need to discuss our own data structure for storing browsers (and other programs') credentials.

At this point, 'item' is holding a single credentials entry and we need to store it in our own data structure, the one we designed to store credentials from various sources. 

The SGBrowserCredentials Data Structure

The SGBrowserCredentials (Secured Globe Browser Credentials) is used for any process of fetching browser credentials and is capable of holding the relevant fields which are common to all browsers. 

We define the single element and a CSimpleArray for the purpose of collecting the results of our program. We also use CTime for the date/time stamp of each entry. We do so to be able to compare credentials from different sources (browsers), as each browser use a different method for storing date and time. The importance of date/time for the scope of our program is to be able to use it later for filtering the results. For example: being able to tell which new credentials were created since 1.1.2017 or since last time we checked.

typedef struct _SGBrowserCredentials
{
    int Browser; // 0 = chrome, 1 = ie, 2 = firefox, 
    TCHAR Site[256];
    TCHAR UserName[80];
    TCHAR Password[256];
    CTime DateCreated;
    _SGBrowserCredentials()
    {
        Site[0] = 0;
        UserName[0] = 0;
        Password[0] = 0;
        DateCreated = NULL;
    }
} SGBrowserCredentials;

typedef CSimpleArray<SGBrowserCredentials> SGBrowserCredentialsArray;

In our case we want our tool to only display credentials with actual passwords set. There are also stored entries for web sites with no stored passwords and yet, these sites are stored in the vault as well. 

if (bResult && wcscmp(item.Password.c_str(), L"") && wcscmp(item.Password.c_str(), L" "))
{
    SGBrowserCredentials singleItem;
    wcscpy(singleItem.UserName, item.Account.c_str()); // User name
    wcscpy(singleItem.Site, item.Url.c_str()); // URL
    singleItem.Browser = 1; // better replace this value with enum{chrome, ie, firefox} ...
    singleItem.DateCreated = CTime(item.LastModified); // Date stored as CTime
    wcscpy(singleItem.Password, item.Password.c_str()); // Password
    credentials->Add(singleItem);        
}

With this dynamic array we can either display it in our user interface or add it to a textual report (in fact, we do both). Source code for downloading will be added later on.

The Tool

When you start Internet Explorer Credentials Viewer, a split of a second after, you will see a screen similar to this one. All your stored credentials will be displayed.

Further Links

Please visit the Source Forge page of the IE Credentials Viewer tool. 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Michael Haephrati
CEO Secured Globe, Inc.
United States United States
Michael Haephrati, is an entrepreneur, inventor and a musician. Haephrati worked on many ventures starting from HarmonySoft, designing Rashumon, the first Graphical Multi-lingual word processor for Amiga computer. During 1995-1996 he worked as a Contractor with Apple at Cupertino. Worked at a research institute made the fist steps developing the credit scoring field in Israel. He founded Target Scoring and developed a credit scoring system named ThiS, based on geographical statistical data, participating VISA CAL, Isracard, Bank Leumi and Bank Discount (Target Scoring, being the VP Business Development of a large Israeli institute).

During 2000, he founded Target Eye, and developed the first remote PC surveillance and monitoring system, named Target Eye.


Other ventures included: Data Cleansing (as part of the DataTune system which was implemented in many organizations.



You may also be interested in...

Pro
Pro

Comments and Discussions

 
GeneralMy vote of 5 Pin
Hans Flocken30-Jan-17 12:37
memberHans Flocken30-Jan-17 12:37 
GeneralMy vote of 5 Pin
Hans Flocken30-Jan-17 12:36
memberHans Flocken30-Jan-17 12:36 
QuestionUser profiles... Pin
dandy7230-Jan-17 11:02
memberdandy7230-Jan-17 11:02 
AnswerRe: User profiles... Pin
Michael Haephrati30-Jan-17 12:46
professionalMichael Haephrati30-Jan-17 12:46 
GeneralRe: User profiles... Pin
dandy7230-Jan-17 17:05
memberdandy7230-Jan-17 17:05 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.171114.1 | Last Updated 30 Jan 2017
Article Copyright 2017 by Michael Haephrati
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid