Lync Client Password Recovery

I wrote a small tool that dumps all stored passwords for the Microsoft Lync Client that I’d like to share here.

It’s a command-line tool that takes no arguments:

Lync Password Dumper

Have fun with it!

Lync Password Dumper (4072)

Leave a Reply

  1. Great discovery Remko and tool to demonstrate the ease in exploiting this problem.

    As a service to Lync administrators trying to protect against this problem, a solution to this problem is to not allow users to populate their Credential Manager store with their NTLM password. This effectively disarms this issue in the first place, and this tool wouldn’t find the user’s Lync credentials.

    How does an administrator prevent their users from caching their credentials in the Credential Manager? This can be achieved by disabling NTLM authentication on Lync Server. Users would be forced to use Kerberos auth (connected internally only) to obtain a client cert, which can then be used to authenticate to Lync Server using TLS-DSK (internally and externally) instead of their NTLM credentials that get stored in Credential Manager. This client cert’s private key is non-exportable, and therefore would only be usable on that user’s computer.

    How about getting rid of the users’ existing NTLM password that has already been cached in the users’ computer Credential Manager store? The simplest solution is to force the expiration of the users’ password. You would want to do this after enforcing Lync Server to block NTLM auth so that the new password doesn’t get cached again in Credential Manager. The old password will still be in the Credential Manager, but it no longer matters at that point as it would no longer be valid.

    Hope this helps all those Lync administrators trying to figure out a solution to the security problem you’ve discovered.

    Best regards,
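
The order of operations described in this comment, sketched for the Lync Server Management Shell. This is an added example, not part of the original comment or the author's tool. It assumes the Lync and ActiveDirectory PowerShell modules are available, and it touches every proxy configuration and every enabled Lync user, so keep `$Preview` set to `$true` until the reported changes match what you intend.

```powershell
# Added example. Assumptions: run from a Lync Server admin workstation by an
# account that may change Lync proxy settings and reset AD password flags.
Import-Module Lync
Import-Module ActiveDirectory

$Preview = $true   # $true = only report what would change (-WhatIf)

# 1. Record the current client-to-proxy authentication settings so the
#    change can be reviewed and rolled back.
Get-CsProxyConfiguration |
    Select-Object Identity,
                  UseKerberosForClientToProxyAuth,
                  UseNtlmForClientToProxyAuth,
                  UseCertificateForClientToProxyAuth |
    Format-Table -AutoSize

# 2. Block NTLM sign-in while leaving Kerberos and certificate (TLS-DSK)
#    sign-in enabled, for the global and any per-service configuration.
Get-CsProxyConfiguration | ForEach-Object {
    Set-CsProxyConfiguration -Identity $_.Identity `
        -UseNtlmForClientToProxyAuth $false `
        -UseKerberosForClientToProxyAuth $true `
        -UseCertificateForClientToProxyAuth $true `
        -WhatIf:$Preview
}

# 3. Only after step 2: expire the passwords of Lync-enabled users, so the
#    value already cached in Credential Manager stops being valid and the
#    new one is not cached again by an NTLM sign-in.
Get-CsUser -Filter { Enabled -eq $true } | ForEach-Object {
    $adUser = Get-ADUser -Identity $_.SamAccountName -Properties PasswordNeverExpires
    if ($adUser.PasswordNeverExpires) {
        # "Change at next logon" cannot be set on these accounts; list them
        # for manual handling instead of failing halfway through.
        Write-Warning "Skipped (password never expires): $($adUser.SamAccountName)"
    } else {
        Set-ADUser -Identity $adUser -ChangePasswordAtLogon $true -WhatIf:$Preview
    }
}
```
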

  2. Hi,
    How do you recover it? In which file or registry key? I tried to delete my Lync cache (appdata/local/microsoft/communicator) but it still works.


  3. Dear Remko,

    First, I’m really impressed by this discovery because you found it in March 2012.
    I have the same issue at the moment, but I’m really interested in understanding how you decrypted the password.
    As far as I know, the credentials file is encrypted with a SHA hash with a key which is the password of the Windows session.

    Is that true? Or can you decrypt the Lync password from the credentials file with only an NTLM decrypt method?

    Thanks for your reply ^^

  4. Thank you for this, it is a very good tool. lol, it is in the PC but I am too lazy to manually look for it.