Remko Weijnen's Blog (Remko's Blog)
About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
I wrote a small tool that dumps all stored password for the Microsoft Lync Client that I’d like to share here.
It’s a commandline tool that takes no arguments:
Have fun with it!
Lync Password Dumper (6121 downloads)
Please consider donating something (even a small amount is ok) to support this site and my work:
Filed under: Lync
Profile
Top Posts
- How rdp passwords are encrypted
- Enable Developer mode on VW Discover Pro with VCDS
- Switch SATA Operation Mode
- ClickOnce Applications in Enterprise Environments
- Running multiple instances of Lync (howto)
- SasLibEx 2.0 Release Announcement
- Wordpress and the Cookie Monster
- VW RNS 510 Navigation Startup Pictures
- RNS 315 Enable Developer Mode
- Patch Windows 2003 Terminal Server to allow more than 2 concurrent sessions
Recent Comments
Featured Downloads
- AClientFix (6788 downloads)
- AddPrinter2.zip (6343 downloads)
- AdProps (6175 downloads)
- AdSample1 (5627 downloads)
- AMD Radeon Crimson ReLive (6599 downloads)
- Atheros Driver (28027 downloads)
- AutoLogonXP 1.0 (5569 downloads)
- CDZA (4441 downloads)
- ChDrvLetter.zip (6081 downloads)
- ChDrvLetter.zip (7371 downloads)
Blogroll
- Andrew Morgan
- Arnout’s blog
- Assa’s Blog
- Barry Schiffer
- Delphi Praxis
- Ingmar Verheij
- Jedi Api Blog
- Jedi API Library
- Jeroen Tielen
- Kees Baggerman
Categories
- .NET (4)
- Active Directory (28)
- Altiris (36)
- App-V (1)
- Apple (5)
- Application Compatibility (11)
- Automotive (5)
- AWS (1)
- BootCamp (1)
- C# (6)
- C++ (2)
- Citrix (87)
- Delphi (61)
- Embedded (4)
- Exchange (16)
- General (71)
- iPhone (5)
- Java (8)
- Linux (1)
- Lync (2)
- NetScaler (1)
- Oracle (4)
- Other (1)
- Packaging (19)
- PowerShell (56)
- Programming (79)
- Quest (1)
- RES (7)
- script (22)
- ShareFile (1)
- SQL Server (10)
- Strange Error (3)
- Terminal Server (68)
- ThinApp (3)
- ThinKiosk (1)
- Ubuntu (1)
- Unattended Installation (19)
- Uncategorized (51)
- UWP (2)
- Vista (37)
- Visual Studio (1)
- VMWare (26)
- Windows 10 (2)
- Windows 2003 (30)
- Windows 2008 (37)
- Windows 2008 R2 (16)
- Windows 2012 (2)
- Windows 7 (30)
- Windows 8 (4)
- Windows Internals (12)
- Windows XP (16)
Archives
- February 2023 (1)
- October 2022 (3)
- July 2022 (1)
- June 2022 (2)
- October 2019 (1)
- March 2018 (1)
- January 2018 (4)
- December 2017 (3)
- April 2017 (1)
- March 2017 (5)
- February 2017 (4)
- May 2016 (3)
- March 2016 (1)
- October 2015 (2)
- September 2015 (1)
- January 2015 (1)
- August 2014 (1)
- July 2014 (8)
- May 2014 (1)
- November 2013 (1)
- October 2013 (2)
- September 2013 (3)
- August 2013 (4)
- June 2013 (2)
- May 2013 (3)
- April 2013 (5)
- March 2013 (5)
- February 2013 (1)
- January 2013 (5)
- December 2012 (9)
- November 2012 (3)
- October 2012 (3)
- August 2012 (4)
- July 2012 (2)
- June 2012 (1)
- May 2012 (6)
- March 2012 (13)
- February 2012 (12)
- January 2012 (9)
- December 2011 (9)
- November 2011 (4)
- October 2011 (5)
- September 2011 (10)
- August 2011 (10)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (14)
- February 2011 (8)
- January 2011 (32)
- December 2010 (23)
- November 2010 (19)
- October 2010 (10)
- September 2010 (6)
- August 2010 (1)
- July 2010 (1)
- June 2010 (6)
- March 2010 (7)
- February 2010 (3)
- December 2009 (3)
- November 2009 (11)
- September 2009 (2)
- July 2009 (1)
- June 2009 (5)
- May 2009 (1)
- April 2009 (2)
- March 2009 (3)
- February 2009 (6)
- January 2009 (3)
- December 2008 (8)
- November 2008 (5)
- October 2008 (3)
- September 2008 (3)
- August 2008 (3)
- June 2008 (6)
- May 2008 (2)
- April 2008 (3)
- March 2008 (5)
- January 2008 (3)
- December 2007 (3)
- November 2007 (13)
- October 2007 (10)
8 Responses for "Lync Client Password Recovery"
Great discovery Remko and tool to demonstrate the ease in exploiting this problem.
As a service to Lync administrators trying to protect against this problem, a solution to this problem is to not allow users to populate their Credential Manager store with their NTLM password. This effectively disarms this issue in the first place, and this tool wouldn’t find the user’s Lync credentials.
How does an administrator prevent their users from caching their credentials in the Credential Manager? This can achieved by disabling NTLM authentication on Lync Server. Users would be forced to use Kerberos auth (connected internally only) to obtain a client cert, which can then be used to authenticate to Lync Server using TLS-DSK (internally and externally) instead of their NTLM credentials that gets stored in Credential Manager. This client cert’s private key is non-exportable, and therefore would only be usable on that user’s computer.
How about getting ride of the users’ existing NTLM password that has already been cached in the users’ computer Credential Manager store? The simplest solution is to force the expiration of the users’ password. You would want to do this after enforcing Lync Server to block NTLM auth so that the new password doesn’t get cached again in Credential Manager. The old password will still be in the Credential Manager, but it no longer matters at that point as it would no longer be valid.
Hope this helps all those Lync administrators trying to figure out a solution to the security problem you’ve discovered.
Best regards,
Rui
Hi,
How do you recover it? in which file or registry key? I tried to delete my lync cache (appdata/local/microsoft/communicator) but it still works.
Thanks,
G.
Ok, founded. It uses Windows vault.
Dear Remko,
First, i’m really impress by this discover because you found it in March 2012.
I have the same issue at the moment but i’m really interested by understand how you done for decrypt the password.
As i know the credentials file is encrypted with a SHA hash with a key which is the password of the Windows session.
Is it true ? Or you can decrypt the Lync password from the credentials file with only NTLM decrypt method ?
Thanks for your reply ^^
Thank you!
thank u for this is very good tool lol is in the pc but too lazy to manualy look for it
Bravo.. its working and found my password/ Thank you so much
Hi,
i want to learn how you did this. is it possible to guide me the process of the tool
Leave a reply