Tuesday, May 5, 2015

Dumping user passwords in plaintext on Windows 8.1 and Server 2012

Couple of days back, I read this very interesting post on the TrustedSec's blog. According to the post,  it is possible to dump passwords in plain from Windows 8.1 with a simple Registry hack. All we need to do is:

1. Create the registry key property "UseLogonCredential" at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and set its value to 1.
2. Lock the target computer.
3. Run Mimikatz when a user logs in.

Simple, isn't it? We can use PowerShell to easily achieve the above steps. 

Registry key property can be created with:
The target computer can be locked with the code found here (Thanks @subTee) :
The computer unlock event can be captured with (Thanks @mattifestation) :

Above could be assembled in a PowerShell script for easy use. Let me give you Invoke-MimikatzWdigestDowngrade.ps1. The name is too long for a single script but I like it :) It uses Invoke-Mimikatz from PowerSploit (thanks to @JoesphBialek and @gentilkiwi for that). Invoke-MimikatzWdigestDowngrade is available here in the github repo of Nishang.

Here is the script in action on a Windows Server 2012:

Without the downgrade, Invoke-Mimikatz on a Server 2012 machine looks like this:

And with Invoke-MimikatzWdigestDowngrade (AFTER the user unlocks the machine):
Bingo! We successfully dumped user password in plain.

Notice that the event trigger started a job and we may need to use Get-Job | Recieve-Job cmdlets to see the output.

Below video shows the script in action:

For access to the remote machine, I used PowerShell shells like Powercat and couple of custom PowerShell shells which I will publish soon. 
Unfortunately, in my tests, the script doesn't work from PowerShell remoting and meterpreter. As far as I know, inability to run scripts in user context is the reason for failure in PowerShell remoting. But I am unaware of why it is not working with meterpreter.

This is one of the various examples where PowerShell enahnces a penetration test by combining various simple techniques together. Knowing PowerShell is crucial for better security testing from both red team's and blue team's perspective.  

Things to note/Meh! :

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

1 comment:

  1. https://www.k33bz.com/blog/2015/05/06/rt-n1tr0g3n_com-dumping-user-passwords-in-plaint/