A couple of days back I read a very interesting post on TrustedSec's blog. According to the post, it is possible to dump passwords in plaintext from Windows 8.1 with a simple Registry hack. All we need to do is:
1. Create the registry value "UseLogonCredential" (a DWORD) under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and set it to 1.
2. Lock the target computer. The value only affects logons that happen after it is set, so the user has to supply the password again for WDigest to cache it.
3. Run Mimikatz when the user logs in (unlocks the machine).
Simple, isn't it? Each of these steps is easy to achieve with PowerShell.
The registry value can be created with:
The target computer can be locked with the code found here (thanks @subTee):
The unlock event can be captured with (thanks @mattifestation):
The above can be assembled into a PowerShell script for easy use. Let me give you Invoke-MimikatzWdigestDowngrade.ps1. The name is too long for a single script, but I like it :) It uses Invoke-Mimikatz from PowerSploit (thanks to @JosephBialek and @gentilkiwi for that). Invoke-MimikatzWdigestDowngrade is available here in the github repo of Nishang.
Here is the script in action on a Windows Server 2012:
Without the downgrade, Invoke-Mimikatz on a Server 2012 machine looks like this:
And with Invoke-MimikatzWdigestDowngrade (AFTER the user unlocks the machine):
Bingo! We successfully dumped the user's password in plaintext.
Notice that the event trigger starts a job, so we may need the Get-Job | Receive-Job cmdlets to see the output.
Below video shows the script in action:
For access to the remote machine, I used PowerShell shells like Powercat and a couple of custom PowerShell shells which I will publish soon.
Unfortunately, in my tests, the script doesn't work from PowerShell remoting or Meterpreter. As far as I know, the inability to run scripts in the user's context is the reason for the failure with PowerShell remoting, but I am unaware of why it is not working with Meterpreter.
This is one of many examples where PowerShell enhances a penetration test by combining simple techniques. Knowing PowerShell is crucial for better security testing from both the red team's and the blue team's perspective.
Things to note/Meh! :
- This script makes changes to the target by adding a registry value; the setting is removed after the script finishes. Administrative privileges are required.
- User interaction is required, as it is the user who unlocks the machine. Invoke-CredentialsPhish can be used as well - https://github.com/samratashok/nishang/blob/master/Gather/Invoke-CredentialsPhish.ps1
- We are forcing a machine lock on the user. Really noisy and suspicious.
- Once the user has logged on with the value set, the credentials stay available in plaintext via WDigest for the entire length of the current session.
- There are surely other ways of doing this: https://twitter.com/gentilkiwi/status/594159340338151424
- A better version of this code would be out soon. I will update this code accordingly. https://twitter.com/subTee/status/594374626194534400
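For the blue-team side of the same setting, here is an added audit-and-remediate example; it is not code from the post or from Nishang. It relies on two facts the post does not state: on Windows 8.1 / Server 2012 R2 and later an absent UseLogonCredential value means plaintext caching is off, while on Windows 7/8/2008 R2/2012 with KB2871997 installed caching is only off when the value is explicitly 0. The function names are this example's own.

```powershell
# Added blue-team example (not from the original post): report whether WDigest is
# caching plaintext credentials on this host and set the safe value if it is.
# Assumptions: run elevated; Get-CimInstance is available (PowerShell 3+).
$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestCachingState {
    $value = (Get-ItemProperty -Path $WDigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    # 6.3 = Windows 8.1 / Server 2012 R2: the first versions where "absent" means off.
    # Older versions patched with KB2871997 still cache unless the value is explicitly 0.
    $secureDefault = $osVersion -ge [version]'6.3'

    $cached = if ($null -eq $value) { -not $secureDefault } else { $value -ne 0 }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $osVersion.ToString()
        UseLogonCredential = $value          # $null when the value does not exist
        PlaintextCached    = $cached
    }
}

function Disable-WDigestCaching {
    # An explicit 0 is the safe setting on every version, patched or not
    New-ItemProperty -Path $WDigestPath -Name UseLogonCredential -Value 0 -PropertyType DWord -Force | Out-Null
    # Only logons after this point are affected; anything already cached stays in
    # LSASS for the rest of the session, so a reboot is needed to flush it.
}

$state = Get-WDigestCachingState
$state | Format-List
if ($state.PlaintextCached) {
    Write-Warning "WDigest plaintext caching is enabled on $($state.ComputerName); setting UseLogonCredential to 0."
    Disable-WDigestCaching
}
```

Since the attack in this post consists of flipping exactly this value to 1, a write to UseLogonCredential on a host where it was absent or 0 is itself the thing worth alerting on; the audit above tells you where the value currently stands.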
If you liked the post and want to learn more and/or want to support my research and work, join me for a two-day training, "PowerShell for Penetration Testers", at:
NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Hack In Paris, Paris (June 16-17th) - https://www.hackinparis.com/training-2015-powershell-for-penetration-testers
https://www.k33bz.com/blog/2015/05/06/rt-n1tr0g3n_com-dumping-user-passwords-in-plaint/