Your Password Is… wait for it… NOT Always Encrypted

Mimikatz (Get it here)

Passwords must be stored in memory (RAM) on a computer so that the operating system is able to validate the password entered by a user.  Since information stored in RAM looks something like this…

…. it is not straightforward to find which chunks of 1s and 0s represent a password.  Thankfully some smart people have figured it out for us and created tools to extract passwords from this huge blob of data.

One of those tools is Mimikatz, created by Benjamin Delpy. It can be executed on a live Windows system, against an offline memory dump, or downloaded from a remote site and executed in memory only (very stealthy). Or, as is often the case in pentests, it can be executed via the ever popular Metasploit Meterpreter.

First, we’ll show you how to do this using a Meterpreter session setup between an external machine and an internal target. The Meterpreter command Mimikatz will extract and display the cleartext Windows passwords currently resident in the memory of the target machine.  This may even include cached domain passwords.

 Set up a listener that the target machine can connect back to.

Connect back to the listener.

Establish a meterpreter session.

 Find the process ID of a process running as SYSTEM.

Migrate into the SYSTEM process.

Now, with the privileges of SYSTEM we can ask Meterpreter to read from memory using two simple commands: “load Mimikatz” and “wdigest” and it will dutifully return all the passwords it can find in memory.

Execute Mimikatz.

Using a standalone machine for this test with a dummy account we only see one account credential, but a domain connected machine may yield others.

Mimikatz can also be used against a memory dump, or more specifically, a memory dump of the process that manages access to a Windows system, lsass.exe.  On a Windows Vista and later system you can use the built-in Task Manager to dump the process memory.  On earlier systems you can use the tool procdump fromSysinternals.  You do need administrator privilege for this operation because it reads from memory making this method a bit less useful during a pentest, but still a handy trick to know.

 On newer versions of Windows use Task Manager to dump RAM.

Note where the file is saved.

On older Windows systems use procdump to dump RAM.

Then run Mimikatz and from its interface you again have just two simple commands to pull the passwords from the memory dump.

Load Mimikatz

Point Mimikatz at the dump file and ask for the passwords.

Next, let’s run Mimikatz right on the Windows workstation to extract the passwords that currently reside in memory.  For this test, we are running a Windows 7 fully patched machine that is not joined to a domain.

First download the executable from here.  If you have A/V running it will probably get upset about this download so you will have to allow/whitelist it.

Then just run Mimikatz from the command line and give a couple of commands as shown below.

Execute Mimikatz to extract passwords from a live system (as opposed to a memory dump).

Lastly, let’s use a single PowerShell command to download Mimikatz and run it in memory only (no file saved on disk) and dump the memory resident passwords.  The PowerShell script used for this was created by Joseph Bialek and can be found here.  To run this you will need to open an Administrator command prompt (right-click on cmd.exe and “Run as Administrator”).  Then issue the command that fetches the PowerShell script from a web server and executes it as shown below.

 Run a simple web server to serve up the PowerShell script.

 Start up PowerShell, download and then invoke the Invoke-Mimikatz script.

 Lazagne (Get it here)

Lazagne is a relatively new tool written by Alessandro Zanni that can dump many different passwords found on Windows and Linux/Unix machines.  It is able to extract passwords from web applications that have been saved in browsers as well as mail clients, Wi-Fi configurations, databases, chat clients and more.  If run with Administrator privilege it can also dump Windows password hashes, which can then be cracked or used in pass-the-hash type attacks.

 Just run the executable (as Administrator for better results) to extract passwords

Windows Credential Editor – WCE (Get it here)

WCE is an older but still functional tool designed for system administrators to make password management a bit easier. But of course attackers and pentesters can use this tool, too. It must be run with Administrator privilege, again, not ideal in a pentest but sometimes still possible.

Windows Credential Editor dumps passwords from memory.

Group Policy Preferences – GPP

Up until fairly recently (May 2014 to be exact) there was a feature in Windows called Group Policy Preferences that allowed system administrators to create and manage local administrator accounts on the system under their charge.  This is handy for busy admins because it allows password changes to be done remotely and in bulk.   GPP stored configuration items like the local Administrator account passwords in a file on disk and the actual passwords were encrypted with good, strong AES encryption.  The decryption key for the password was the same for all Windows installations and was accessible to anyone on the Microsoft website.  This means that anyone with access to the GPP file could grab the key from Microsoft and decrypt the passwords contained in the file.  Easy-peasy.  Microsoft patched this in 2014 by removing the option to include password management via the GPP mechanism, however, any old GPP files that existed prior to the patch that were not removed may still contain valid administrator passwords.  We regularly find such files during pentests, and surprisingly the passwords are often still valid!

You can obtain these passwords by finding the files where they are stored and then passing the encrypted strings to the Ruby script gpp-decrypt.  There is also a Metasploit post-exploitation module gpp that will harvest and decrypt in one step.  Both methods are demonstrated in the screenshots below.

Note that read access to these GPP XML files does NOT require elevated privileges.

Command to find files containing encrypted Administrator passwords.

 Decrypt the passwords with a Ruby script found here.

Metasploit’s GPP module will harvest and decrypt the passwords.Hint: Once you know the local Admin credentials, use the Metasploit module smb_login to find out where else on the domain you might be able to use the account.Other ideas for easy winsHere are a few other tips that you just might get lucky with.  Users (and computers) store passwords in some interesting places:

  • Search public data breaches for your domain to find passwords or hashes that have been posted.
  • Look for password files stored on users’ desktops.
  • Check the contents of a user’s clipboard – it might just contain the last cut & paste password.

If you have other ideas for extracting cleartext passwords we would love to hear about them.  Send an email to sally (at) blackhillsinfosec (dot com).  Thanks!