Your Password Is… wait for it… NOT Always Encrypted
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
As pentesters we LOVE passwords – they come in all shapes and sizes. A good password has 16+ characters and a mix of case, digits and special characters so that a computer would require many years to brute force it. Even though these passwords may be difficult to crack, it turns out that they are readily accessible and unencrypted when you know where to look. Using a password to login to a system may not seem like the sexiest of hacks, but we can provide great value to the customer by demonstrating to an organization just how easy it is to find and use passwords to do some serious damage in a pentest. Below is a brief description of some of the quick and easy ways that we harvest passwords to use during a penetration test – including screenshots so you can try this too! And remember that many users reuse their passwords so these harvested passwords may unlock other accounts as well. Oh – and if you really want to spoil our fun, implement two-factor authentication. It is one of the only ways to defeat (or at least slow down) this type of attack.
Mimikatz (Get it here)
Passwords must be stored in memory (RAM) on a computer so that the operating system is able to validate the password entered by a user. Since information stored in RAM looks something like this…
…. it is not straightforward to find which chunks of 1s and 0s represent a password. Thankfully some smart people have figured it out for us and created tools to extract passwords from this huge blob of data.
One of those tools is Mimikatz, created by Benjamin Delpy. It can be executed on a live Windows system, against an offline memory dump, or downloaded from a remote site and executed in memory only (very stealthy). Or, as is often the case in pentests, it can be executed via the ever popular Metasploit Meterpreter.
First, we’ll show you how to do this using a Meterpreter session setup between an external machine and an internal target. The Meterpreter command Mimikatz will extract and display the cleartext Windows passwords currently resident in the memory of the target machine. This may even include cached domain passwords.
Set up a listener that the target machine can connect back to.
Connect back to the listener.
Establish a meterpreter session.
Find the process ID of a process running as SYSTEM.
Migrate into the SYSTEM process.
Now, with the privileges of SYSTEM we can ask Meterpreter to read from memory using two simple commands: “load Mimikatz” and “wdigest” and it will dutifully return all the passwords it can find in memory.
Execute Mimikatz.
Using a standalone machine for this test with a dummy account we only see one account credential, but a domain connected machine may yield others.
Mimikatz can also be used against a memory dump, or more specifically, a memory dump of the process that manages access to a Windows system, lsass.exe. On a Windows Vista and later system you can use the built-in Task Manager to dump the process memory. On earlier systems you can use the tool procdump from Sysinternals. You do need administrator privilege for this operation because it reads from memory making this method a bit less useful during a pentest, but still a handy trick to know.
On newer versions of Windows use Task Manager to dump RAM.
Note where the file is saved.
On older Windows systems use procdump to dump RAM.
Then run Mimikatz and from its interface you again have just two simple commands to pull the passwords from the memory dump.
Load Mimikatz
Point Mimikatz at the dump file and ask for the passwords.
Next, let’s run Mimikatz right on the Windows workstation to extract the passwords that currently reside in memory. For this test, we are running a Windows 7 fully patched machine that is not joined to a domain.
First download the executable from here. If you have A/V running it will probably get upset about this download so you will have to allow/whitelist it.
Then just run Mimikatz from the command line and give a couple of commands as shown below.
Execute Mimikatz to extract passwords from a live system (as opposed to a memory dump).
Lastly, let’s use a single PowerShell command to download Mimikatz and run it in memory only (no file saved on disk) and dump the memory resident passwords. The PowerShell script used for this was created by Joseph Bialek and can be found here. To run this you will need to open an Administrator command prompt (right-click on cmd.exe and “Run as Administrator”). Then issue the command that fetches the PowerShell script from a web server and executes it as shown below.
Run a simple web server to serve up the PowerShell script.
Start up PowerShell, download and then invoke the Invoke-Mimikatz script.
Lazagne (Get it here)
Lazagne is a relatively new tool written by Alessandro Zanni that can dump many different passwords found on Windows and Linux/Unix machines. It is able to extract passwords from web applications that have been saved in browsers as well as mail clients, Wi-Fi configurations, databases, chat clients and more. If run with Administrator privilege it can also dump Windows password hashes, which can then be cracked or used in pass-the-hash type attacks.
Just run the executable (as Administrator for better results) to extract passwords
Windows Credential Editor – WCE (Get it here)
WCE is an older but still functional tool designed for system administrators to make password management a bit easier. But of course attackers and pentesters can use this tool, too. It must be run with Administrator privilege, again, not ideal in a pentest but sometimes still possible.
Windows Credential Editor dumps passwords from memory.
Group Policy Preferences – GPP
Up until fairly recently (May 2014 to be exact) there was a feature in Windows called Group Policy Preferences that allowed system administrators to create and manage local administrator accounts on the system under their charge. This is handy for busy admins because it allows password changes to be done remotely and in bulk. GPP stored configuration items like the local Administrator account passwords in a file on disk and the actual passwords were encrypted with good, strong AES encryption. The decryption key for the password was the same for all Windows installations and was accessible to anyone on the Microsoft website. This means that anyone with access to the GPP file could grab the key from Microsoft and decrypt the passwords contained in the file. Easy-peasy. Microsoft patched this in 2014 by removing the option to include password management via the GPP mechanism, however, any old GPP files that existed prior to the patch that were not removed may still contain valid administrator passwords. We regularly find such files during pentests, and surprisingly the passwords are often still valid!
You can obtain these passwords by finding the files where they are stored and then passing the encrypted strings to the Ruby script gpp-decrypt. There is also a Metasploit post-exploitation module gpp that will harvest and decrypt in one step. Both methods are demonstrated in the screenshots below.
Note that read access to these GPP XML files does NOT require elevated privileges.
Command to find files containing encrypted Administrator passwords.
Decrypt the passwords with a Ruby script found here.
Metasploit’s GPP module will harvest and decrypt the passwords.Hint: Once you know the local Admin credentials, use the Metasploit module smb_login to find out where else on the domain you might be able to use the account.Other ideas for easy winsHere are a few other tips that you just might get lucky with. Users (and computers) store passwords in some interesting places:
- Search public data breaches for your domain to find passwords or hashes that have been posted.
- Look for password files stored on users’ desktops.
- Check the contents of a user’s clipboard – it might just contain the last cut & paste password.
If you have other ideas for extracting cleartext passwords we would love to hear about them. Send an email to sally (at) blackhillsinfosec (dot com). Thanks!
References
- http://metasploit.com/modules/post/windows/gather/credentials/gpp
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- http://www.ampliasecurity.com/research/windows-credentials-editor/
- www.metasploit.com
- https://github.com/gentilkiwi/releases/tag/2.0.0-alpha-20160112
- https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
- https://download.sysinternals.com/files/Procdump.zip
- https://github.com/AlessandroZ/LaZagne
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand
DFIR_Zach
May 23, 2016 @ 11:07 am
Also to mention, using Volatility (mimikats plugin) against a live or dead box memory image will also give you the plaintext passwords of all users.
Sally
May 23, 2016 @ 12:08 pm
Good point DFIR_Zach! While not too common to find full ram images during a pentest…it could happen. As DFIR_Zach notes, Volatility also has incorporated a Mimikatz plugin to extract cleartext passwords from a full memory image. Volatility’s Mimikatz plugin could be tried on a live system as well if for some reason standalone Mimikatz could not be installed although it would require Python to be on the box. Thanks!