Remotely Recovering Windows Passwords in Plain Text

There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. Why spend hours, days, or months trying to crack a complex password when you can just pull it from Windows memory as unencrypted text?

We have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows Hashes. This is due to the fact that Windows stores these passwords in an easy to crack LM hash. An old encryption used for backwards compatibility. Microsoft allows you to disable the older LM Hash, but as Mike Pilkington discusses on the SANS blog, Microsoft still creates the hash and stores it in memory.

No big deal, just make your passwords 15 characters or greater and problem solved. The LM hash will not be created, only the more secure NTLM hash. Well, not so fast. It seems that the LM hash is not the only version of the passwords Windows keeps in memory, it also keeps a copy of the passwords in plain text.

Which you can even recover remotely… has a great article explaining how to use Mimikatz to recover remote passwords. In this example, I used the website Java attack through the Social Engineering Toolkit (SET) to obtain a remote shell. First thing you will want to do is download Mimikatz and place the files you need (Windows 32 or 64 bit) in a directory on your Backtrack system. Then run SET and pick the website java attack option.

After the target system surfs to our SET webpage and allows the Java code to run, we get a remote shell. After we connect to the created session, we will need to elevate our authority level. We need System level privileges for Mimikatz to work properly, so the first thing to do is run the Bypass UAC script in Meterpreter, and then connect to the newly created session, in this instance session 3:

Now all we need to do is create a directory on the target system and copy the Mimikatz files up to it:

Now we need to drop to a command shell and run “Mimikatz”.

You will now be in the Mimikatz program console and need to enter the commands “privilege::debug” and then “inject::process lsass.exe sekurlsa.dll”:

If you get an error at this point (Yeah I know, it is all in French), you probably don’t have System level authority.

Okay, if all went well, you need to run one last command, “@getLogonPasswords”:

And that is it! The passwords for anyone who has logged onto this machine will be displayed in plain text. From the picture above you can see two users:

Username: Fred
Password: password

Okay, not a complex (or smart) password, but look at the other user:

Username: Secure_User
Password: CvM*901D0?#(Fg[“MNoP43!Ta$cv2%

Wow, wouldn’t want to have to type that one in every day. That is a 30 character password and Mimikatz recovered and displayed it in plain text with no need to decrypt or crack.

The moral of this story boys and girls is to not allow scripts or programs to run from websites that you do not know or trust. Run a browser script blocking program like NoScript. Also, do not allow your Windows 7 users to use Administrator level accounts. Drop them down to User accounts for their everyday usage.

As always, do not access systems that you do not have permission to do so. And always do your penetration testing learning on test machines and not on live production systems.


16 thoughts on “Remotely Recovering Windows Passwords in Plain Text”

  1. Hi, I am sure you are really busy, but I do have a question about this subject. First of all, I am an ordinary woman, who uses my computer mainly for facebook, and, and email, and doing my household budget etc. I am not a cyber dating or gaming person. I am also, only familiar with the computer that I have learned from trial and error, mostly error. LOL…needless to say, I know a lot about a little. Which means I really don’t know if I am working safely or not.. We hear so many scary stories on the TV etc. I run McAffee virus program, and I even get confused with all the things on the computer that say. “Is your computer running slow” “We will check it for free”, then they said it is filled with all these problems that “they can fix for me” for Only a small fee of “who knows how much etc.” But my question is, if I have my virus program running and so forth, why do I need all these other things to ‘check my computer” etc..

    Is there an online class anywhere to teach people like me, some practical understanding of how to use my computer, and what to do for maintaining it nicely, so it could maybe last for a while? Also to teach me how to do the things you are talking about in that story about cracking the password codes etc. so I understand it?

    Thank you, respecfully, sara.

    1. Hi Sara, thank you so much for your excellent comment!

      I talk with my family members about this all the time. It is all so very confusing – you have legit software vendors trying to sell you things you don’t really need, then when installed, ask you a lot of questions assuming everyone is a computer expert in their spare time. Then compounding this, you have hackers that make their services look legit and try to hype or scare you into running them.

      Basically, what I tell my family is this:

      * You need a firewall, especially if you are on a high speed connection
      * If you are using a wireless connection make sure WPA2 security is enabled
      * Allow Windows to download and install updates automatically
      * Allow Java/ Adobe flash & Reader to update automatically
      * Run an AntiVirus – Internet security program and keep it updated
      * Keep your internet browser up to date
      * Use NoScript, don’t allow programs to run from unknown websites
      * Be wary of attachments and links in unsolicited e-mails
      * Surf safely!

      The last point is probably the most important, especially for a home user. Unless you work for a “high value” target (Government, DoD, Research) the chances that a hacker would specifically target you at home is low. The threat then would be spam e-mails, rogue apps and malicious websites. I usually recommend friends use name brand, well known websites – YouTube for videos, Amazon/ B&N for books, etc. Avoid “free” download sites that offer copyrighted material.

      If you have kids, let them know what websites are safe for them to visit. Most viruses that I have dealt with recently were from kids that were looking for free music downloads and movies:

      Just like in real life, be careful. Nobody really gives things away for free, and if it is too good to be true it probably is. 🙂

      Sorry about the long reply, but I hope this helps. If you have any questions at all, feel free to contact me at

    1. I think the UACBypass module was just updated a couple weeks ago. I haven’t tried it yet, but from what I heard it should still work. Have you tried running msfupdate to get the latest modules?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: