Recovering Remote Windows Passwords in Plain Text with WCE

I recently talked about recovering Windows passwords remotely in plain text using “Mimikatz”, but it is not the only program that will do it. One of my favorite security teachers, Professor Sam Bowne at City College of San Francisco, has released a tutorial on using the Windows Credentials Editor (WCE) to do the same thing.

I was following the tutorial and ran into a snag. On my backtrack machine my Metasploit Path is different, though we are using the same version of Backtrack (5r2). So the directories that are mentioned did not exist on my machine.

Basically I followed the tutorial step by step, but on my machine I had to do 2 things differently:

  • I needed to copy the wce.rb Ruby script into the “/opt/metasploit/msf3/scripts/meterpreter” directory.
  • Also, the wce-x86.exe (or wce-x64 if using 64 bit) into the “/opt/metasploit/msf3/data/post” directory.

I am not sure of why the paths are different, maybe because I was using the “Live” bootable version of Backtrack 5r2.

The tutorial functioned flawlessly after that. After obtaining a remote session using Backtrack’s Social Engineering Toolkit, I ran bypassuac to get System level authority and at the meterpreter prompt simply ran wce.rb:

Two strange things that I noticed was that the username for “Secure_User” was cut off, but the long complex password for the user was indeed correctly recovered. But the user “Fred” had no password on this test machine, and WCE mirrored the password for the “Secure_User” account.

Odd, but it did recover the password in plain text.

Mimikatz seems to do a better job at recovering passwords, but WCE is just as easy to use. Both offer other features and functions. I think I like both!

*** Update***

Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted this article. As fast as I could run some tests for him, he created a fix for this.

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without:

Thanks Hernan, awesome job!  🙂

6 thoughts on “Recovering Remote Windows Passwords in Plain Text with WCE”

  1. Hey Dan,

    Long time no see buddy. Sorry it’s been so long, but I’ve been rather busy!

    Great article and very interesting! Just thought I’d add since you noticed you had issues with the path for metasploit in BT5R2

    Depending on the version of BT5 you’re using Gnome or KDE. The path is either /opt/framework3/msf or /opt/framework/msf3.

    Not sure if this was intentional, but it can be a pain if you’re not expecting it or using a different version than the author writing a guide used. I usually just create a symbolic link to whichever path my install doesn’t have

    ln -s /real/path/to/msf /what/you/want/your/link/to/be

    This fixes some cross environment issues with many of the tools (SET has a few of these problems as well).

    Hope all is well with you!

    1. Dangertux!

      Thanks for the info, I really appreciate it. I have to admit, I know Linux as a second language, I am more fluent in my native Windows, lol!

      Miss ya buddy!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: