Recovering Clear Text Passwords – Updates

I recently wrote articles on both Mimikatz and WCE, two programs that can recover passwords from Windows-based systems in clear text. There have been some updates for both, and I just wanted to pass them along.

Mimikatz:

Benjamin Delpy, aka ‘gentilkiwi’, recently spoke at the Positive Hack Days security conference in Moscow. At the conference our friend discussed a new version of Mimikatz, one that exploits a weakness in the LiveSSP provider and allows the viewing of Windows Live passwords from Windows 8 systems!

The Mimikatz program and a copy of the PH Days presentation slides can be found at the Gentilkiwi website.

Windows Credentials Editor

When I wrote about WCE last, I noticed that for some reason the output didn’t seem right for accounts that did not have passwords. WCE seemed to mirror a password from another account when a password was not present.

Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted the article. As fast as I could run some tests for him on my configuration, he created a fix for this. The delay between the original article and the fix was completely on me. Hernan was amazing!

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without, as you can see in the screenshot below:

Secure_User has the insane password, the user George went the bad route and used his first name as a password, and Fred chose worse, as he used no password at all. And of course all three are administrator accounts. Good thing this is just a test Virtual Machine!  🙂

WCE can be obtained from Amplia Security.

The talent that both Benjamin and Hernan have is just amazing. Though I have dabbled with programming since I was a kid, (okay I suck at it!) these guys are just on a whole different level.

Thanks so much for your work!

Officials confirm, Stuxnet was a US-Israel Creation

We have met the creator of Stuxnet, and the creator is us…

US, Israeli and European officials confirm that Stuxnet was part of an ever-increasing program of computer attacks against Iran to slow or stop its nuclear ambitions.

According to an article on the New York Times:

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.

Really no shocker here, most assumed that it was US and Israel backed. Now we know for sure. According to The Register, members of Israel’s ultra cool Unit 8200 and our cyber ninjas at the NSA worked together to create the cyberweapon Stuxnet.

The Times article hints that the cyber attacks were intended to slow down Iran’s progress on obtaining nuclear weapons and satisfy Israel so it would not carry out a physical strike, which could lead to a destabilized Middle East.

But one has to ask: if they knew the attacks would only delay Iran from obtaining nukes, why do this at all? Iran seemed determined to obtain nuclear weapons. What would be gained by delaying them another year or so?

I am curious if this is why key members of Iran’s nuclear program are being and have been assassinated. Knowing that Stuxnet was only a temporary fix, someone (apparently Israel) is taking further steps to hamstring Iran’s nuclear ambitions.