Windows 8 Clear Text Passwords from Locked Desktop with Mimikatz
As a penetration tester, how cool would it be (if you had physical access to a system) to be able to grab the passwords off of a Windows system that was sitting at a locked login prompt? And what if you could get these passwords in plain text?
Well, you can!
I’ve been playing around with Mimikatz again. If you haven’t heard about Mimikatz, it is the amazing program made by Gentil Kiwi that amongst other things has the ability to pull plain text passwords from systems. All you need to do is run the Mimikatz program on the target system and it pulls user information from memory that is normally encrypted and displays it as unencrypted text!
I have shown how to use Mimikatz to pull passwords from a remote machine before, so that is nothing new. And yes, Mimikatz works on Windows 8, and has since pre-release versions of the new OS. But what I was wondering, what if you were a penetration tester that had physical access to a system, could you get passwords off of it from a locked Desktop? You know, an admin or user is using the system and dutifully locks his workstation before leaving for lunch.
If you have physical access to the system, this can be done.
First you need to be able to enable the system level command prompt from the login screen. Called the “Utilman Login Bypass” trick, this enables a pop-up system level prompt by just pressing the “Windows” and “u” key on the keyboard.
Now all we need is a USB drive with Mimikatz installed:
Pick the 32 or 64 bit version, depending on your target OS.
(If you pick the wrong version, Mimikatz still runs, but gives error messages when trying to inject the following .dll file)
Once into the Mimikatz system, you need to run the privilege::debug and inject::process commands as follows:
Okay, if all went well, you need to run one last command, “@getLogonPasswords”:
As you can see it pulled the name of the currently logged in user, “fred” and gives you a dump of the password hashes. These could be used in “Pass the Hash” type attacks to get access to other systems. Or if we want, we can take the LM password hash “3afb772db105b0c8aad3b435b51404ee” and run it through an online password cracker:
The online cracker decodes the LM hash and gives us the user password (in all caps) of FRED.
But there is really no need to try to decode the password hashes, as if you just look at the Mimikatz line below the password hashes you will see the ACTUAL password in plain text (“Fred” in this case).
And as Gentil Kiwi told me once, many Windows 8 Login passwords double as their e-mail passwords. Well, you get the idea…
As I mentioned earlier, you would need to have physical access to the machine, especially to set up the initial Utilman Login Bypass. And again to run Mimikatz. Last time I checked, the login bypass worked on all of Microsoft’s Operating Systems (including Server) so making sure your systems are physically secure is of utmost importance.
If no-one has logged onto the system yet, there are no passwords in memory for Mimikatz to pull. Shut down your system if you will be away for extended times, and install a Power on Password to protect the boot process from being tampered with.
In this demo I used Mimikatz to grab the user’s password, but I could have used it to pull files off of the system, or place my own files onto the computer. Turn off or disable USB ports if unneeded. Some government organizations fill them with glue!
Windows 8 security is much better than Windows 7. It has several new features that help secure it against attacks that worked on the older OS. But physical access attacks still work, and systems need to be hardened to protect against them.
*** Update ***
Just heard from our world traveling friend Gentil Kiwi. He told me, gently, that I was doing it wrong. 🙂
Well, maybe not necessarily wrong, but I am using too many steps that aren’t needed anymore. He has developed a new process that has made it easier, check it out:
Just for your information, your case does not need sekurlsa.dll and DLL injection anymore.
Just use : sekurlsa::logonPasswords or sekurlsa::logonPasswords full
Even “privilege::debug” not needed in your case, because you’re already SYSTEM
Thanks Benjamin, I really appreciate it buddy!