There has been a lot of buzz across the web the last few months about a program called “Mimikatz”. It is an interesting program that allows you to recover Windows passwords from a system in clear text. Why spend hours, days, or months trying to crack a complex password when you can just pull it from Windows memory as unencrypted text?
We have seen in the past that most Windows passwords of fewer than 15 characters can be cracked in just a few seconds if the attacker can get the Windows hashes. This is because Windows stores these passwords as an easy-to-crack LM hash, an old encryption format kept for backwards compatibility. Microsoft allows you to disable the older LM hash, but as Mike Pilkington discusses on the SANS blog, Windows still creates the hash and stores it in memory.
No big deal, just make your passwords 15 characters or longer and the problem is solved. The LM hash will not be created, only the more secure NTLM hash. Well, not so fast. It seems that the LM hash is not the only version of the password Windows keeps in memory; it also keeps a copy of the password in plain text.
Which you can even recover remotely…
Pauldotcom.com has a great article explaining how to use Mimikatz to recover remote passwords. In this example, I used the website Java attack through the Social Engineering Toolkit (SET) to obtain a remote shell. The first thing you will want to do is download Mimikatz and place the files you need (Windows 32 or 64 bit) in a directory on your BackTrack system. Then run SET and pick the website Java attack option.
After the target system surfs to our SET webpage and allows the Java code to run, we get a remote shell. After we connect to the created session, we will need to elevate our authority level. We need System level privileges for Mimikatz to work properly, so the first thing to do is run the Bypass UAC script in Meterpreter, and then connect to the newly created session, in this instance session 3:
Now all we need to do is create a directory on the target system and copy the Mimikatz files up to it:
Now we need to drop to a command shell and run “Mimikatz”.
You will now be in the Mimikatz program console and need to enter the commands “privilege::debug” and then “inject::process lsass.exe sekurlsa.dll”:
If you get an error at this point (Yeah I know, it is all in French), you probably don’t have System level authority.
Okay, if all went well, you need to run one last command, “@getLogonPasswords”:
And that is it! The passwords for anyone who has logged onto this machine will be displayed in plain text. From the picture above you can see two users:
Okay, not a complex (or smart) password, but look at the other user:
Wow, wouldn’t want to have to type that one in every day. That is a 30 character password and Mimikatz recovered and displayed it in plain text with no need to decrypt or crack.
The moral of this story, boys and girls, is to not allow scripts or programs to run from websites that you do not know or trust. Run a browser script-blocking program like NoScript. Also, do not allow your Windows 7 users to use Administrator-level accounts. Drop them down to User accounts for their everyday usage.
As always, do not access systems that you do not have permission to access. And always do your penetration testing learning on test machines and not on live production systems.
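As an added example (not part of the original post), here is the defender's side of the technique above: a small Python script that scans Sysmon ProcessAccess (Event ID 10) records for processes that open lsass.exe with the thread-creation or memory read/write rights the injection step needs. The allowlist, the JSON-lines field layout and the sample records are assumptions constructed for this example.

```python
import json

# Access-right bits from the Win32 process access mask (PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SUSPICIOUS_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist of processes that legitimately open LSASS; tune to your baseline.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with thread/read/write rights."""
    if event.get("EventID") != 10:          # Sysmon ProcessAccess events only
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & SUSPICIOUS_MASK)


def scan(lines):
    """Return (SourceImage, GrantedAccess) for each suspicious JSON-lines record."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if is_suspicious_lsass_access(event):
                hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


# Constructed sample records (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for source, access in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {source} opened lsass.exe with access mask {access}")
```

Only the constructed mimikatz.exe record trips the check; the query-only (0x1000) opens from system processes do not.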
Are you using the password “password” or “123456”? If so congratulations! You are using one of the top two worst and easiest to guess passwords on the internet!
Splashdata creates an annual list of the worst passwords to use on the net and here are the top 10 for 2011:
If you are using any of these or the other 15, change them now.
This is very interesting, but how does this compare to lists that have been released from actual hacker attacks? Surely no one would use ‘password’ or ‘123456’ as a password in real life. Or would they?
Last year the Wall Street Journal released a list of the top 50 passwords pulled from the Gawker Media hack. Gawker Media runs numerous websites, including the popular Lifehacker and Gizmodo sites. The hackers publicly posted a list of user names, e-mail addresses, and, you guessed it, passwords.
The top 10?
And if we expand the Gawker password list to include 12 – 14 we also get:
Do you see any passwords that match between those two lists? How about most of them…
The majority of these make sense, common keys next to each other, and common phrases, but what is up with “monkey” and “dragon”?
The best bet when creating a strong password is to use a long complex sequence of upper and lowercase letters, numbers and symbols. Something like:
Also, don’t use the same password for several sites, or use your work passwords at home. Using complex passwords will go a long way in securing your online activities.
I had to laugh at the SANS security tip for the day, “Don’t share your password, even with an assistant or close coworker”. It brought back some interesting memories.
For about 17 years I have provided onsite technical support for financial companies, healthcare facilities, government offices, law enforcement, and technology companies.
Many times we would be involved with system upgrades, software upgrades or troubleshooting and needed access to a computer where the user was not there.
Countless times over the years, helpful co-workers who, seeing that I was stuck at a login prompt, approached and offered me the missing user’s password. No questions asked about who I was, or what I was doing.
Just, “Oh, Fred is out today, he keeps his password taped to the bottom of his chair next to the gum”. Or, “Joan keeps her passwords in a notebook in her top right drawer, next to the payroll data, I’ll get the key”. (Names changed to protect the innocent)
Okay, those were hypothetical examples, but the funniest I can remember that actually happened was in an Engineering department of a large manufacturing company. The user was out on vacation, but that didn’t stop the helpful co-workers. “Oh he uses this name and then just adds random numbers at the end”, said the engineer that sat in the same office.
“No”, another engineer said as he was walking by, “He does use that name, but he uses an incremental number afterwards, starting with one and increments it each time he has to change his password. He is at 10 now”.
“No, I think he is at 8 now,” another engineer said as he walked into the office. “No, that was a few months ago,” the second engineer said. “Just ask Mark, he would know…” So another engineer comes in and says, “Thirteen, he was definitely at thirteen.”
It seemed like everyone in the area knew something about the missing user’s password. I was also amazed at how well sound seemed to travel in this department, as there were now four engineers standing in the little office.
I asked the user about this the next day when he was back from vacation. “Oh, I let everyone use my computer.” I had a replacement hard drive for the machine and asked if he had any data on the drive he needed saved. “Oh, goodness yes, I have a lot of CAD drawings I saved locally, important e-mails and also personal files on there…”
Most corporate security policies and regulations nowadays require you to keep your password confidential. But many users don’t. In the SANS tip of the day, a disgruntled worker who knew the password of another user deleted data from the PC before she quit.
I have also heard of cases where people walked away from PCs while they were logged in and another user came along and used the computer to access restricted information.
What can be done to avoid these kinds of issues? Verify the authenticity of support personnel before giving them your password. Do not share your password with co-workers, or place your password in obvious places, like a sticky note on your monitor or under your keyboard. Also, lock your workstation before you walk away from it, even if you think you will only be gone for a short while.
On most Windows systems you can lock the system by hitting the Windows key and the “L” key at the same time. This will bring up a login box but keep your programs running in the background. If this does not work on your system, log out of any confidential systems or sign off the system completely, following whichever procedure your company security policy recommends.