Remotely Recovering Windows Passwords in Plain Text

There has been a lot of buzz across the web over the last few months about a program called "Mimikatz". It is an interesting tool that recovers the passwords of logged-on Windows users in clear text, straight out of the memory of the LSASS process. Why spend hours, days, or months trying to crack a complex password when you can just read it from Windows memory as unencrypted text?

We have seen in the past that most Windows passwords of fewer than 15 characters can be cracked in a few seconds once an attacker has the Windows hashes. This is because Windows stores, alongside the NT hash, an LM hash: a legacy DES-based format kept for backwards compatibility that folds the password to upper case and hashes each 7-character half independently, which makes it trivial to crack. Microsoft lets you disable the older LM hash, but as Mike Pilkington discusses on the SANS blog, LSASS still computes the hash at logon and keeps it in memory.

No big deal, then: make your passwords 15 characters or longer and the problem is solved. The LM hash cannot be created for a password that long, leaving only the stronger NT hash. Well, not so fast. The LM hash is not the only form of the password that Windows keeps in memory: LSASS also holds the password itself, encrypted with keys that live in the same process, which is as good as plain text to anyone who can read that memory.

Which you can even recover remotely…

Pauldotcom.com has a great article explaining how to use Mimikatz to recover passwords remotely. In this example, I used the website Java applet attack in the Social Engineering Toolkit (SET) to obtain a remote shell. First, download Mimikatz and place the files you need (the 32-bit or 64-bit Windows build, matching the target's architecture) in a directory on your BackTrack system. Then run SET and pick the website Java attack option.

After the target system browses to our SET web page and allows the Java code to run, we get a remote shell. Once we connect to the created session, we need to elevate our privilege level. Mimikatz needs an elevated token (SYSTEM, or at least a full administrator token rather than a UAC-restricted one) so that it can obtain the debug privilege required to reach lsass.exe. So the first thing to do is run the Bypass UAC module in Meterpreter against the session, and then connect to the newly created elevated session, in this instance session 3:

Now all we need to do is create a directory on the target system and upload the Mimikatz files to it:

Next we drop to a command shell and run Mimikatz.

You will now be in the Mimikatz console. Enter "privilege::debug" (which requests SeDebugPrivilege for the Mimikatz process) and then "inject::process lsass.exe sekurlsa.dll" (which loads the sekurlsa module into the LSASS process):

If you get an error at this point (yes, I know, it is all in French), you probably do not have the required privileges: "privilege::debug" fails without SeDebugPrivilege, and the injection will also fail if the Mimikatz build you uploaded does not match the bitness of lsass.exe.

Okay, if all went well, you need to run one last command, "@getLogonPasswords":

And that is it! The passwords of everyone who has logged on to this machine since it booted, and whose logon session LSASS still holds, are displayed in plain text. In the picture above you can see two users:

Username: Fred
Password: password

Okay, not a complex (or smart) password, but look at the other user:

Username: Secure_User
Password: CvM*901D0?#(Fg["MNoP43!Ta$cv2%

Wow, you wouldn't want to have to type that one in every day. That is a 30-character password, and Mimikatz recovered and displayed it in plain text with no decrypting or cracking on our part.

The moral of this story, boys and girls, is not to allow scripts or programs to run from websites that you do not know or trust. Run a browser script-blocking add-on like NoScript. Also, do not give your Windows 7 users Administrator-level accounts for everyday use; the UAC bypass used above only works from an account that is already an administrator. Drop them down to standard User accounts for their daily work.

As always, do not access systems that you do not have permission to access. And always do your penetration testing learning on test machines, never on live production systems.

LM Hash flaw: Windows Passwords Under 15 Characters Easy to Crack

Solid-state-drive (SSD) based cracking programs have been a hot topic over the past few years. They are fast, very fast. I did an article a while back on using SSD-based lookup tables to crack 14-character Windows passwords in 5 seconds.

The blazing speed is possible because of the way the LM hash is built. Windows stores it alongside the stronger NT hash, and it folds the password to upper case, caps it at 14 characters and hashes each 7-character half independently, so a lookup table only has to cover a 7-character keyspace. LM hashes can be cracked with SSD-based tables in about 5 seconds. The NT hash covers the whole password, case and all, and can take significant time to crack. The solution, then, seems simple: disable LM password hashing.

Sounds simple, doesn't it? Well, the problem is that it does not fully work. Even when you tell Windows not to store the less secure LM hash of the password, it still computes one.

Mike Pilkington posted an exceptional article today on this at the SANS Computer Forensics Blog. In his article, "Protecting Privileged Domain Accounts: LM Hashes — The Good, the Bad, and the Ugly", Mike shows that even when Windows policy is set to disable LM hashes, the hashes are still created.

The interesting thing is that the weaker hashes are indeed absent from the SAM stored on the hard drive. But when a user logs on, LSASS has the plain-text password in hand and re-creates the LM hash in memory, keeping it alongside the NT hash.

According to Mike's article, the LM hash can then be pulled from active RAM with the Windows Credential Editor (WCE).

What is the solution, then? Make your passwords at least 15 characters. The LM algorithm only handles passwords of 14 characters or fewer, so for a longer password Windows cannot create the weaker hash at all; it stores the fixed empty-password value (aad3b435b51404eeaad3b435b51404ee) in the LM field instead. That constant is also how you can tell, from a hash dump, which accounts still carry a real, crackable LM hash.
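To see how the five-second table lookup and the 15-character cure hang together, here is an added Go example; it is not part of the original article or of any tool the article mentions. It computes the LM hash the way LSASS does, using Go's standard-library DES, and then scans a constructed pwdump-style listing for accounts whose LM field holds something other than the empty-password sentinel. The usernames come from the article; the RIDs, the listing itself and Secure_User's NT field are made up for the example, while the LM and NT hashes of "password" and the sentinel are standard test values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// LM encrypts this fixed 8-byte plaintext with each 7-byte password half as a
// DES key; the two ciphertexts, concatenated, are the LM hash.
var lmMagic = []byte("KGS!@#$%")

// EmptyLM is the LM hash of the empty password: DES of lmMagic under an
// all-zero key, twice. Windows stores this same value when the password is
// longer than 14 characters, so it doubles as the "no LM hash" sentinel.
const EmptyLM = "aad3b435b51404eeaad3b435b51404ee"

// lmKey spreads 7 password bytes over the high 7 bits of 8 DES key bytes and
// sets each low bit to odd parity. Go's crypto/des ignores the parity bits,
// but other DES implementations may check them, so keep the key canonical.
func lmKey(half []byte) []byte {
	var acc uint64
	for _, b := range half {
		acc = acc<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		k := byte(acc>>uint(49-7*i)) & 0x7F
		parity := byte(1 - bits.OnesCount8(k)%2) // total bit count must be odd
		key[i] = k<<1 | parity
	}
	return key
}

// LMHash returns the hex LM hash of password: fold to upper case, cut or
// zero-pad to exactly 14 bytes, split into two independent 7-byte halves and
// DES-encrypt lmMagic under each. A password longer than 14 characters gets no
// LM hash at all and yields the EmptyLM sentinel, as Windows does.
func LMHash(password string) string {
	// strings.ToUpper approximates Windows' OEM code page case folding; the
	// two agree for ASCII passwords.
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		return EmptyLM
	}
	p = append(p, make([]byte, 14-len(p))...)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, err := des.NewCipher(lmKey(p[7*i : 7*i+7]))
		if err != nil {
			panic(err) // unreachable: the key is always 8 bytes
		}
		c.Encrypt(out[8*i:], lmMagic)
	}
	return hex.EncodeToString(out)
}

// AccountsWithLMHash scans pwdump-style lines ("user:rid:LM:NT:::") and
// returns the users whose LM field holds a real hash rather than the EmptyLM
// sentinel: exactly the accounts the fast table lookup applies to.
func AccountsWithLMHash(dump string) []string {
	var users []string
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 4 || f[0] == "" {
			continue
		}
		lm := strings.ToLower(f[2])
		if _, err := hex.DecodeString(lm); err == nil && len(lm) == 32 && lm != EmptyLM {
			users = append(users, f[0])
		}
	}
	return users
}

// SampleDump builds a constructed pwdump-style listing for the two users in
// the article. RIDs are invented; the LM fields come from LMHash above; Fred's
// NT field is the real NT hash of "password", Secure_User's is a placeholder.
func SampleDump() string {
	long := `CvM*901D0?#(Fg["MNoP43!Ta$cv2%` // the 30-character password from the article
	return strings.Join([]string{
		"Fred:1001:" + LMHash("password") + ":8846f7eaee8fb117ad06bdd830b7586c:::",
		"Secure_User:1002:" + LMHash(long) + ":00000000000000000000000000000000:::",
	}, "\n")
}

func main() {
	// "password" and "PaSsWoRd" print e52cac67419a9a224a3b108f3fa6cb6d (case is lost);
	// "passwor" prints e52cac67419a9a22aad3b435b51404ee (second half is empty: the
	// hash itself reveals the password is at most 7 characters);
	// "" and the 30-character password both print the EmptyLM sentinel.
	for _, pw := range []string{"password", "PaSsWoRd", "passwor", "", `CvM*901D0?#(Fg["MNoP43!Ta$cv2%`} {
		fmt.Printf("%-34q -> %s\n", pw, LMHash(pw))
	}
	fmt.Println("accounts with a crackable LM hash:", AccountsWithLMHash(SampleDump())) // [Fred]
}
```

The point of the split into halves is visible in the output: "passwor" and "password" share their first eight hex digits, so each half can be attacked on its own, and a half that is all padding shows up as the constant aad3b435b51404ee. Run AccountsWithLMHash over a real dump from your own systems to find the accounts that still need a 15-character password.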

Why would Windows do this? Some older clients and applications still authenticate with the LM challenge-response, so Windows most likely keeps the hash in memory for backwards compatibility even when you have told it not to store it on disk.

For more information, check out Mike’s article.