Recovering Clear Text Passwords – Updates

I recently wrote articles on both Mimikatz and WCE, two programs that can recover passwords from Windows based systems in clear text. There have been some updates for both, and I just wanted to pass them along.


Benjamin Delpy, aka ‘gentilkiwi’, recently spoke at the Positive Hack Days security conference in Moscow. At the conference our friend discussed a new version of Mimikatz, one that exploits a weakness in the LiveSSP provider and allows the viewing of Windows Live passwords from Windows 8 systems!

The Mimikatz program and a copy of the PH Days presentation slides can be found at the Gentilkiwi website.

Windows Credentials Editor

When I wrote about WCE last, I noticed that for some reason the output didn’t seem right for accounts that did not have passwords. WCE seemed to mirror a password from another account when a password was not present.

Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted the article. As fast as I could run some tests for him on my configuration, he created a fix for this. The delay between the original article and the fix was completely on me. Hernan was amazing!

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without, as you can see in the screenshot below:

Secure_User has the insane password, the user George went the bad route and used his first name as a password, and Fred chose worse, as he used no password at all. And of course all three are administrator accounts. Good thing this is just a test Virtual Machine!  🙂

WCE can be obtained from Amplia Security.

The talent that both Benjamin and Hernan have is just amazing. Though I have dabbled with programming since I was a kid (okay, I suck at it!), these guys are just on a whole different level.

Thanks so much for your work!

Hakin9 Exploiting Software, May Issue – Buffer Overflow

Hakin9 IT Security Magazine has just released its May issue of Exploiting Software, “Buffer Overflow”.

This month’s magazine features the article “Recovering Passwords and Encrypted Data Remotely in Plain Text” written by yours truly. In this article, I talk about recovering remote Windows passwords in plain text using both Mimikatz and WCE.

I also talk about the dangers that online attacks can present to file encryption. I show how a Java based online attack can easily bypass the encryption and recover encrypted files in readable form. Even though a file was protected by whole disk encryption and the file itself was encrypted by a separate program, I was easily able to remotely read and download the file with no problems.

Craig Wright also continues his excellent series with an article on Extending Control, API Hooking. In API hooking, the malicious code is used to vary the library function calls and returns by replacing the valid function calls with one of the attacker’s choosing. The article follows on from previous articles and goes into some of the fundamentals that you will need in order to understand the shellcode creation process, how to use Python as a launch platform for your shellcode, and what the various system components are.

This article includes a section on functions and calls, extends DLL injection, and then moves to the actual API hooking process (which will be extended in coming articles). With these skills you will have the foundations for creating shellcode for exploits and hence an understanding of the process that penetration testers and hackers use in exploiting systems. You will see how it is possible to either create your own exploit code from scratch or to modify existing exploit code, either to add functionality or to bypass signature based IDS/IPS filters.

Also in this issue:

  • The Basics Of Buffer Overflow, Fuzzing and Exploitation By Richer Dinelle
  • Exploit a Software with Buffer Overflow Vulnerability and Bypassing ASLR Protection By Ahmed Sherif El-Demrdash
  • Danger of Man in the Middle Attacks to Modern Life By Wong Chon Kit
  • E-mail Spam Filtering and Natural Language Processing By Yufan Guo
  • Security Communication and Why You Should Trundle By Dean Bushmiller
  • Overriding Function Calls in Linux By Umair Manzoor

Check it out!

Recovering Remote Windows Passwords in Plain Text with WCE

I recently talked about recovering Windows passwords remotely in plain text using “Mimikatz”, but it is not the only program that will do it. One of my favorite security teachers, Professor Sam Bowne at City College of San Francisco, has released a tutorial on using the Windows Credentials Editor (WCE) to do the same thing.

I was following the tutorial and ran into a snag. On my Backtrack machine my Metasploit path is different, though we are using the same version of Backtrack (5r2). So the directories that are mentioned did not exist on my machine.

Basically I followed the tutorial step by step, but on my machine I had to do two things differently:

  • I needed to copy the wce.rb Ruby script into the “/opt/metasploit/msf3/scripts/meterpreter” directory.
  • I also needed to copy wce-x86.exe (or wce-x64 if using 64 bit) into the “/opt/metasploit/msf3/data/post” directory.

I am not sure why the paths are different; maybe it is because I was using the “Live” bootable version of Backtrack 5r2.

The tutorial functioned flawlessly after that. After obtaining a remote session using Backtrack’s Social Engineering Toolkit, I ran bypassuac to get System level authority and at the meterpreter prompt simply ran wce.rb:

Two strange things that I noticed were that the username for “Secure_User” was cut off, but the long complex password for the user was indeed correctly recovered, and that the user “Fred” had no password on this test machine, yet WCE mirrored the password for the “Secure_User” account.

Odd, but it did recover the password in plain text.

Mimikatz seems to do a better job at recovering passwords, but WCE is just as easy to use. Both offer other features and functions. I think I like both!

*** Update ***

Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted this article. As fast as I could run some tests for him, he created a fix for this.

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without:

Thanks Hernan, awesome job!  🙂