I recently talked about recovering Windows passwords remotely in plain text using “Mimikatz”, but it is not the only program that will do it. One of my favorite security teachers, Professor Sam Bowne at City College of San Francisco, has released a tutorial on using the Windows Credentials Editor (WCE) to do the same thing.
I was following the tutorial and ran into a snag. On my backtrack machine my Metasploit Path is different, though we are using the same version of Backtrack (5r2). So the directories that are mentioned did not exist on my machine.
Basically I followed the tutorial step by step, but on my machine I had to do 2 things differently:
- I needed to copy the wce.rb Ruby script into the “/opt/metasploit/msf3/scripts/meterpreter” directory.
- Also, the wce-x86.exe (or wce-x64 if using 64 bit) into the “/opt/metasploit/msf3/data/post” directory.
I am not sure of why the paths are different, maybe because I was using the “Live” bootable version of Backtrack 5r2.
The tutorial functioned flawlessly after that. After obtaining a remote session using Backtrack’s Social Engineering Toolkit, I ran bypassuac to get System level authority and at the meterpreter prompt simply ran wce.rb:
Two strange things that I noticed was that the username for “Secure_User” was cut off, but the long complex password for the user was indeed correctly recovered. But the user “Fred” had no password on this test machine, and WCE mirrored the password for the “Secure_User” account.
Odd, but it did recover the password in plain text.
Mimikatz seems to do a better job at recovering passwords, but WCE is just as easy to use. Both offer other features and functions. I think I like both!
Hernan from Amplia Security (creator of WCE) contacted me as soon as I posted this article. As fast as I could run some tests for him, he created a fix for this.
In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without:
Thanks Hernan, awesome job! 🙂