Windows 10 is here. Well... it's kind of been here for some time, but it's fully rolled out now and soon we will start to see enterprise adoption. I, like I'm sure many others out there, have been playing with Windows 10 in a virtual environment the last few weeks. My motivation has primarily been to understand how the game has changed with respect to my standard set of tools. In this blog post we will only be discussing my findings in relation to hash and plaintext password extraction.
We all know the value of Windows password hashes and the fun they allow us to have via pass-the-hash attacks! If you aren't aware, I strongly recommend looking into it. Now, I prefer having the actual password whenever possible, but hashes will suffice if that is all I can get. Naturally, I put a number of my usual suspects up against Windows 10 to see how they would perform:
- mimikatz 2.0
- wce 1.42 beta
- fgdump 2.10
All testing was performed on Windows 10 Pro x64.
[Screenshot: mimikatz 2.0 alpha x64 output]
[Screenshot: wce 1.42beta x64 output]
[Screenshot: fgdump 2.1.0 output]
The results:
- mimikatz 2.0
  - We can dump hashes, but not plaintext passwords
- wce 1.42 beta
  - Does not seem to dump hashes or plaintext passwords
- fgdump 2.10
  - Works as expected and dumps our hashes
In general, this isn't really too bad. We have our hashes and we can either crack them or use them in pass-the-hash attacks... but no plaintext passwords? Boo!
I decided to poke around on the internet and consult some friends to see if they had stumbled upon any interesting tools capable of dumping plaintext passwords on Windows 10. This is how I discovered a set of tools created by Pierre-Alexandre Braeken called PowerMemory. Of particular interest was a PowerShell script called Reveal Windows Memory Credentials (RWMC).
I grabbed RWMC from GitHub (link here) and threw it at my test VM.
Note: You must first execute 'Set-ExecutionPolicy Unrestricted -force' inside PowerShell in order to allow the script's execution.
The following screenshots demonstrate how to use RWMC to dump plaintext passwords from a local Windows 10 Pro x64 machine, although they should not really differ on any other Windows operating system.
[Screenshot: Running RWMC]
Interestingly, the tool advises that a registry key was set and a reboot is needed. I took a peek at the script to find this:
Ah, here we can see that a registry setting for storing credentials in plaintext for the WDigest provider is being set to 1. I haven't mucked with any of the settings on this Windows 10 Pro install, so UseLogonCredential being set to 0 must be default behavior on Windows 10. After looking into the matter some more, this seems to be the case at least going back to Windows 8.1.
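From the defender's side, the UseLogonCredential value is the thing worth watching: if it is 1, LSASS keeps WDigest plaintext credentials in memory for every interactive logon. The following PowerShell is an added example written for this post, not part of RWMC or PowerMemory. It audits the value, can reset it to the hardened 0, and searches the Security log for registry-modification audit events that touched it. The registry path is taken from the Microsoft KB2871997 hardening guidance rather than from the post, the function names are mine, and the event search only returns results where the 'Audit Registry' subcategory is enabled and a SACL exists on the key.

```powershell
# Added example (not from the original post): audit the WDigest credential-caching
# setting that RWMC flips, optionally reset it, and look for audit trail of changes.
# Path assumed from the KB2871997 hardening guidance; not shown in the post.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestCredentialCaching {
    # Returns an object describing the current state. 'Absent' means the value
    # does not exist, which on Windows 8.1/10 behaves like 0 (caching disabled).
    $value = (Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        Path                       = $WDigestKey
        Value                      = if ($null -eq $value) { 'Absent' } else { $value }
        PlaintextCredentialsCached = ($value -eq 1)
    }
}

function Set-WDigestCredentialCachingDisabled {
    # Explicitly writes 0 so that a later flip to 1 shows up as a modification
    # rather than a creation. Needs an elevated prompt; as the post notes, the
    # change takes effect for logons after the next reboot.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
    Get-WDigestCredentialCaching
}

function Get-WDigestRegistryChangeEvents {
    # Security log event ID 4657 is "A registry value was modified". Filter it
    # down to events that mention the WDigest key and the value name.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' -and $_.Message -match $ValueName } |
        Select-Object TimeCreated, Id, Message
}

# Usage
$state = Get-WDigestCredentialCaching
$state | Format-List
if ($state.PlaintextCredentialsCached) {
    Write-Warning "WDigest is caching plaintext credentials in LSASS; run Set-WDigestCredentialCachingDisabled from an elevated prompt and reboot."
}
Get-WDigestRegistryChangeEvents -Days 30 | Format-Table -AutoSize
```

Reading the value needs no special rights, so the audit part is safe to push out as a scheduled job or a configuration check; only the remediation function needs an elevated prompt. Because the post shows that tooling can set the value and then wait for a reboot, the useful detection signal is a 4657 event on this value, or simply a value of 1 found by the audit, not just the presence of a dumping tool on disk.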
Let's try RWMC once more, after the registry modification and reboot.
This looks better... and our results are:
Alright. So that worked - nice! RWMC has a number of other features including the ability to dump passwords remotely and to retrieve passwords from dumps. More information can be found here.
The one thing that threw me off was having to reboot if the registry setting wasn't enabled. This can be quite an inconvenience, but I haven't found a way around it with the limited testing I have performed.
But now that we have the registry setting enabled, let's throw mimikatz at it once again and see what happens:
There we have it. Mimikatz is also now able to dump the hashes without issue. Interestingly, in my tests, WCE was still failing.
It's more or less business as usual:
- mimikatz
  - enable the UseLogonCredentials registry setting
- RWMC
  - enable the UseLogonCredentials registry setting
- WCE
  - doesn't seem to work at all, in my quick tests anyways
- fgdump
  - Works as expected. No registry tweaks needed, but then again it's not interacting with WDigest.
Interestingly enough, Windows Defender did complain about the tools while they were being executed, but did not stop any of them from executing.
Thanks for reading,
-evasiv3