In this article, part of a series on Windows system security (in the previous article we discussed the security issues of passwords stored in GPP), we will look at a fairly simple method of obtaining the plaintext passwords of all users logged on to a Windows system.
Most system administrators are confident that Windows does not store user passwords in plain text, only their hashes. Although there are many tools today that can extract password hashes from a system, it is fair to say that a sufficiently complex password that is not in a dictionary is almost impossible for an attacker to recover by brute force or with a database of precomputed hashes.
This is true, but there are nuances concerning the users who are currently logged on. The point is that some system processes need the password itself (in plaintext or in reversibly encrypted form), not its hash, for their own purposes.
For instance, HTTP Digest Authentication, used to support SSO (Single Sign-On), needs the user's password along with its hash. The encrypted user passwords (the passwords themselves, not their hashes) are stored in OS memory, more specifically in the LSASS.EXE process. The problem is that this password encryption is implemented with the standard Win32 functions LsaProtectMemory and LsaUnprotectMemory, which encrypt and decrypt a region of memory. The mimikatz tool, written by French developers, reads the encrypted data from memory, decrypts it with the LsaUnprotectMemory function, and displays all accounts of users authenticated on the system together with their passwords (decrypted, in plain text!).
You can download mimikatz here: http://blog.gentilkiwi.com/mimikatz
Mimikatz can extract user passwords either directly from memory or from a memory dump of the machine.
How to Extract User Passwords from lsass.exe Online
- Download and run mimikatz.exe (there are x86 and x64 versions; use the one matching the bitness of your system)
- Run the following commands in the tool's console:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full
As you can see in the output, the tool has displayed the password of the account named user.
How to Get a User Password from Windows Memory Dump
A memory dump of the LSASS process can be obtained with the Out-Minidump.ps1 PowerShell function. Import the Out-Minidump function into PowerShell and create a dump of the LSASS process:
Get-Process lsass | Out-Minidump
The dump file (lsass_562.dmp in our example; by default it is saved in the %windir%\system32 directory) has to be copied to another system where mimikatz is available, and the following command run:
mimikatz "sekurlsa::minidump lsass_592.dmp"
The next command lists the users logged on to the system and their plaintext passwords:
mimikatz # sekurlsa::logonPasswords
As you can see, it’s easy.
How to Get Passwords from Virtual Machine and Hibernation Files
Let’s move on. With a few simple steps, an attacker can extract user passwords from memory dump files, system hibernation files and virtual machine .vmem files (virtual machine page files and their snapshots).
To do this, you need the Debugging Tools for Windows (WinDbg) package, mimikatz itself, and a utility to convert the .vmem file into a memory dump (for Hyper-V this can be vm2dmp.exe; for VMware .vmem files, the MoonSols Windows Memory Toolkit).
For example, to convert the vmem page file of a VMware virtual machine into a dump, run this command:
bin2dmp.exe "wsrv2008r2-1.vmem" vmware.dmp
Open the dump in WinDbg (File -> Open Crash Dump) and load the mimikatz library mimilib.dll (choose the version matching the bitness of the system).
Find the lsass.exe process in the dump:
!process 0 0 lsass.exe
And finally, run the following command, using the process address returned by the previous one:
.process /r /p fffffa800e0b3b30 !mimikatz
Mimikatz can obtain plaintext Windows user passwords on the following systems, including ones running as guests on various versions of Hyper-V 2008/2012 and VMware hypervisors:
- Windows Server 2008 / 2008 R2
- Windows Server 2012 / 2012 R2
- Windows 7
- Windows 8
Can I Protect Myself Against Password Extraction with mimikatz?
As a temporary measure you can disable the wdigest security provider in the registry. To do so, open the Security Packages value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and delete the wdigest entry from the list of packages.
However, bear in mind that an attacker with sufficient rights to the registry can easily revert this change.
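The registry change above can be scripted and verified; the following PowerShell is an added example, not code from the original article. It reports whether wdigest is still listed in the Lsa Security Packages value and, when run with -Remediate in an elevated session, removes it; it also sets the UseLogonCredential DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 0, a setting not mentioned in the article that Microsoft introduced with update KB2871997 (built in from Windows 8.1 / Server 2012 R2 onwards) to stop WDigest from keeping plaintext credentials in LSASS.

```powershell
# Added example: audit and optionally disable the WDigest plaintext credential store.
# Run in an elevated PowerShell. Both the "Security Packages" change and the
# UseLogonCredential setting only affect logons after the next reboot.
[CmdletBinding()]
param(
    [switch]$Remediate   # report only unless this switch is given
)

$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# "Security Packages" is REG_MULTI_SZ, so PowerShell returns a string array.
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages' `
                 -ErrorAction SilentlyContinue).'Security Packages')
$hasWdigest = $packages -icontains 'wdigest'

# UseLogonCredential: 0 = WDigest must not cache plaintext passwords.
# An absent value on patched Windows 7 / 2008 R2 / 8 / 2012 means the old, unsafe default.
$useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' `
                   -ErrorAction SilentlyContinue).UseLogonCredential
$useLogonCredText = if ($null -eq $useLogonCred) { '<not set>' } else { $useLogonCred }

Write-Host ("wdigest in Lsa\Security Packages : {0}" -f $hasWdigest)
Write-Host ("WDigest\UseLogonCredential       : {0}" -f $useLogonCredText)

if (-not $Remediate) {
    Write-Host 'Run with -Remediate (as Administrator) to apply the mitigation.'
    return
}

if ($hasWdigest) {
    # Keep every package except wdigest; an empty list is written as one empty string.
    [string[]]$remaining = @($packages | Where-Object { $_ -ine 'wdigest' })
    if ($remaining.Count -eq 0) { $remaining = @('') }
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value $remaining -Type MultiString
    Write-Host 'Removed wdigest from Security Packages (effective after reboot).'
}

if (-not (Test-Path $wdigestKey)) { New-Item -Path $wdigestKey -Force | Out-Null }
Set-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' -Value 0 -Type DWord
Write-Host 'Set UseLogonCredential = 0. Monitor this value: anyone with registry rights can flip it back.'
```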
- Don’t use the same password for different services (especially terminal services belonging to third parties).
- Think about the security of your passwords and data on virtual machines in widely advertised clouds, since you don’t know who else has access to the hypervisors and storage on which the virtual machines reside.
- Minimize the number of accounts on your systems that have local administrator privileges.
- Never log on with a domain administrator account to servers and PCs that other users can access.