How to obtain a full-domain user plaintext password

Brief introduction

In addition to Group Policy, Windows allows you to customize the password policy, and misuse of this mechanism can implement malicious behavior. Today for everyone under the popular science

What happens on the Windows server side when we press CTRL + ALT + DEL To modify the user's password.

First, the Windows server (domain control) checks the registry to find Password Filter, which is the LSA Notification Package. The DLL is then invoked, checking to see if the password matches the policy,

If you do not conform to the policy, you are prompted that the password is not robust

By default, a server on a domain contains two DLLs, where SECCLI is responsible for implementing password security policies, as well as our common GPO.

Our topic today is how to misuse this mechanism to implement a password policy plug-in to record the passwords of all domain Users

A listed company, in order to comply with SOX 404 audit requirements, the password every three months will be mandatory modification, just can trigger this mechanism

Check the official document, a password plug-in needs to export three functions,

Where Passwordfilter is responsible for checking whether the password is compliant, passwordchangenotify is executed on the workstation and is responsible for informing the workstation user of the password change.

The final source code and the 64-bit DLL can be downloaded here (using Build.cmd Compilation) to install the plugin

We login to the domain control, copy the compiled SecureFilter.dll to the%system32% directory,

Then open the registry and find Hkey_local_machine\system\currentcontrolset\control\lsa\notification Package

Add Securefilter words

Active demo after restarting DC server

We log on to a workstation, modify the password,

Back to domain control, the discovery log has been written in the last

After testing, regardless of how you modify your password, OWA is the same as the command line, and the effect is the same on a server that does not have a domain.

If you want to get a user's password immediately, click on the domain control to "user must change password at next logon", as shown in the figure:

Reference Https://www.slideshare.net/nFrontSecurity/how-do-password-filters-work https://technet.microsoft.com/en-us/ Library/cc963221.aspx https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766 (v=vs.85). aspx.aspx)