Playing with Windows 10 hashes and plaintext passwords
Windows 10 has been out for a while now. Installation numbers keep growing and more and more enterprises are adopting it, which is a good sign. It is estimated that Windows 10 installations will reach 0.1 billion (100 million) by the end of September. I believe many people have spent the past few weeks trying Windows 10 in a virtual environment.
My main purpose was to study the impact of the system upgrade on my standard tools. In this article I share some findings about extracting hashes and plaintext passwords on Windows 10.
Win 10: I WANT YOU
We all know the value of a Windows password hash and the endless fun we get from pass-the-hash testing. If you are not familiar with it, allow me to strongly recommend that you try it. Personally, I would rather obtain the actual password whenever possible, although a hash is often enough.
I used some commonly used tools in Win 10 to see how they work:
· mimikatz 2.0
· wce 1.42 beta
· fgdump 2.10
All tests are performed in Win 10 Pro x64.
Mimikatz 2.0 alpha x64 output
Wce 1.42 beta x64 output
Fgdump 2.1.0 output
Result
· mimikatz 2.0 captures the hash, but apparently not the plaintext password.
· wce 1.42 beta does not seem to capture anything, neither a hash nor a plaintext password.
· fgdump 2.10 captures the hash.
Overall this is not too bad. Once we have the hash we can crack it or use it for pass-the-hash testing ...... but no plaintext password captured directly? That won't do!
Meet RWMC
I decided to look around on the internet and ask a few friends whether there were any interesting tools for getting plaintext passwords on Windows 10. That is how I found a set of tools by Pierre-Alexandre Braeken called "PowerMemory". The most exciting one is a PowerShell script called "Reveal Windows Memory Credentials" (RWMC).
I found RWMC from github and ran it on my test virtual machine.
Note: you must first run "Set-ExecutionPolicy Unrestricted -Force" in PowerShell before the script will execute.
The following shows how RWMC captures a plaintext password from a local Windows 10 Pro x64 machine, although the procedure is no different on other Windows versions.
Run RWMC
Interestingly, the tool recommends creating a registry value and rebooting before running it again. I read the script and found the following:
Here we can see a registry value that, when set to 1, makes the WDigest provider store credentials in plaintext. I have not changed any settings on this Windows 10 Pro install, so on Windows 10 UseLogonCredential must default to 0. Following up on this, the same default appears to go back at least to Windows 8.1.
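From the defender's side, the interesting fact in the passage above is that a single DWORD decides whether WDigest keeps plaintext credentials in LSASS memory. The following PowerShell script is an added example (it is not part of the original post and is not PowerMemory/RWMC code): it reads the UseLogonCredential value, reports whether plaintext caching is on, and resets it to the secure value 0 if needed. The registry path is the standard WDigest provider key; the function names are my own.

```powershell
# Added example: audit the WDigest UseLogonCredential setting and harden it.
# Run from an elevated PowerShell session (writing under HKLM needs admin rights).
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    # Returns Present / Value / PlaintextCached for the current machine.
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: on Windows 8.1 / 10 the default behaviour is 0 (no plaintext caching),
        # which matches what the post observed on an untouched Windows 10 Pro install.
        return [pscustomobject]@{ Present = $false; Value = $null; PlaintextCached = $false }
    }
    $v = [int]$item.$ValueName
    return [pscustomobject]@{ Present = $true; Value = $v; PlaintextCached = ($v -eq 1) }
}

function Set-WDigestSecure {
    # Write an explicit 0 rather than deleting the value: an explicit value is easier to
    # baseline and any later change to 1 stands out in configuration monitoring.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
    # The setting is read when a logon session is created, so existing sessions may still
    # hold cached credentials until the host reboots (the same reboot the post ran into).
    Write-Warning "$ValueName reset to 0; reboot to flush credentials cached by existing sessions."
}

$state = Get-WDigestState
if ($state.PlaintextCached) {
    Write-Host "[!] $ValueName is 1: WDigest keeps plaintext passwords in LSASS memory."
    Set-WDigestSecure
} elseif (-not $state.Present) {
    Write-Host "[+] $ValueName is not set: the Windows 8.1/10 default (0) applies."
} else {
    Write-Host "[+] $ValueName is $($state.Value): plaintext caching is disabled."
}
```

One caveat: the "absent means 0" interpretation in Get-WDigestState holds for Windows 8.1 and 10 as the post describes. On older versions that received the WDigest fix as an update, the value has to be set to 0 explicitly, so on those systems treat a missing value as a finding rather than as the secure default.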
Let's try RWMC again after modifying the registry and restarting it.
Things look better now; we get results:
Great! It runs to completion and does the job nicely. RWMC also has many other functions, such as remote password capture and retrieving passwords from memory dumps. For more information, see here.
To make the registry setting take effect I had to reboot. That is inconvenient, but in my limited testing I could not find a way around it.
Now that the registry setting is enabled, let's run mimikatz again and see what happens:
Now we finally get what we want. Mimikatz has no problem capturing the hash either. Interestingly, WCE still fails in my test.
The final results are (more or less) as expected:
· Mimikatz: works once the UseLogonCredential setting is enabled
· RWMC: works once the UseLogonCredential setting is enabled
· WCE: does not seem to be useful in my quick test
· fgdump: as expected, needs no registry change, but it does not interact with WDigest
Interestingly, Windows Defender (the protection software that ships with Windows) does complain about these tools being executed, but does not prevent them from running.
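Since the post shows that the registry change is the enabling step and that Defender only complains after the fact, the change itself is the thing worth alerting on. The script below is an added example (not from the original post or from any of the tools it discusses): it enables object-access auditing on the WDigest key and then parses Security event 4657 ("A registry value was modified") to show who changed UseLogonCredential, from which process, and from what old value to what new value. The key path is the standard WDigest provider key; the function names and the 24-hour window are my own choices.

```powershell
# Added example: audit SACL on the WDigest key plus a 4657 parser.
# Assumes an elevated session; auditpol.exe and Get-WinEvent are built into Windows.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Enable-WDigestAudit {
    # 1. Without the "Registry" object-access subcategory, no 4657 events are written at all.
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    # 2. Add a SACL entry so that any successful SetValue on this key produces an audit record.
    $acl  = Get-Acl -Path $WDigestKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
                'Everyone', 'SetValue', 'None', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $WDigestKey -AclObject $acl
}

function Get-WDigestTamperEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData fields from XML rather than relying on the localized message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Only keep writes to UseLogonCredential under the WDigest key.
        if ($d.ObjectName -like '*\WDigest' -and $d.ObjectValueName -eq 'UseLogonCredential') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process  = $d.ProcessName
                OldValue = $d.OldValue
                NewValue = $d.NewValue
            }
        }
    }
}

Enable-WDigestAudit
# A row with NewValue 1 is the event the post's "modify the registry and reboot" step produces.
Get-WDigestTamperEvents -Hours 24 | Format-Table -AutoSize
```

If Sysmon is deployed, its RegistryEvent (Event ID 13, value set) on the same key path gives equivalent coverage without touching the SACL; the XML parsing above works the same way against the Microsoft-Windows-Sysmon/Operational log.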
Editor's note:
I learned from researchers that the "service installation failed" message shown in the WCE screenshot was caused by the author's improper operation. WCE reported the error because of insufficient permissions; the author should have run WCE with SYSTEM privileges, so the results may differ.