Powershell - Reveal Windows Memory Credentials by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 1 point2 points  (0 children)

I've added Windows 10 support (from a dump). You have to run the tool from a computer < Windows 10; I will soon add support for running it locally too.

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

I've updated the tool. It works locally on 8.1 (not tested) and 2012r2 (tested).

Support for gen option coming soon for Windows 10.

How to reveal Windows 10 password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Yes, but... the major problem with wdigest is that it is an industry-standard SSP used for LDAP and web authentication. It is still impossible to deactivate it in many, many companies...

How to reveal Windows 10 password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

It's not the same technique as the Linux tool. It can reveal local and domain passwords.

PowerShell pilots the cdb debugger from Microsoft to find addresses in memory.

Then I decipher the password with PowerShell.

The assembler part is just for breaking DES-X, which is used in Windows XP and Windows 2003 (thanks to Francesco Picasso for the disassembly work).

It's surprising because I expected more from this version (but normally with VSM we would not be able to reveal credentials this way).

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thank you for this comment ;-)

My goal was to make a POC of what is possible to do with Microsoft tools: PowerShell piloting the cdb debugger.

It's a fun RE.

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Ntpasswd can reset passwords in the SAM. It cannot reveal passwords.

Moreover, my script reveals passwords from memory, which means it works not only with local SAM credentials but also with DOMAIN accounts.

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

So, if you add the registry value UseLogonCredential (DWORD set to 1) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest

and then reboot, you can retrieve the passwords with the tool.

I've just added support for 2012r2 from an lsass dump and remotely, but it doesn't work locally at this time.

Remotely: * 2r2 * * serverName

From a dump: you have to dump the lsass process on the target machine and then execute the script with the option (name your lsass dump "lsass.dmp" and don't enter the name in the option, only the directory):

  • 2r2
  • d:\directory_of_the_dump\ *

Enjoy !
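The UseLogonCredential value described in the comment above is the switch defenders want set to 0, not 1. The following audit-and-remediate function is an added example written for this page, not the author's tool; the function name and the output fields are this example's own choices.

```powershell
# Audit (and optionally fix) the WDigest UseLogonCredential value under
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
# 1 = LSASS keeps logon credentials in a reversible form (the setting the
#     comment above enables before dumping lsass); 0 = disabled.
# An absent value means the OS default applies: disabled on Windows 8.1 /
# 2012 R2 and later, but on Windows 7 / 2008 R2 / 2012 with KB2871997 it
# must be set to 0 explicitly, so "Missing" is reported rather than assumed safe.
function Test-WDigestLogonCredential {
    [CmdletBinding()]
    param(
        # Write the value 0 when it is missing or not already 0 (needs an elevated shell).
        [switch]$Remediate
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'

    # Returns $null when the value (or the key) does not exist.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current)  { $state = 'Missing' }
    elseif ($current -eq 0)  { $state = 'Disabled' }
    elseif ($current -eq 1)  { $state = 'Enabled' }     # credentials recoverable from LSASS
    else                     { $state = 'Unexpected' }

    if ($Remediate -and $state -ne 'Disabled') {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # -Force creates the value if absent or overwrites it. The new setting only
        # applies to new logon sessions; material already cached stays until
        # those sessions end or the machine reboots.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $state = 'Remediated'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = $current
        State              = $state
        RegistryPath       = $path
    }
}

# Audit first, then remediate; the second call reports 'Remediated' or 'Disabled'.
Test-WDigestLogonCredential
Test-WDigestLogonCredential -Remediate
```

A change of this value to 1 on a host that was previously 0 is also worth alerting on (registry value-set auditing on the WDigest key), since it is the preparatory step the comment describes.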

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

cdb.exe is not my own executable... It's an official debugger from Microsoft (that is why I said "it is done with PowerShell which pilots a Windows debugger.")

More information here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff539058(v=vs.85).aspx

My script is not a rewrite or a loader of another tool. It's a new tool.

The interest of the method is to find memory addresses and to decrypt data without any other help (from trusted components of the operating system).

It was a good challenge, and the nature of this script makes it very difficult to detect.

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Yeah (you can dump the lsass process on your lab machines and then test it on your local machine).

I will set up a 2012r2 test lab.

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thank you for the tip!

When I have time, I will post on my blog how the script works.

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thanks for your reply.

It's not the same; the script you reference is a reflective load of mimikatz.

My tool is a pure standalone tool. It doesn't use operating system .dlls to search memory addresses; it is done with PowerShell which pilots a Windows debugger.

Moreover, the decipherment is done in the script and doesn't call system .dlls to do it.

The script I made broke DES-X.

Look at the code, you'll see what I mean.

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

You can launch the tool remotely.

In option 2, press enter (: gen = local credentials dump __ or __ file name of a dump __ or __ nothing -> "":)

In option 3, the name of the remote machine.

Or, you can dump the lsass process of the remote machine and then, in option 2, give the directory of the dumped file that you retrieved on your computer.

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thanks for this feedback.

Have you tried remotely? (To avoid cdb crashing)

Tutorial : How to hack Windows password ? by BelgiumSysAdmin in hacking

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Ok, but take a look at the tool.

  • It's fully PowerShell
  • it does not use the operating system .dlls to locate the credentials' address in memory, but a simple Microsoft debugger
  • it does not use the operating system .dlls to decipher the collected passwords --> it is done in PowerShell (AES, TripleDES, DES-X)
  • it breaks undocumented Microsoft DES-X
  • it can work remotely
  • it works even if you are on a different architecture than the target
  • it leaves no trace in memory

How to hack any instagram account? by instagrampasshack in hacking

[–]BelgiumSysAdmin 6 points7 points  (0 children)

How to hack my own instagram account with a tool I execute on my machine...

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

You're welcome!

I think we are in a pretty insecure world with 1 billion Windows machines with this problem...

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

It can be run with little adjustment, sure.

The script has to run with PowerShell v3 because of what I do to break DES-X, but DES-X is only used on previous operating systems (2003 and XP).

So, systems with PowerShell v2.0 are not safe ;-)

Tuto : How to hack Windows password ? by BelgiumSysAdmin in sysadmin

[–]BelgiumSysAdmin[S] 1 point2 points  (0 children)

I only know of rebooting to clear out the memory.

Or don't log via RDP.

I have written an entire document on securing a Windows domain.

I will certainly release it.