Dumping user passwords in plaintext on Windows 8.1 and Server 2012
The computer unlock event can be captured with (thanks @mattifestation):
Here is the script in action on a Windows Server 2012:
Without the downgrade, Invoke-Mimikatz on a Server 2012 machine looks like this:
And with Invoke-MimikatzWdigestDowngrade (AFTER the user unlocks the machine):
Bingo! We successfully dumped the user's password in plaintext.
This is one of the many examples where PowerShell enhances a penetration test by combining several simple techniques. Knowing PowerShell is crucial for better security testing from both the red team's and the blue team's perspective.
Things to note/Meh!:
- This script makes changes to the target by adding a registry key property; the setting is removed after the script finishes. Administrative privileges are required.
- User interaction is required, as it is the user who unlocks the machine. Invoke-CredentialsPhish can be used as well: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-CredentialsPhish.ps1
- We are forcing a machine lock on the user. Really noisy and suspicious.
- Credentials are available in plaintext with WDigest for the entire length of the current session.
- There are surely other ways of doing this: https://twitter.com/gentilkiwi/status/594159340338151424
- A better version of this code will be out soon. I will update this code accordingly. https://twitter.com/subTee/status/594374626194534400
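The notes above describe what a defender should watch for: a registry property under the WDigest provider key that, when set, makes LSASS keep plaintext credentials for the session, and a forced lock to get the user to re-enter them. The following PowerShell is an added example written for the blue-team side, not code from the post or from Nishang. It assumes the standard Windows WDigest key `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` and its `UseLogonCredential` value, and the audit query assumes "Audit Registry" (Object Access) is enabled with a SACL on that key; without that, no 4657 events are written.

```powershell
# Added example (not from the original post): audit and pin the WDigest
# plaintext-credential setting that the downgrade technique depends on.
# Registry path is Windows' own WDigest security-provider key (assumed here).
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    # Reports whether the value exists and whether it enables plaintext storage.
    # A missing value means "disabled" on Windows 8.1 / Server 2012 R2, but on
    # older hosts that received KB2871997 it must be set to 0 explicitly, so a
    # missing value is reported as "not explicitly disabled" rather than safe.
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; PlaintextEnabled = $false; ExplicitlyDisabled = $false }
    }
    $v = [int]$item.$ValueName
    return [pscustomobject]@{
        Present            = $true
        Value              = $v
        PlaintextEnabled   = ($v -eq 1)
        ExplicitlyDisabled = ($v -eq 0)
    }
}

function Disable-WDigestPlaintext {
    # Pins the value to 0. Once it is present and 0, a later "downgrade" to 1 is
    # a modification of an existing value (easier to alert on) rather than the
    # creation of a value that was never there. Requires administrative rights.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
}

function Get-WDigestRegistryChanges {
    # Looks back through the Security log for 4657 ("A registry value was
    # modified") events that reference the WDigest key. Only produces results
    # when registry object-access auditing and a SACL on the key are in place.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SecurityProviders\\WDigest' } |
        Select-Object TimeCreated, Id,
            @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run elevated on the host being checked.
$state = Get-WDigestState
if ($state.PlaintextEnabled) {
    Write-Warning "UseLogonCredential is 1: LSASS keeps plaintext passwords for this session. Pinning to 0."
    Disable-WDigestPlaintext
} elseif (-not $state.ExplicitlyDisabled) {
    Write-Host "UseLogonCredential not explicitly set to 0; pinning it so later changes are visible."
    Disable-WDigestPlaintext
} else {
    Write-Host "WDigest plaintext credentials are explicitly disabled."
}

# Recent modifications to the key, if auditing is configured.
Get-WDigestRegistryChanges -Hours 24 | Format-Table -AutoSize
```

Setting the value to 0 does not clear credentials WDigest already holds; as the notes say, they remain for the life of the current logon session, so after remediation the affected user should log off and back on. The 4657 query is only as good as the audit policy behind it, which is why the script pins the value even on hosts where it was merely absent.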