Dumping user passwords in plaintext on Windows 8.1 and Server 2012

Dumping user passwords in plaintext on Windows 8.1 and Server 2012

The target computer can be locked with the code found here (Thanks @subTee)01.JPG :
The computer unlock event can be captured with (Thanks @mattifestation) :
Above could be assembled in a PowerShell script for easy use. Let me give you Invoke-MimikatzWdigestDowngrade.ps1. The name is too long for a single script but I like it 🙂 It uses Invoke-Mimikatz from PowerSploit (thanks to @JoesphBialek and @gentilkiwi for that). Invoke-MimikatzWdigestDowngrade is available here in the github repo of Nishang.

Here is the script in action on a Windows Server 2012:

Without the downgrade, Invoke-Mimikatz on a Server 2012 machine looks like this:

And with Invoke-MimikatzWdigestDowngrade (AFTER the user unlocks the machine):

Bingo! We successfully dumped user password in plain.

Notice that the event trigger started a job and we may need to use Get-Job | Recieve-Job cmdlets to see the output.
Below video shows the script in action:
For access to the remote machine, I used PowerShell shells like Powercat and couple of custom PowerShell shells which I will publish soon.
Unfortunately, in my tests, the script doesn’t work from PowerShell remoting and meterpreter. As far as I know, inability to run scripts in user context is the reason for failure in PowerShell remoting. But I am unaware of why it is not working with meterpreter.

This is one of the various examples where PowerShell enahnces a penetration test by combining various simple techniques together. Knowing PowerShell is crucial for better security testing from both red team’s and blue team’s perspective.

Things to note/Meh! :

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training “PowerShell for Penetration Testers” at:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s