Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1

发布时间:June 11, 2015 // 分类:转帖文章,windows // No Comments

Many of us in the penetration testing world have come to love Benjamin Delpy’s (blog.gentilkiwi.com) mimikatz/kiwi modules which were ported to Metasploit by OJ Reeves and incorporated into the meterpreter shell. Among other capabilities, one of the most impactful features of these modules was the ability to extract a Windows user’s clear text password from the WDigest provider.

When Microsoft released Windows 8.1, they added some security features that effectively removed the ability of tools like mimikatz or WCE to dump clear text credentials from LSA memory.

Microsoft then backported those fixes in a security update (http://support.microsoft.com/kb/2871997) for Windows systems prior to 8.1. However, because WDigest is used by many products (e.g. IIS), Microsoft left the Wdigest provider enabled which is why our mimikatz/kiwi module can still obtain clear text passwords prior to Windows 8.1

Windows 8.1 introduced a registry setting that allows for disabling the storage of the user’s logon credential in clear text for the WDigest provider.

(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential)

Although the entry does not appear in the Windows 8.1 registry, the default setting for this DWORD value in 8.1 is “0” meaning that 8.1 does not store logon credentials in clear text in LSA memory for this SSP.

KB2871997 backported this registry setting to earlier Windows versions. When you install the hotfix, the registry setting will also not appear in earlier versions. These versions < 8.1 will default to “1” for the “UseLogonCredential” DWORD value.

So what happens on a Windows 8.1 system when we try to obtain the clear text password via a meterpreter shell using the mimikatz or kiwi modules?

The kiwi module is unable to obtain the clear text passwords from LSA memory.

But since we have administrative access, let’s change the registry setting by explicitly setting it to 1 in a Windows shell.

(reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)

We refresh the regedit window to see the new value of “1” for UseLogonCredential.

Now, all we have to do is try to force, or wait for the user to either lock their screen or log off and then subsequently unlock their screen or log back in.

With the update to the registry, we should now be able to grab the clear text password from LSA memory.

Back in our meterpreter shell, we attempt the creds_wdigest again (might have to get a new meterpreter shell if the user logged off and back on).

References:

http://blog.gentilkiwi.com
http://blogs.technet.com/b/kfalde/archive/2014/11/01/kb2871997-and-wdigest-part-1.aspx

 

咱们来说人话。修改注册表 ,将 HKLM_LOCAL_MACHEINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest的"UseLogonCredential"(需要添加该 项目)设置为1,类型为DWORD 32  就可以了,然后等管理员在线或者还没注销的时候,就可以用mimi抓取明文了。

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

标签:mimikatz

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...