EXTRACTING WINDOWS PASSWORD HASHES WITH PWDUMP/FGDUMP AND WCE (WINDOWS CREDENTIALS EDITOR)
- Layout for this exercise:
1 - Windows SAM, LM, NTLM and SYSKEY
- The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, and Windows 7 that stores users' passwords and can be used to authenticate local and remote users.
- SAM uses cryptographic hashing to prevent unauthenticated users from accessing the system.
- The user passwords are stored in hashed format in a registry hive, as either an LM or an NTLM hash.
- This file can be found in %SystemRoot%\system32\config\SAM and is mounted on HKLM\SAM.
- The LAN Manager (LM) hash is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords.
- Support for the legacy LM protocol continued in later versions of Windows for backward compatibility, but Microsoft recommended that administrators turn it off. As of Windows Vista, the protocol is disabled by default.
- LM authentication uses a particularly weak method of hashing a user's password, which makes such a hash crackable in a matter of seconds using rainbow tables, or in a few hours using brute force.
- A weakness of LM hashes lies in their implementation: since they change only when a user changes their password, they can be used to carry out a Pass the Hash (PTH) attack.
- The NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.
- NTLM is the successor to the LM authentication protocol.
- NTLM remains vulnerable to the Pass The Hash (PTH) attack, which is a variant on the reflection attack. For example, Metasploit can be used in many cases to obtain credentials from one machine which can be used to gain control of another machine.
- The Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via NTLM.
- Amplia Security discovered several flaws in the Windows implementation of the NTLM authentication mechanism that broke the security of the protocol, allowing attackers to gain read/write access to files and remote code execution.
- In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the Syskey function in Windows NT 4.0.
- Syskey is a utility that encrypts the hashed password information in a SAM database in a Windows system using a 128-bit RC4 encryption key that, by default, is stored in the Windows registry.
- Syskey can optionally be configured to require the user to enter the key at boot time as a startup password or load it on removable storage media (e.g., USB flash drive).
- It was meant to protect against offline password cracking attacks by preventing the possessor of an unauthorised copy of the SAM from extracting useful information from it.
- However, it is commonly misused by scammers to lock victims out of their own computers in order to coerce them into paying a ransom.
2 - pwdump/fgdump
- pwdump/fgdump are password hash dumpers for Windows 2000 and later systems.
- pwdump/fgdump are capable of dumping LM/NTLM hashes as well as password hash histories.
- pwdump/fgdump perform in-memory attacks by injecting a DLL containing the hash-dumping code into the Local Security Authority Subsystem (LSASS) process memory.
- The LSASS process has the necessary privileges to extract password hashes, as well as many useful APIs that can be used by the hash dumping tools.
- fgdump is a more powerful version of pwdump. pwdump tends to hang when antivirus is present; fgdump takes care of that by shutting down and later restarting a number of AV programs.
- fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump: some of them would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box.
- fgdump.exe is run from the Windows command line with administrator privileges:
- Running fgdump.exe:
- Reading the file 127.0.0.1.pwdump displays the NTLM hashes for all users:
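For defenders reviewing such a dump during an authorised assessment, the following added example (not part of the original exercise or of pwdump/fgdump) parses the pwdump record layout `user:RID:LM:NT:::` and reports the weaknesses discussed above: stored LM hashes, blank passwords, and accounts sharing one NT hash. The sample records and the `audit` function name are constructed for illustration; only the two empty-password constants are real values.

```python
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump layout; hash values are made up.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:11112222333344445555666677778888:0123456789abcdef0123456789abcdef:::
bob:1002:9999aaaabbbbccccaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def audit(text):
    """Return (account, finding) pairs for weak credential storage."""
    findings, by_nt = [], defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a pwdump record
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if not HEX32.match(nt):
            continue  # malformed NT field
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        else:
            by_nt[nt].append(user)
        # A non-hex LM field (e.g. a "NO PASSWORD" filler) means no LM hash.
        if HEX32.match(lm) and lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
            # LM hashes each 7-character half separately; an empty second
            # half always yields the same 16 hex digits.
            if lm[16:] == EMPTY_LM[:16]:
                findings.append((user, "password is 7 characters or fewer"))
    # Identical NT hashes mean identical passwords, so one captured hash
    # authenticates as every account in the group (pass-the-hash exposure).
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash (shared password)"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```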
3 - Windows Credentials Editor (WCE)
- Windows Credentials Editor (WCE) is a post-exploitation security tool that allows the user to list logon sessions and add, change, list and delete associated credentials (e.g., LM/NT hashes, plaintext passwords and Kerberos tickets).
- WCE can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon.
- WCE is a security tool widely used by security professionals to assess the security of Windows networks via penetration testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.
- WCE works by using DLL injection or by directly reading the Local Security Authority Subsystem (LSASS) process memory. The second method is safer in terms of operating system stability, because code is not injected into a highly privileged process.
- For further information and downloading WCE:
- WCE is run from the Windows command line with administrator privileges:
- The output of running wce.exe displays both the LM and NTLM hashes of the passwords from all users currently logged on:
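Both access methods described above, DLL injection into LSASS (pwdump/fgdump, WCE) and direct reads of LSASS memory (WCE), leave traces that process telemetry can catch. The following added example (not from the original exercise) classifies events shaped like Sysmon ID 8 (CreateRemoteThread) and ID 10 (ProcessAccess). The events, the `example_*.exe` paths and the allowlist are constructed assumptions.

```python
# Windows process access rights (values from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumption: processes expected to open LSASS on this host; tune per environment.
ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed events shaped like Sysmon ID 8 (CreateRemoteThread) and
# ID 10 (ProcessAccess); the example_*.exe paths are placeholders.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1fffff"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\example_a.exe",
     "TargetImage": LSASS},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\example_b.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\example_c.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x143a"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\example_b.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

def classify(ev):
    """Return a finding string for suspicious LSASS access, else None."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if ev.get("SourceImage", "").lower() in ALLOWED:
        return None
    if ev["EventID"] == 8:
        return "remote thread created in LSASS (code injection)"
    if ev["EventID"] == 10:
        mask = int(ev.get("GrantedAccess", "0"), 16)
        # Thread-creation or write rights are what an injector needs.
        if mask & (PROCESS_CREATE_THREAD | PROCESS_VM_WRITE):
            return "handle to LSASS permits injection"
        # Read-only access matches the direct memory-read method.
        if mask & PROCESS_VM_READ:
            return "LSASS memory opened for reading"
    return None

def detect(events):
    """List (source image, finding) for every event that classify() flags."""
    hits = []
    for ev in events:
        finding = classify(ev)
        if finding:
            hits.append((ev["SourceImage"], finding))
    return hits
```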