Every now and then you find yourself in a situation where you need to help some friend who forgot the password to their Windows client.
Usually I do a really dirty but effective workaround for that, which is to boot some Linux distro like Kali, my favorite when it comes to pentesting and similar stuff. Next you mount the hard drive and replace Utilman.exe with CMD.exe. After that you simply reboot and click the little icon where you usually find the on-screen keyboard and all that stuff, but now it starts CMD.exe as SYSTEM instead. From there you can start explorer.exe and create a new account or reset the password for your existing one.
I know there are lots of ways to reset the password of an existing account, but this is what I usually end up doing. But what if you don't want to reset it and really need to find it? The same applies to passwords for various sites that you let your computer remember and log on with automatically, but that you don't really remember yourself.
So how do we get the password in cleartext?
Previously, on older versions of Windows, you could dump the LM hash and then look it up in precomputed rainbow tables to recover the password.
How about now? Well, you don't even need to dump the hash.
I’ll have to warn sensitive readers about this because you might wish you didn’t know this so that you can live on happily in ignorance.
Now down to the point. You can use a tool like Mimikatz. It will list your passwords and display them in clear text. On top of that it can do pass-the-hash and even create its own Kerberos tickets and modify them.
The scary thing is that it takes about 2 minutes to list the passwords in clear text on your computer. Now tell me, can I "check my mail on your computer" for 2 minutes?
How it’s done
Here's what you need to do. Download the binaries from blog.gentilkiwi.com/mimikatz
Run it from an elevated CMD prompt.
First you need to run privilege::debug
Then you run sekurlsa::logonpasswords
This will list the passwords for the users that have logged in to your machine (Windows Credentials).
It will also list the Web Credentials for any website you have logged in to and saved the password for.
This could be pages like your webmail, Netflix, forums and similar. You get the idea.
Mitigation
This might be a wake-up call for you, and you might want to do a bit of cleaning on your machine.
If you want to remove the stored credentials you can do so from the Windows Credential Manager:
Control Panel\User Accounts\Credential Manager
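The Credential Manager UI shows the same two stores (Windows Credentials and Web Credentials) that the tool above reads out. The script below is an added example, not from the original post, that inventories both stores from the command line with the built-in cmdkey.exe and vaultcmd.exe and then offers to delete the Windows Credentials entries one at a time. It assumes an English-language Windows install (the vault is named "Web Credentials") and is run as the user whose credentials are being reviewed, since every user has a separate store.

```powershell
# Added example: inventory and clean up credentials that Windows stores for
# the current user. Uses only cmdkey.exe and vaultcmd.exe, which ship with
# Windows. Assumes English locale (vault name "Web Credentials").

function Get-StoredWindowsCredentialTargets {
    # cmdkey /list prints one "Target: <type>:target=<name>" line per entry
    $lines = cmdkey /list 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            [pscustomobject]@{
                Store  = 'Windows Credentials'
                Target = $target
                # strip the "Domain:target=" / "LegacyGeneric:target=" prefix
                Name   = ($target -replace '^[^:]+:target=', '')
            }
        }
    }
}

function Get-StoredWebCredentialResources {
    # vaultcmd lists saved website logons; each entry carries a "Resource:" line
    $lines = vaultcmd "/listcreds:Web Credentials" /all 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Resource:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Store  = 'Web Credentials'
                Target = $Matches[1]
                Name   = $Matches[1]
            }
        }
    }
}

function Remove-StoredWindowsCredential {
    param([Parameter(Mandatory)][string]$Target)
    # cmdkey /delete wants the bare target name (the part after "target=");
    # quote the whole argument so names containing spaces survive
    $name = $Target -replace '^[^:]+:target=', ''
    cmdkey "/delete:$name" | Out-Null
}

# Report everything first so the user sees exactly what someone with a couple
# of minutes of local access could read out.
$all = @(Get-StoredWindowsCredentialTargets) + @(Get-StoredWebCredentialResources)
$all | Format-Table Store, Name -AutoSize

# Remove Windows Credentials entries after confirmation. Web Credentials have
# no documented command-line delete; remove those through the Credential
# Manager UI (Control Panel\User Accounts\Credential Manager).
foreach ($cred in (Get-StoredWindowsCredentialTargets)) {
    if ((Read-Host "Delete '$($cred.Name)'? [y/N]") -eq 'y') {
        Remove-StoredWindowsCredential -Target $cred.Target
    }
}
```

Entries whose Name starts with TERMSRV/ are saved Remote Desktop logons and are worth a second look: they are typically domain credentials, so they are the most valuable thing in the store if the machine is ever left unattended.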
Conclusion
This post is just meant to open your eyes and make you aware of what is stored on your computer.
To protect yourself against your passwords leaking out, there are a couple of things you can do.
First of all, use full disk encryption on your machine, and when you do, be sure to look at my other post about TPM and BitLocker to make sure you do it properly.
Don't rely solely on TPM and BitLocker, and don't assume your computer is actually shut down when you press Shut down in Windows 8.1.
Next, you should remove as many of your stored credentials as possible; if you have trouble remembering them, use a password manager that stores them encrypted.
Don't lend your computer to anyone else, and be sure to shut it down when you have to leave it. It might also be a good idea to have a GPO in place that locks the screen after a short period of inactivity.
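Three of the points above (full disk encryption with a PIN in front of the TPM, a real power-off instead of the Windows 8.1 "shut down", and a short inactivity lock) can be checked from the machine itself. The script below is an added example, not from the original post, that audits them and prints a pass/fail per item. It assumes Windows 8.1 or later, an elevated PowerShell session, and the BitLocker PowerShell module (Pro/Enterprise editions). The reason the "shut down" point matters is that fast startup hibernates the kernel session rather than powering the machine off, so the system comes back with LSASS memory, and the secrets in it, intact; the check reads the HiberbootEnabled registry value that controls it.

```powershell
# Added example: audit host-side mitigations against credential dumping.
# Assumes Windows 8.1+, elevated PowerShell, BitLocker module available.

function Test-FullDiskEncryption {
    # Get-BitLockerVolume exposes encryption state and the configured protectors
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Check  = 'OS volume fully encrypted and protection on'
        Pass   = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')
        Detail = "ProtectionStatus=$($os.ProtectionStatus) VolumeStatus=$($os.VolumeStatus)"
    }
    # A TPM-only protector unlocks the disk with no user interaction, so the
    # OS boots far enough for an attacker to go after the running system.
    # A PIN (optionally plus startup key) in front of the TPM closes that gap.
    $types = @($os.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        Check  = 'TPM protector requires a PIN'
        Pass   = ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
        Detail = "Protectors: $($types -join ', ')"
    }
}

function Test-FastStartupDisabled {
    # HiberbootEnabled=1 means "Shut down" hibernates the kernel session
    # (fast startup) instead of powering off; 0 restores a real shutdown.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $val = (Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    [pscustomobject]@{
        Check  = 'Fast startup (hiberboot) disabled'
        Pass   = ($val -eq 0)
        Detail = "HiberbootEnabled=$val"
    }
}

function Test-InactivityLock {
    param([int]$MaxSeconds = 600)
    # The security option "Interactive logon: Machine inactivity limit"
    # (set locally or via GPO) is stored in InactivityTimeoutSecs.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        Check  = "Screen locks within $MaxSeconds s of inactivity"
        Pass   = ($null -ne $val -and $val -gt 0 -and $val -le $MaxSeconds)
        Detail = "InactivityTimeoutSecs=$val"
    }
}

$results = @(Test-FullDiskEncryption) + @(Test-FastStartupDisabled) + @(Test-InactivityLock)
$results | Format-Table Check, Pass, Detail -AutoSize
```

A failing "Fast startup" check is the one most people are surprised by: the machine looks off, but on the next power-up Windows resumes the previous kernel session rather than booting cleanly, which is exactly the scenario the post warns about for Windows 8.1.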
You can also use AppLocker to block specific tools like Mimikatz from running.
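The script below is an added example, not from the original post, of what such an AppLocker rule looks like in practice: it computes the hash of a binary with Get-AppLockerFileInformation, wraps it in a hash-based Deny rule for Everyone, and merges it into the local policy. The path in $blockedBinary is a placeholder, not a path from the post. It assumes an edition with AppLocker (Enterprise or Server), an elevated PowerShell session, and that the Application Identity service (AppIDSvc) is running. One caveat the script enforces: once an AppLocker rule collection has any rule, everything not explicitly allowed in that collection is blocked, so the deny rule is only merged when the Exe collection already contains allow rules (for example the default rules created in the AppLocker console).

```powershell
# Added example: create and apply an AppLocker hash-based Deny rule.
# Assumes AppLocker-capable Windows edition, elevated shell, AppIDSvc running.
$blockedBinary = 'C:\path\to\tool.exe'   # placeholder: the binary to block

function New-AppLockerDenyHashPolicyXml {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AppLockerFileInformation returns the SHA256 flat hash AppLocker uses
    $info = Get-AppLockerFileInformation -Path $Path
    $hash = $info.Hash.HashDataString          # "0x..." form expected by the schema
    $len  = (Get-Item $Path).Length
    $name = Split-Path $Path -Leaf
    # S-1-1-0 is the Everyone SID. Emitting only the Exe collection means a
    # merge leaves the other collections (Script, Msi, Dll) untouched.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FileHashRule Id="$([guid]::NewGuid())" Name="Deny $name" Description="Blocked credential-dumping tool" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="$hash" SourceFileName="$name" SourceFileLength="$len" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Test-ExeCollectionHasAllowRules {
    # A collection with only Deny rules blocks every other executable too,
    # so refuse to apply the rule unless allow rules are already in place.
    $existing = [xml](Get-AppLockerPolicy -Local -Xml)
    $exe = $existing.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    return (@($exe.ChildNodes | Where-Object { $_.Action -eq 'Allow' }).Count -gt 0)
}

if (-not (Test-ExeCollectionHasAllowRules)) {
    Write-Warning 'Exe collection has no Allow rules; create the default rules first or everything will be blocked.'
    return
}

$xmlPath = Join-Path $env:TEMP 'deny-tool.xml'
New-AppLockerDenyHashPolicyXml -Path $blockedBinary | Set-Content -Path $xmlPath -Encoding UTF8

# -Merge adds the rule to the existing local policy instead of replacing it
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Verify: Test-AppLockerPolicy reports the decision the effective policy makes
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $blockedBinary -User $env:USERNAME
```

A hash rule only matches that exact build of the binary; a rebuilt or patched copy has a new hash and is not covered. A publisher rule on the signing certificate is broader, and an allow-list policy (only known-good publishers and paths may run) is the configuration that actually makes this class of tool hard to run, which is why the script insists on existing allow rules rather than a standalone deny.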
None of this makes it perfect, but it will make it a bit harder for anyone to exploit you.