
I have the following environment:

DC: Windows Server 2008
Victim: Windows 7
Attacker: Windows 10

Now I compromised the Windows 7 machine somehow, then I loaded mimikatz in Meterpreter. Then, when I type Kerberos, it returns Kerberos credentials in plain text.

I was surprised: how does it return credentials in plain text? And I am also looking for a way to encrypt them.

1 Answer

This is the expected outcome. There are several sources on this:

http://woshub.com/how-to-get-plain-text-passwords-of-windows-users/

For instance, HTTP Digest Authentication, used to support SSO (Single Sign On), needs the user password along with its hash. Encrypted user passwords (passwords, instead of hashes) are stored in OS memory and, to be more specific, in LSASS.EXE process memory. The problem is that password encryption is implemented using the standard Win32 functions LsaProtectMemory and LsaUnprotectMemory, which are used to encrypt/decrypt a certain area of memory. A tool by French developers, mimikatz, allows you to obtain the encrypted data from memory, decrypt it using the LsaUnprotectMemory function and display all accounts of users authorized on the system and their passwords (decrypted, in plain text!).

https://adsecurity.org/?p=556

Since Windows encrypts most credentials in memory (LSASS), they should be protected, but it is a type of reversible encryption (though creds are in clear-text). Encrypt works with LsaProtectMemory and decrypt with LsaUnprotectMemory.

- NT5 encryption types: RC4 & DESx
- NT6 encryption types: 3DES & AES

Mimikatz capabilities:

- Dump credentials from LSASS (Windows Local Security Account database) [sekurlsa module]
  - MSV1.0: hashes & keys (dpapi)
  - Kerberos password, ekeys, tickets, & PIN

And some background info:

https://security.stackexchange.com/questions/38695/preventing-lsass-from-storing-clear-text-passwords-in-kerberos-environment

It is a well known security risk that LSASS stores clear-text passwords if a user has performed a keyboard-interactive logon on a machine - be it local login to his/her workstation or using RDP to a remote workstation.

You can force disable this by using group policies or the registry (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0), but it could break some compatibility.

If your servers (2008) and clients (Win 7) are fully patched, there is also the option of using the Protected Users AD group, which disables this "feature" for the included users.

Lenniey
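As an added example (not from the thread or its author), here is a PowerShell audit script for the WDigest registry value the answer refers to. It reports whether LSASS is still caching reversibly-encrypted logon passwords on this host and, only with `-Remediate`, sets `UseLogonCredential` to 0. The script name and switch are hypothetical; the key path is the one given above. It assumes the host is Windows 7/2008 R2 with the update that added this value, or a later OS where the value is honoured natively.

```powershell
<#
  Audit-WDigest.ps1 (hypothetical name, example code, not the thread's)
  Checks HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential.
  A value of 1 (or an absent value on Windows 7 / 2008 R2) means LSASS keeps the
  logon password in memory in reversible form, which is what mimikatz decrypts.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Audit only by default; -Remediate writes UseLogonCredential = 0.
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName = 'UseLogonCredential'

function Get-WDigestValue {
    # Returns the DWORD, or $null if the key or value is missing.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-WDigestCleartextCaching {
    $value = Get-WDigestValue
    if ($null -ne $value) { return $value -ne 0 }
    # Value absent: fall back on the OS default. 6.3 = Windows 8.1 / Server 2012 R2;
    # from there on the default is "off", older releases default to "on".
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    return $osVersion -lt [version]'6.3'
}

$enabled = Test-WDigestCleartextCaching
$status  = if ($enabled) { 'ENABLED (plaintext passwords recoverable from LSASS)' } else { 'disabled' }
Write-Output ("WDigest cleartext credential caching: {0}" -f $status)

if ($Remediate -and $enabled) {
    # Requires an elevated session; reading above does not.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
        Write-Output 'UseLogonCredential set to 0. Reboot to purge passwords already cached by LSASS.'
    }
}
```

Run it as `.\Audit-WDigest.ps1` to audit, or `.\Audit-WDigest.ps1 -Remediate -WhatIf` to see what it would change before applying it; it does not cover the Protected Users group, which is configured in AD rather than on the endpoint.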