Picture the scene.
You’re logged into your PC and have your best friend over for dinner. You guys go way back to grade school and used to play in the same sandbox. Good friends. Buddies for life. Or so you thought…
After downing a few beers you race to the bathroom and your nefarious friend immediately jumps into the driver’s seat of your computer.
Since you didn’t lock your box he has no problem owning your PC. In minutes he’s disabled your AV program, downloaded an exploitation tool from the internet, executed a PowerShell script and owned all the accounts that ever logged into your computer.
- Your local Administrator account
- Your Microsoft account
- Your wife’s account
- Your son’s account
- And all the other user accounts that ever used the machine
And since people typically use the same password for everything (According to Sophos, 55% to be exact), your duplicitous “friend” now has the keys to multiple kingdoms. For example, if he knows your Gmail address he can attempt to sign in using the password culled from your local and Microsoft accounts.
To top it all off, he’s doing this on your brand spanking new Windows 8.1 PC which has all the updates installed and is running Windows Defender.
So here’s my question: could this really happen?
Yup. And I’m about to walk you through the entire process – step by step. Prepare to be appalled.
For the longest time, I’ve told you how imperative it is to use a password that is both strong and memorable.
Your password must be strong so that it can’t be easily brute forced and memorable so you don’t compromise your password by writing it down.
But what’s the point of using a convoluted password when a determined hacker can bypass these security methods through unconventional means?
Today I’m going to show you how to hack any Windows PC in less than 5 minutes, then I’ll share my recommendations for thwarting this threat in the future. Obviously do not try this on someone in real life – this is purely for educational purposes. I trust my readers aren’t so vile that they would use this to really compromise a friend’s PC.
Okay, are you ready?
Let’s go. Vonnie is about to leave you aghast.
The problem is that Windows stores encrypted user passwords in memory.
Instead of storing a one-way hash, the password itself is reversibly encrypted and left in memory. This is what happens with the Local Security Authority Subsystem Service (LSASS.exe) process. It’s the critical process that manages password changes and authentication.
The fact that the password is encrypted doesn’t really mean anything when you realize its implementation depends on two basic Win32 functions:
- LsaProtectMemory (The encryption function)
- LsaUnprotectMemory (The decryption function)
There’s a hole in the implementation that makes it easy for someone to steal the encrypted passwords from memory and use the LsaUnprotectMemory function to decrypt and display the password in plaintext.
The disquieting part is the entire exploit took me less than 5 minutes to pull off.
This is how I did it.
Poaching Passwords
Go to http://blog.gentilkiwi.com/mimikatz and download the latest mimikatz binary. The blog is in French but it’s pretty obvious where the binary lives.
Plus, this might be a good opportunity for you to learn a new language. So don’t complain – French is the sexiest language on earth so learning this will probably get you a hot wife.
Download, extract and execute the file: mimikatz.exe
Now we need to use PowerShell to dump the contents of memory related to LSASS.exe – but we can’t do that because Windows has no default Cmdlet for pulling this off.
Oh what to do?
Import Matthew Graeber’s Out-Minidump.ps1 from GitHub. Peruse the code by clicking the link so you get a basic understanding about what it does.
The first thing you should do is analyze the PS1 file in detail. The file is littered with comments to make it easier to understand.
I just want you to see why this works rather than just telling you how it works.
Read and proceed.
After you get an idea about what’s happening, right click the link, choose Save link as from the context menu and make sure you save it with the PS1 File (.ps1) file extension. It won’t work if you save it as a .txt file.
Okay, now we need to import the script into PowerShell so we can do our memory dump dance.
Open PowerShell as an Administrator by pressing the Windows Logo Key + q and typing:
powershell
Since PowerShell scripts can completely nuke your system, Windows sagaciously disables such scripts by default.
To change this, we need to temporarily set the Execution Policy to Unrestricted. By the way, after running the script you should change the execution policy back to Restricted.
Type:
Set-ExecutionPolicy Unrestricted
Then import the script by typing a dot followed by the path to your PS1.
. C:\Users\vhudson\Documents\Scripts\PowerShell\Out-Minidump.ps1
In geek speak this is known as “Dot Sourcing” the script and it’s one way to import functions into PowerShell.
You’ll see a fusillade of security warnings – which is good. But that’s why I told you to examine the script first. Never wantonly execute scripts that you find online. Always investigate the code first so you can have some idea what it does.
Press “r” to run the script and then perform the memory dump:
Get-Process lsass | Out-Minidump
The dump is hanging out in %WINDIR%\System32\ but we need to move it to a different location so we can view it. Use the Copy-Item Cmdlet to do that.
Copy-Item .\lsass_516.dmp C:\Users\Vonnie\Documents\Scripts\PowerShell\
Great, now we’re ready to rock.
Flip back over to the mimikatz terminal and load in the LSASS dump we captured in PowerShell.
sekurlsa::minidump C:\Users\Vonnie\Documents\Scripts\PowerShell\lsass_516.dmp
It should switch to the MINIDUMP file so now we can view the passwords.
Now punch in:
sekurlsa::logonPasswords full
Ladies and Gentlemen, what you have before your eyes is my actual Microsoft account password (the username is just two lines up).
In plaintext.
Vulnerable and exposed.
This means someone with this account now has unfettered access to:
- My Skype account
- Outlook.com emails
- Office 365 Subscription
- The Windows Store (they can make purchases)
- All my files, photos, and music sitting in OneDrive
- My XBox Live account
- All my Windows 8.1 desktop and computer settings
- My freggin’ life
If I had other accounts on the system you would see them as well by simply scrolling down.
Do you see how easy it is to p0wn someone? Don’t let this happen to you. Here’s how to protect yourself.
Protect yo’ self before you wreck yo’ self.
There are a few things you can do to prevent this kind of thing.
The easiest is to simply lock your box when you leave your computer. Get into the habit of pressing the Windows Logo Key + l (that’s a lower case “L”) to lock your computer.
You can also configure your screensaver to display a password prompt on resume. Just right click the Desktop, choose Personalize and in the Screen Saver section put a check mark in On resume display logon screen.
You can also thwart the threat by deleting the wdigest line from the SecurityPackages key in
HKLM\System\CurrentControlSet\Control\Lsa
Finally, leaving your antivirus software running would have slowed down the attacker. Of course, if your box is unlocked there’s nothing stopping your assailant from disabling Windows Defender and working around your little registry hack. That’s why you should always lock your box.
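A quick way to check the defenses listed above on your own machine, as an added example that is not part of the original post. It assumes Windows 8.1 or later with the Defender cmdlets present; the `$Fix` switch is my own name, and the registry stores the package list under the value name `Security Packages` (with a space).

```powershell
# Added example, not from the original post. Audits the defenses described above.
# Set $Fix = $true (elevated prompt) to also remove wdigest from the LSA list.
$Fix    = $false
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'Security Packages'   # registry value name (REG_MULTI_SZ), with a space

# 1. Is wdigest still listed as an LSA security package?
$packages   = @((Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name)
$hasWdigest = $packages -contains 'wdigest'   # -contains is case-insensitive

# 2. Does the screensaver demand a password on resume? (per-user setting)
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$lockOnResume = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1')

# 3. Was the execution policy put back to Restricted?
$policy = Get-ExecutionPolicy   # effective policy for this session

# 4. Is Windows Defender real-time protection running?
$mp = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
}
$defenderOn = [bool]($mp -and $mp.RealTimeProtectionEnabled)

$report = @(
    [pscustomobject]@{ Check = 'wdigest absent from Security Packages'; Pass = -not $hasWdigest; Detail = $packages -join ', ' }
    [pscustomobject]@{ Check = 'Screensaver asks for password on resume'; Pass = $lockOnResume; Detail = "ScreenSaverIsSecure=$($desk.ScreenSaverIsSecure)" }
    [pscustomobject]@{ Check = 'Execution policy is Restricted'; Pass = ($policy -eq 'Restricted'); Detail = "$policy" }
    [pscustomobject]@{ Check = 'Defender real-time protection on'; Pass = $defenderOn; Detail = "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)" }
)
$report | Format-Table -AutoSize -Wrap

# Optional fix for check 1: rewrite the list without wdigest.
if ($Fix -and $hasWdigest) {
    $kept = [string[]]@($packages | Where-Object { $_ -and $_ -ne 'wdigest' })
    Set-ItemProperty -Path $lsaKey -Name $name -Value $kept -Type MultiString
    Write-Output "Removed wdigest; remaining packages: $($kept -join ', '). Restart to apply."
}
```

Paste it into a PowerShell prompt as the user whose settings you want to check; any row showing Pass = False is a defense from the list above that is not in place.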
Repeat after me:
- Windows Key + L!
- Windows Key + L!
- Windows Key + L!
The Bottom Line
Lock your box. Period.