Recovering Remote Windows Passwords in Plain Text with WCE

Tuesday, June 05, 2012

Dan Dieterle


I recently talked about recovering Windows passwords remotely in plain text using “Mimikatz”, but it is not the only program that will do it.

One of my favorite security teachers, Professor Sam Bowne at City College of San Francisco, has released a tutorial on using the Windows Credentials Editor (WCE) to do the same thing.

I was following the tutorial and ran into a snag. On my Backtrack machine my Metasploit path is different, even though we are using the same version of Backtrack (5r2), so the directories that are mentioned did not exist on my machine.

Basically I followed the tutorial step by step, but on my machine I had to do two things differently:

  • I needed to copy the wce.rb Ruby script into the “/opt/metasploit/msf3/scripts/meterpreter” directory.
  • I also had to copy wce-x86.exe (or wce-x64.exe if using 64-bit) into the “/opt/metasploit/msf3/data/post” directory.

I am not sure why the paths are different; maybe it is because I was using the “Live” bootable version of Backtrack 5r2.

The tutorial functioned flawlessly after that. After obtaining a remote session using Backtrack’s Social Engineering Toolkit, I ran bypassuac to get System level authority and at the meterpreter prompt simply ran wce.rb.

Two strange things that I noticed were that the username for “Secure_User” was cut off, but the long complex password for the user was indeed correctly recovered, and that the user “Fred” had no password on this test machine, yet WCE mirrored the password for the “Secure_User” account.

Odd, but it did recover the password in plain text.

Mimikatz seems to do a better job at recovering passwords, but WCE is just as easy to use. Both offer other features and functions. I think I like both!

Cross-posted from Cyber Arms

Comment from Dan Dieterle:

Hernan from Amplia Security contacted me as soon as I originally posted this article. As fast as I could run some tests for him, he created a fix for this.

In a test version he sent me, WCE correctly recovered and displayed both users with passwords and those without.

Thanks Hernan, awesome job! :)