As a result of the tests, another colleague, Ramón Pinuaga, wrote an article on the S21sec blog where he commented on the discovery of the tool, the technique it used, and some of the tests we did with it.
Now, a few weeks later, an update to one of my favorite tools, Windows Credential Editor (WCE), created by Hernán Ochoa and available in 32-bit and 64-bit versions, which I have already spoken about on other occasions, incorporates this technique and is able to obtain the credentials in clear text.
From what I have been able to gather from the blog of the author of Mimikatz, from what I know about WCE and from a little bit of IDA, the technique originally used by Mimikatz would be very similar (if not identical) to the one traditionally used by WCE, except that WCE has now been given the ability to query other Security Packages in addition to MSV1_0, specifically WDigest, from which the credentials can be obtained in clear text. The other possibility, obtaining the credentials through Tspkg, has not been implemented, I imagine because it requires the system to be Windows Vista or higher, while in the case of WDigest the technique would work on any computer running Windows XP or higher.
Let's not forget that for these credentials to have been stored in memory, the user must have logged in to the machine physically or through Terminal Server at some point after the last restart of the machine. Authentications over the network would not store this password, since it would not even be transmitted to this computer.
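The condition above can be turned into a triage check for defenders. The following is an added example, not code from the original post or from either tool: it assumes Windows Security event IDs 4608 (system start) and 4624 (successful logon) with logon types 2 and 10 for the two cases named above, and all hosts, accounts and timestamps are constructed.

```python
from datetime import datetime

# Logon types from Windows Security event 4624 that match the two cases the
# post names: physical (console) logon and Terminal Server logon.
CACHING_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive"}

# Constructed sample events: (host, time, event id, account, logon type).
# 4608 = Windows is starting up, 4624 = successful logon, type 3 = network.
SAMPLE_EVENTS = [
    ("SRV01", "2012-03-01T08:00:00", 4608, None, None),
    ("SRV01", "2012-03-01T08:05:00", 4624, "CORP\\alice", 2),
    ("SRV01", "2012-03-01T09:00:00", 4624, "CORP\\backup", 3),
    ("SRV01", "2012-03-02T07:00:00", 4608, None, None),
    ("SRV01", "2012-03-02T07:30:00", 4624, "CORP\\admin", 10),
    ("SRV01", "2012-03-02T07:45:00", 4624, "CORP\\bob", 3),
    ("WS02", "2012-03-02T08:00:00", 4608, None, None),
    ("WS02", "2012-03-02T08:10:00", 4624, "CORP\\carol", 2),
    ("WS02", "2012-03-02T08:20:00", 4624, "CORP\\admin", 3),
]


def exposed_accounts(events):
    """Return {host: {account: logon type name}} for accounts whose password
    may be resident in memory: interactive or Terminal Server logons that
    happened after the host's most recent boot event."""
    parsed = [(h, datetime.fromisoformat(t), eid, acct, lt)
              for h, t, eid, acct, lt in events]
    last_boot = {}
    for host, ts, eid, _, _ in parsed:
        if eid == 4608 and ts > last_boot.get(host, datetime.min):
            last_boot[host] = ts
    result = {}
    for host, ts, eid, acct, lt in parsed:
        if eid != 4624 or lt not in CACHING_LOGON_TYPES:
            continue  # network logons never delivered the password here
        # Logons before the last restart no longer count: memory was cleared.
        if ts < last_boot.get(host, datetime.min):
            continue
        result.setdefault(host, {})[acct] = CACHING_LOGON_TYPES[lt]
    return result


if __name__ == "__main__":
    for host, accounts in sorted(exposed_accounts(SAMPLE_EVENTS).items()):
        for acct, kind in sorted(accounts.items()):
            print(f"{host}: {acct} ({kind}) - rotate if host is compromised")
```

If a host is later found compromised, the accounts this returns for it are the ones whose passwords should be rotated first.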