Internal penetration testing requires security professionals to try and harvest credentials from the memory of compromised devices. If these captured credentials are hashed, the tester can utilise the pass-the-hash technique to laterally move within the network to achieve their objectives.
However, if the tester is able to harvest cleartext credentials from memory or has been able to crack the captured hashes, they can authenticate across other network resources and services such as Outlook, business-critical web applications, device portals, and more.
In this blog, we’ll take a deep dive into one such method used to extract cleartext credentials from memory - WDigest.
Windows XP was the first operating system to introduce the WDigest protocol. This protocol is enabled by default on Windows systems and helps clients authenticate to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications by sending cleartext credentials.
To make this authentication process more convenient for end-users, Microsoft decided to cache the cleartext credentials on Windows memory, when users logged in to their workstations
These cached credentials are later used by workstations to authenticate HTTP and SASL services, without bothering users to enter their credentials repeatedly.
The cleartext credential caching assists a penetration tester a great deal during their internal penetration testing engagement. The tester can use a well-known credential extraction tool, Mimikatz, to target the WDigest protocol.
Over the past few years, Mimikatz has been used intrusively in the wild to access credentials from memory. For that reason, many Anti-Virus (AV) solutions have developed the signatures to restrict this tool from running on systems. However, there are multiple ways to bypass these AV signatures either by running this tool in memory or by obfuscating the tool.
Once the tester has an initial privileged foothold on an internal system within an organisation, Mimikatz can be launched to extract credentials from memory. This can be done using the commands shown below:
These extracted credentials can be either in hashed format or cleartext or both.
If the tester is lucky enough to obtain these credentials in cleartext, cracking hashes is not necessary and will allow direct access to internal resources, bringing attackers closer to achieving their objectives.
Once these weaknesses in the WDigest protocol were disclosed, Microsoft not only released a patch for Windows 8, Windows Server 2012 and earlier version to disable this cleartext credential caching but also disabled it by default on Windows 8.1 and Windows Server 2012 R2 and later versions.
This can be verified by querying this registry key:
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
If the caching is disabled, this is what you should be seeing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential REG_QWORD 0x0
In this scenario, when the penetration tester runs Mimikatz, they will not get the cleartext passwords as shown below:
If an organisation has patched its internal systems to stop caching cleartext credentials in WDigest, the easiest option for a tester to bypass this is to set the aforementioned registry key to enable caching.
This can be done by entering the following command using the privileged shell on the target system:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Using this technique, a tester can easily harvest the cleartext credentials from system memory.
It is evident that patching and disabling the registry value is not going to stop an attacker from targeting an internal system within an organisation to extract cleartext credentials. However, the organisation can implement efficient monitoring to detect these registry changes over the network.
This can be done by monitoring the event ID 4776 in the domain controller and event ID 4624 in Windows systems.
