
NpLogonNotify and clear text Windows passwords


2 replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 17 August 2020 - 08:44 PM

In previous articles (here and here), we have seen that hashed passwords are as good as clear text passwords.

 

Thus, sometimes, it is nice to retrieve passwords at once in clear text. Under Windows, you can register a network provider which will be called every time a user logs on. And the beauty of it is that the credential manager will pass on the username and password in clear text. Of course, you need to be a local admin to do so: we are not talking about escalating privileges here but pivoting/lateral movement.

 

You need to implement 2 functions in your dll, nicely documented by Microsoft (https://docs.microso...i-nplogonnotify).

 

Once done, you can do pretty much what you want from within that function.

I am providing an example here (source code and binary) which will log to a text file the username/password.

setup.cmd will register the dll for you: no reboot needed – at next logon, username/password will be written to c:\nplogon.txt.

 

Microsoft has made great efforts to secure passwords and lsass (notably Credential Guard).

Thus, nowadays, on an O.S. used by multiple users, lateral movement is still hard to prevent.

 

Cheers,

Erwan



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 August 2020 - 08:26 AM

Nice :)

 

No idea what it will be useful for, but nice. 

 

:duff:

Wonko



#3 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 August 2020 - 10:26 AM

Useful?

I am afraid it would mainly be used with bad intentions: password sniffing and lateral movement (a local admin taking over domain admins' rights, for instance).

 

Thus, in a blue team / red team context, it is good to know where the threats are.

That registry key (HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order) should be watched.

 

/Erwan
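
One way to watch the registry key named in the post above, as an added example that is not part of the original thread or the author's code: it compares the `ProviderOrder` entries and each provider's `ProviderPath` against a baseline. The baseline names, the trusted directories and the sample data (including `ExampleProvider`) are assumptions to adjust for your own build.

```python
import ntpath
import sys

ORDER_KEY = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
# Assumptions: baseline provider names and trusted DLL directories; tune per image.
BASELINE = {"rdpnp", "lanmanworkstation", "webclient"}
TRUSTED_DIRS = {r"%systemroot%\system32", r"c:\windows\system32"}
SAMPLE_ORDER = "RDPNP,LanmanWorkstation,ExampleProvider"  # constructed sample
SAMPLE_PATHS = {  # constructed sample, used when not running on Windows
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "ExampleProvider": r"C:\ProgramData\example.dll",  # hypothetical entry
}

def split_order(provider_order):
    return [p.strip() for p in provider_order.split(",") if p.strip()]

def audit_providers(provider_order, provider_paths, baseline=BASELINE):
    """Return (provider, reason) findings for the ProviderOrder entries."""
    paths = {k.lower(): v for k, v in provider_paths.items()}
    findings = []
    for name in split_order(provider_order):
        if name.lower() not in baseline:
            findings.append((name, "not in baseline"))
        path = paths.get(name.lower())
        if not path:
            findings.append((name, "no ProviderPath registered"))
        elif ntpath.dirname(path).lower() not in TRUSTED_DIRS:
            findings.append((name, "DLL outside System32: " + path))
    return findings

def read_live():  # Windows only: reads the live registry values
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ORDER_KEY) as key:
        order = winreg.QueryValueEx(key, "ProviderOrder")[0]
    paths = {}
    for name in split_order(order):
        sub = "SYSTEM\\CurrentControlSet\\Services\\" + name + "\\NetworkProvider"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                paths[name] = winreg.QueryValueEx(key, "ProviderPath")[0]
        except OSError:
            paths[name] = None
    return order, paths

if __name__ == "__main__":
    order, paths = read_live() if sys.platform == "win32" else (SAMPLE_ORDER, SAMPLE_PATHS)
    for name, reason in audit_providers(order, paths):
        print(f"[!] {name}: {reason}")
```

Run it on a schedule and alert on any finding; a baseline name whose DLL path has moved out of System32 is flagged as well as an unknown provider name.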





