  • Stars: 210
  • Rank: 186,772 (Top 4 %)
  • Language: C#
  • Created almost 4 years ago
  • Updated almost 4 years ago

Repository Details

Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon

This tool can extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon. I made this to be used with Cobalt Strike's execute-assembly.

Compiled with .NET 3.0 (Windows Vista's default)+. Needs to be run as SYSTEM, not just as a high-integrity process, because the special registry keys needed are only visible to SYSTEM and can only be decrypted by SYSTEM.

Why?

In order to support Kiosk mode, Windows needs to keep the user's password in a reversible format. This was being kept at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon under "DefaultUserName" and "DefaultPassword". Autologon was updated to store the passwords in the LSA Secrets registry keys, which are only visible to SYSTEM. keithga provided a binary that popped a message but no source code or command-line version.

How it works

Through P/Invoke calls:

  • LsaOpenPolicy()
  • LsaRetrievePrivateData()

Credits

Thanks to those who actually did the work: keithga, frohwalt

Download

Compiled Version HERE

More Repositories

1. Shim-Process-Scanner (C++, 37 stars)
   Windows x64 Process Scanner to detect application compatibility shims

2. EducationalRAT (C#, 22 stars)
   Starting Code for my How to Write Malware 101 Class. This is a Proof of Concept of a C# RAT (Remote Access Trojan) made by Sean Pierce (@secure_sean) to demonstrate to defenders the ease, speed, development goals, and characteristics of common malware. This is for educational use only.

3. sdbScanner (Python, 10 stars)
   Volatility Plugin to scan for shimmed processes in Windows

4. Shim-Process-Scanner-Lite (Batchfile, 8 stars)
   A simple Batch script that prints the processes which contain shimming DLLs

5. Shim-Guard-Lite (PowerShell, 6 stars)
   This program will print out currently installed shims, their locations, install times and will register for events relating to the install of new Shim Databases (SDB files)

6. ServiceSurvey (C#, 5 stars)
   Quick script to enumerate services with particular focus on services listening on network interfaces from user land

7. Shim-Guard (C, 4 stars)
   This program will print out currently installed shims, their locations, install times and will register for events relating to the install of new Shim Databases (SDB files)

8. SecuritySiteSpider (C#, 4 stars)
   This is a PoC that spiders websites and lists security-related information based on their response headers & meta tags and describes the site's security based only on that.

9. SdbIngestModule (Java, 1 star)
   An Autopsy Ingest Module for detecting Shim Database (SDB) files. Autopsy is built on Sleuth Kit

10. PSP (C#, 1 star)
    Personal Security Project - Basic situational awareness for a user on a Windows computer