If you have administrative access to a workstation on which the target user will log on, you can use the aforementioned Windows Credentials Editor to steal the plaintext password, at least on Windows 7. (Windows 8 seems to have disabled the Digest Authentication module that leaks the password.) You'll probably need to disable or add an exception to the antivirus software, or alternatively use a PE packer - WCE is regarded in some places as a hacking tool. (Makes sense.)
Using your form of admin power, be it local or domain (use the ADMIN$ or C$ share), drop the WCE executable and a batch file containing the following somewhere on the target computer:
wce -w > pwd.txt
Open MMC and add the Task Scheduler snap-in pointed at the target computer. Add a scheduled task with the following settings:
- General tab
  - Click "Change User or Group" and select SYSTEM
  - Check "Run with highest privileges"
  - Check "Hidden" if you want to be extra sneaky
- Triggers tab
  - Add a new trigger
  - Pull down "Begin the task" and choose "At log on"
  - Choose "Specific user", then "Change User" specifying the target account
- Actions tab
  - Add a new action
  - Ensure "Start a program" is selected
  - "Browse" to select the batch file
- Conditions tab
  - Uncheck "Start the task only if the computer is on AC power"
- Settings tab
  - Uncheck "Allow task to be run on demand"
  - Uncheck "If the running task does not end when requested, force it to stop"
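From the defender's side, a task built with exactly these settings leaves a distinctive footprint: the task XML (recorded in Security event 4698 when "Audit Other Object Access Events" is on, or exported with schtasks /query /xml) shows a LogonTrigger, a SYSTEM principal with RunLevel HighestAvailable, Hidden set to true and an Exec action pointing at a batch file. The following is an added example, not code from the original post, that scores a task definition on those traits; the sample task XML and the hypothetical path C:\Windows\Temp\run.bat are constructed for illustration.

```python
# Added detection example (not from the original post): flag Task Scheduler
# definitions matching the logon-triggered, hidden, SYSTEM-run batch-file
# pattern described above. Input is the task XML as found in the TaskContent
# field of Security event 4698 or in "schtasks /query /xml" output.
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM")

# Constructed sample (XML declaration omitted so it parses as a str):
# hidden task, fires when CORP\jdoe logs on, runs a batch file as SYSTEM.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>CORP\\jdoe</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\Temp\\run.bat</Command></Exec>
  </Actions>
</Task>"""

def _text(root, path):
    """Text of the first element at a namespaced path, or '' if absent."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""

def task_indicators(task_xml):
    """Return the suspicious traits present in one task definition."""
    root = ET.fromstring(task_xml)
    hits = []
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        hits.append("logon trigger")
    if _text(root, "t:Principals/t:Principal/t:UserId").upper() in SYSTEM_IDS:
        hits.append("runs as SYSTEM")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        hits.append("highest privileges")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        hits.append("hidden")
    cmd = _text(root, "t:Actions/t:Exec/t:Command").lower()
    if cmd.endswith((".bat", ".cmd")):
        hits.append("batch file action: " + cmd)
    return hits

def is_suspicious(task_xml, threshold=4):
    """True when enough traits co-occur to warrant an alert."""
    return len(task_indicators(task_xml)) >= threshold
```

The threshold keeps ordinary logon tasks (a single trait) out of the alert queue; lower it in environments where SYSTEM-run logon tasks are rare.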
EDIT (11/25): Alternatively, you can use PsExec to grab it from an existing session immediately and silently. See the new post.