
How do I get the cleartext passwords of all domain users?

Posted by tzul at 2020-02-24

*Original author of this article: c0debreak. This article belongs to the FreeBuf original award program; reprinting without permission is prohibited.

Brief introduction

Besides Group Policy, Windows lets you plug in your own password policy checks. Abusing this mechanism makes some malicious behaviour possible, and today I'd like to walk through how it works.

When we press Ctrl + Alt + Del to change a user's password, what happens on the Windows server side?

First, the Windows server (domain controller) reads the registry and finds the password filters, that is, the LSA notification packages. It then calls each DLL in turn to check whether the new password conforms to policy.

If the policy is not met, the password is rejected as not strong enough.

By default, a server in the domain carries two DLLs; scecli is the one that enforces the password security policy, which is the familiar GPO password policy.

Our topic today is how to abuse this mechanism: implement a password policy plug-in that records the passwords of all domain users.

Listed companies, in order to meet SOX 404 audit requirements, force a password change every three months, which triggers exactly this mechanism.

According to the official documentation, a password plug-in needs to export three functions.

PasswordFilter is responsible for checking whether the password is compliant; PasswordChangeNotify is executed on the workstation and is responsible for informing the workstation user of the password change.

The final source code and the 64-bit DLL can be downloaded here (compiled with build.cmd).

Install plug-ins

We log in to the domain controller and copy the compiled securefilter.dll into the system32 directory.

Then open the registry and locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.

Add securefilter to that value.

It takes effect after the DC is restarted.
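The installation steps above are also exactly what a defender should audit: an extra entry in the LSA Notification Packages value, backed by a DLL in System32 that Microsoft did not sign. The following PowerShell snippet is an added example written for this page; it is not code from the original article or from the securefilter project. It lists every notification package on the local server, checks whether the DLL exists, reports its Authenticode signer and signature status, and compares the name against an assumed baseline (the $baseline list is an assumption and should be adjusted to what a known-good DC in your environment shows).

```powershell
# Added example (not from the original article): audit LSA notification packages
# on the local server and flag any password filter that is unexpected or unsigned.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumption: names that a known-good domain controller in your environment lists.
# Capture this baseline from a clean DC rather than trusting a hard-coded list.
$baseline = @('scecli', 'rassfm')

function Get-LsaNotificationPackageReport {
    # The value is REG_MULTI_SZ; each entry is a DLL name without the .dll suffix.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in $packages) {
        $dllPath = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $name)
        $exists  = Test-Path -Path $dllPath -PathType Leaf
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

        [pscustomobject]@{
            Package    = $name
            Path       = $dllPath
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            InBaseline = $baseline -contains $name
            # Anything not in the baseline, or not validly signed, deserves a closer look.
            Suspicious = (-not ($baseline -contains $name)) -or (-not $sig) -or ($sig.Status -ne 'Valid')
        }
    }
}

# Usage: run elevated on each domain controller and review the Suspicious column.
Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

Because a newly added package only becomes active after the DC reboots (as the article notes), the window between the registry change and the restart is the best moment to catch it: enabling object access auditing on the Lsa key so that modifications to this value produce an event, and alerting on unplanned DC reboots, turns this audit into a detection rather than a periodic check.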

Actual demonstration

We log in to a workstation and change the password,

then go back to the domain controller and find that the log has been written.

Closing notes

In testing, it makes no difference how the password is changed, whether through OWA or the command line; the effect is the same, and it is also the same on servers that are not domain-joined.

If you want to obtain a user's password immediately, tick "User must change password at next logon" on the domain controller, as shown in the figure:

Reference material
