Description
Dumping LSASS to get passwords, which in the worst case are only hashed… doesn’t have to be!
We demonstrate more sophisticated methods for attackers to obtain cleartext passwords.
In the Windows world, we examine Netfilter, Password Filter, and Security Support Providers, which enable custom DLLs to be loaded to capture passwords in cleartext.
Enabling WDigest or searching for passwords in GPO policies are other successful tactics.
Clear-text passwords can also be hidden within command lines or in password properties.
In the Linux world, we have additional techniques to read cleartext passwords.
We provide examples such as backdooring PAM, SSH, or hooking PHP functions.
After taking over VPN appliances, attackers also like to backdoor the login page to send passwords during login to a domain controlled by the attacker.
In our talk, we present not only individual techniques but also real-world examples from various incident response cases, illustrating how these techniques can be detected in logs and through forensic artifacts.
On one hand, experienced red teamers will learn new techniques; on the other hand, blue teamers can benefit from the detection strategies.
