Author Topic: Windows8 : Logon passwords stores in plain text.  (Read 1807 times)

Offline proxx

Windows8 : Logon passwords stores in plain text.
« on: August 20, 2013, 09:25:20 am »
https://thehackernews.com/2012/10/windows-8-security-flaw-logon-passwords.html

Oops.


Quote
In one of our previous articles, you could read about ways to recover text passwords in Windows without brute-forcing them, locations in the system where text passwords could reside and tools used for the recovery. It turns out the release of Windows 8 is not without another fly in the ointment either. Our experts have discovered a serious flaw in the two new ways of logging on to the system. We are talking about Picture password and PIN.

The matter is that these two authentication methods are based on a regular user account. In other words, the user must first have created an account with a regular password and then optionally switch to PIN or picture password authentication. Notably, the original plain-text (!) password to the account also remains in the system. Once the user has switched to a new authentication method, his text password is encrypted using the AES algorithm and saved to protected Vault storage in the following folder: %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28. This system folder contains Vault records with SIDs and text passwords of all users with active PIN or picture password authentication. The text password is not bound to the PIN or picture password; therefore, any user of the PC with the Administrator privileges can easily recover it (the encryption key is protected with system DPAPI).

[Pic. 1. Decrypting passwords for all users with active PIN or picture password authentication.]

Briefly, Vault can be described as a protected storage for user's private data. Windows Vault emerged with the release of Windows 7 and could store various network passwords. In Windows 8, Vault has extended its functionality; it has become a more universal storage but at the same time lost its compatibility with the previous versions. Thus, the 'old' Vault implements a custom password protection. While in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only. Windows Vault is used by other applications as well. For example, Internet Explorer 10 uses it to store passwords to websites.

Some of our password recovery utilities already implement Windows 8 plain-text password decryption. The upcoming release of Windows Password Recovery is expected to have a full-fledged Vault analyzer and offline decoder.
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Axon

Re: Windows8 : Logon passwords stores in plain text.
« Reply #1 on: August 20, 2013, 10:04:44 am »
Windows is and has been a failed OS since its inception; I'm already suffering from Windows 7 errors.

Offline edu19

Re: Windows8 : Logon passwords stores in plain text.
« Reply #2 on: August 20, 2013, 11:57:19 am »
Anyone with physical access can own the computer by running something under the NT AUTHORITY\SYSTEM account. One can use a USB stick, or CD ROM with software to read and write to/from NTFS partitions; once this person e.g. replaces a file that will run with NT AUTHORITY\SYSTEM privileges on every boot, they will be able to access the passwords, create admin accounts, and even keylog, "screenshot log" the logon password.

The great problem is when a remote vuln is discovered and the machine gets exploited and is running the standard user account (which by default has admin privileges and can bypass UAC). Attacks that require users to have physical access to a machine are considered low risk, although the consequences can be pretty bad.

That's it... simple hehe.

Offline proxx

Re: Windows8 : Logon passwords stores in plain text.
« Reply #3 on: August 20, 2013, 12:05:48 pm »
That's not entirely true.
Passwords are often used across systems, I know many do so.
Having the password or their personal password policy in plain text can pose great risks.
Why do you think databases store them encrypted/encoded? No one should be able to access them, yet they do..
Apart from the fact that there might be multiple accounts.
« Last Edit: August 20, 2013, 12:06:29 pm by proxx »

Offline edu19

Re: Windows8 : Logon passwords stores in plain text.
« Reply #4 on: August 20, 2013, 12:27:01 pm »
Yeah, I know; I was talking about Windows, locally, only. If it exchanges password data with, for instance, websites in unencrypted form then that is really a serious issue, since it could be prone to MITM attacks.

And cryptography doesn't save us 100% unfortunately, since it is about implementation... if an implementation flaw is found, the encrypted data might be recovered. :o

Offline dracula23064

Re: Windows8 : Logon passwords stores in plain text.
« Reply #5 on: August 27, 2013, 01:39:48 pm »
When the lsass.exe is running there are files running that contain plain text passwords. This plain text password can be easily extracted via DLL injection. If you need any more info you can PM me. I'll get back to you as soon as possible.
« Last Edit: August 27, 2013, 01:40:35 pm by dracula23064 »

Offline ki0be

Re: Windows8 : Logon passwords stores in plain text.
« Reply #6 on: September 01, 2013, 12:17:49 am »
Do not get me started on the Windows OS. I'm running on Windows 7 at the minute and I can honestly say that it's the biggest piece of shit going. I'll post a thread on how to tighten your Windows security and link it here soon.