26/03/2012

Windows Credentials Editor

What is WCE?

WCE is the Windows Credentials Editor. It manipulates Windows logon sessions and is considered to be an evolution of the Pass-the-Hash Toolkit by its author, Hernan Ochoa. WCE Internals was presented at RootedCon in Madrid in early 2011. The presentation explains the inner workings of WCE, including how Windows stores credentials in memory before and after Windows Vista.

Post-Exploitation with WCE was presented in July 2011. It is a simple and effective high-level presentation with test cases.

What does WCE do?

  • Lists in-memory logon sessions (it dumps the in-memory usernames and LM & NT hashes)
  • Changes or deletes the NTLM credentials of logon sessions
  • Creates new logon sessions and associates arbitrary NTLM credentials with them

Why WCE is better than Pass the Hash

Feature                                                     WCE     Pass The Hash
Supports Windows Vista/7/2008                               True    False
Single executable                                           True    False
Delete NTLM Credentials                                     True    False
Works with session isolation                                True    False
Programmatic discovery of new LSASRV addresses              True    False
Seamlessly chooses code injection or reading from memory    True    False

    References:
    1. http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
    2. http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf
    3. http://www.twitter.com/hernano
    4. http://www.twitter.com/ampliasecurity
    5. http://www.ampliasecurity.com/blog/