Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/securesean/DecryptAutoLogon

Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
https://github.com/securesean/DecryptAutoLogon

Last synced: 22 days ago
JSON representation

Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon

Host: GitHub
URL: https://github.com/securesean/DecryptAutoLogon
Owner: securesean
Created: 2020-12-03T20:38:59.000Z (about 4 years ago)
Default Branch: main
Last Pushed: 2020-12-05T16:14:28.000Z (about 4 years ago)
Last Synced: 2024-08-05T17:25:26.724Z (4 months ago)
Language: C#
Size: 197 KB
Stars: 211
Watchers: 10
Forks: 32
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - securesean/DecryptAutoLogon - Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon (C# #)

README

This tool can extract/decrypt the password that was stored in the LSA by SysInternals [AutoLogon](https://docs.microsoft.com/en-us/sysinternals/downloads/autologon). I made this to be used with [Cobalt Strike's execute-assembly](https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/):
![execute assembly screen shot](https://github.com/securesean/DecryptAutoLogon/blob/main/DecryptAutoLogon/exe-assm.jpg)
Compiled with .NET 3.0 (Windows Vista's default)+. Needs to be run as SYSTEM. Not just as a high intgrity process because the special registry keys need are only visible to SYSTEM and can only be decyrpted by SYSTEM.

# Why?
In order to support Kiosk mode Windows needs to keep the user's password in a reversable format. This was being kept at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon under "DefaultUserName" and "DefaultPassword" . Autologon was updated to store the passwords in the LSA Secrets registry keys that are only visible to SYSTEM. [keithga ](https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/) provided a binary that popped a Message but no source code or command line version.

# How it works
Through pInvoke calls:
* LSAOpenPolicy()
* LsaRetrievePrivateData()

# Credits
* Reverse Engineered this: https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/
* Copy and Pasted EVERYTHING from here: https://www.pinvoke.net/default.aspx/advapi32/LsaOpenPolicy.html
* Icon from: https://icon-icons.com/icon/lock-secure-password/99595
* SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

So thanks to who actually did the work: keithga, frohwalt

# Download
Compiled Version [HERE](https://github.com/securesean/DecryptAutoLogon/blob/main/DecryptAutoLogon/bin/Release/DecryptAutoLogon.exe)