Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/securesean/DecryptAutoLogon
Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
https://github.com/securesean/DecryptAutoLogon
Last synced: 22 days ago
JSON representation
Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
- Host: GitHub
- URL: https://github.com/securesean/DecryptAutoLogon
- Owner: securesean
- Created: 2020-12-03T20:38:59.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2020-12-05T16:14:28.000Z (about 4 years ago)
- Last Synced: 2024-08-05T17:25:26.724Z (4 months ago)
- Language: C#
- Size: 197 KB
- Stars: 211
- Watchers: 10
- Forks: 32
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - securesean/DecryptAutoLogon - Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon (C# #)
README
This tool can extract/decrypt the password that was stored in the LSA by SysInternals [AutoLogon](https://docs.microsoft.com/en-us/sysinternals/downloads/autologon). I made this to be used with [Cobalt Strike's execute-assembly](https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/):
![execute assembly screen shot](https://github.com/securesean/DecryptAutoLogon/blob/main/DecryptAutoLogon/exe-assm.jpg)
Compiled with .NET 3.0 (Windows Vista's default)+. Needs to be run as SYSTEM. Not just as a high intgrity process because the special registry keys need are only visible to SYSTEM and can only be decyrpted by SYSTEM.# Why?
In order to support Kiosk mode Windows needs to keep the user's password in a reversable format. This was being kept at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon under "DefaultUserName" and "DefaultPassword" . Autologon was updated to store the passwords in the LSA Secrets registry keys that are only visible to SYSTEM. [keithga ](https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/) provided a binary that popped a Message but no source code or command line version.# How it works
Through pInvoke calls:
* LSAOpenPolicy()
* LsaRetrievePrivateData()# Credits
* Reverse Engineered this: https://keithga.wordpress.com/2013/12/19/sysinternals-autologon-and-securely-encrypting-passwords/
* Copy and Pasted EVERYTHING from here: https://www.pinvoke.net/default.aspx/advapi32/LsaOpenPolicy.html
* Icon from: https://icon-icons.com/icon/lock-secure-password/99595
* SysInternals: https://docs.microsoft.com/en-us/sysinternals/downloads/autologonSo thanks to who actually did the work: keithga, frohwalt
# Download
Compiled Version [HERE](https://github.com/securesean/DecryptAutoLogon/blob/main/DecryptAutoLogon/bin/Release/DecryptAutoLogon.exe)