
Password hints easily extracted from Windows 7, 8


Output of a Metasploit Meterpreter session that extracts Windows 7 and Windows 8 password hints.


Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people’s login credentials. Add to that list a password reminder feature built into recent versions of Microsoft’s Windows operating system.

It turns out the password hints for Windows 7 and 8 are stored in the OS registry in a scrambled format that can be easily converted back into human-readable form. That information would undoubtedly be useful to hackers who obtain a password’s cryptographic hash from a targeted computer but are unable to crack it. Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the new Windows behavior, has written a script that automates the attack and added it to Metasploit, an open-source toolkit popular among whitehat and blackhat hackers alike.

The hint is written to the OS registry when a user configures a Windows account to provide a reminder of the password needed to access it. When Claudius first saw the long string of letters and numbers that stored the hint, he thought it had been encrypted. Upon further examination, he learned that an eight-line Ruby script quickly decoded the text chunks.
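To show what “scrambled but not encrypted” means in practice, here is an added Ruby example. It is not Claudius’s script or the Metasploit module, and the article does not spell out the encoding; the example assumes the stored hint is the raw bytes of a UTF-16LE string shown as hex by a registry viewer, and the sample hex string below is constructed for the purpose. The takeaway for administrators and users is that a hint is stored as plain text in all but appearance, so anything written into it should be assumed readable by whoever can read the registry.

```ruby
# Added example: decode a Windows password hint stored as hex-rendered UTF-16LE.
# Assumption (not stated in the article): the "scrambled" hint is the raw
# binary value of a UTF-16LE string, displayed as hex bytes by registry tools.

# Constructed sample: what a registry viewer might show for the hint
# "My favorite color", including a trailing UTF-16 NUL terminator.
SAMPLE_HINT_HEX = "4d 00 79 00 20 00 66 00 61 00 76 00 6f 00 72 00 " \
                  "69 00 74 00 65 00 20 00 63 00 6f 00 6c 00 6f 00 72 00 00 00"

# Returns the human-readable hint, or raises ArgumentError for malformed input.
def decode_password_hint(hex_text)
  # Tolerate the spacing and line breaks registry viewers insert between bytes.
  hex = hex_text.to_s.gsub(/[^0-9a-fA-F]/, "")
  unless (hex.length % 4).zero?
    raise ArgumentError, "hex length must be a multiple of 4 (UTF-16 code units)"
  end
  raw = [hex].pack("H*")                      # hex digits -> bytes
  raw.force_encoding(Encoding::UTF_16LE)      # interpret bytes as UTF-16LE
  raise ArgumentError, "not valid UTF-16LE" unless raw.valid_encoding?
  raw.encode(Encoding::UTF_8).sub(/\u0000+\z/, "")  # drop the NUL terminator
end

# True when the stored form is merely an encoding of readable text rather than
# ciphertext: the decoded value is non-empty and every character is printable.
# Real ciphertext decoded this way would almost never pass this check.
def looks_like_plain_hint?(hex_text)
  decoded = decode_password_hint(hex_text)
  !decoded.empty? && decoded.match?(/\A[[:print:]]+\z/)
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  puts "decoded hint: #{decode_password_hint(SAMPLE_HINT_HEX)}"
  puts "readable text, not ciphertext: #{looks_like_plain_hint?(SAMPLE_HINT_HEX)}"
end
```

Running the file prints the recovered hint; the second function is the quick sanity check a reviewer would apply to any “encrypted-looking” registry value before assuming it is protected.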

“Although this stuff looked a bit unreadable on the surface we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM,” he wrote, referring to the “security accounts manager” section of the registry. “This seems like it would be very helpful for penetration testers by giving them more insight into what the user’s password might be, so I decided to take it one step further.”

The hints are available to anyone who has physical access to a targeted PC, as Microsoft makes clear during the configuration or modification of a Windows account. But until now, those hints provided no help to hackers who use a drive-by website exploit or a similar attack to extract only the underlying password hashes. That is where techniques like this one come in. By revealing the password hint the user selected when creating the account, the technique can surface clues such as “My favorite color” or “My first car” that make all the difference when guessing the password.

