Exploit network clear text Windows 4624 logon type 8 – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by Wel_ok 1 month, 3 weeks ago.

  • #366440

    anonymous
    Participant

    Hi, I’m working with an application that triggers the 4624 logon type 8 Windows event. This means the password is being passed to the authentication package in cleartext, i.e. unhashed. What are suggestions for exploiting this and gaining access to the password?

    In this specific scenario, it’s an app on a server with a service account. The service account is automatically used to run the app daily, triggering the event.
    How does the app know the password of the service account to authenticate? During the initial setup we provided the app the creds, so are they stored in the app somewhere? And is it likely they’re stored in plaintext?

    As a tangential question, for Windows services with the run as account value, how do they have the password for that account to run the service? Are they hard coded into the app?

    Thanks for all the info!

  • #366441

    Wel_ok

    Credentials for service accounts are stored in the local registry, as what’s called “LSA Secrets” in the registry key HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Because the service needs to read the actual password to log in as the service account, that password is in the registry in clear-text.

    https://isc.sans.edu/forums/diary/Pillaging+Passwords+from+Service+Accounts/24886/

    For apps it can be different.
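
A defender-side way to inventory which accounts and processes generate the event discussed in this thread, as an added example that is not part of the original posts: it parses an event export in the Windows event XML layout and reports successful logons (4624) with LogonType 8. The sample events, the account EXAMPLE\svc_app and the application path are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, when, **fields):
    """Build one constructed event record in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')

APP = r"C:\Program Files\ExampleApp\app.exe"  # hypothetical application path
SVC = dict(TargetDomainName="EXAMPLE", TargetUserName="svc_app", LogonType=8,
           LogonProcessName="Advapi", AuthenticationPackageName="Negotiate",
           ProcessName=APP, IpAddress="-")
# Constructed sample export, not real log data.
SAMPLE = "<Events>" + "".join([
    _event(4624, "2024-05-01T02:00:03Z", **SVC),   # daily job, day 1
    _event(4624, "2024-05-02T02:00:04Z", **SVC),   # daily job, day 2
    _event(4625, "2024-05-02T09:12:40Z", **SVC),   # failed logon: not a 4624
    _event(4624, "2024-05-02T09:15:11Z", **{**SVC, "TargetUserName": "alice",
           "LogonType": 3, "AuthenticationPackageName": "NTLM"}),  # ordinary network logon
]) + "</Events>"

def cleartext_logons(xml_text):
    """Return successful logons (4624) whose LogonType is 8 (NetworkCleartext)."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if (ev.findtext("e:System/e:EventID", "", NS) or "").strip() != "4624":
            continue
        d = {x.get("Name"): (x.text or "").strip()
             for x in ev.iterfind("e:EventData/e:Data", NS)}
        if d.get("LogonType") != "8":
            continue
        tc = ev.find("e:System/e:TimeCreated", NS)
        hits.append({"time": tc.get("SystemTime") if tc is not None else None,
                     "account": d.get("TargetDomainName", "") + "\\" + d.get("TargetUserName", ""),
                     "process": d.get("ProcessName", ""),
                     "auth_package": d.get("AuthenticationPackageName", "")})
    return hits

def recurring(hits):
    """Count hits per (account, process) to surface scheduled jobs that log on this way."""
    return Counter((h["account"], h["process"]) for h in hits).most_common()

if __name__ == "__main__":
    for pair, count in recurring(cleartext_logons(SAMPLE)):
        print(count, *pair)
```

Each (account, process) pair it reports is a place where a service-account password is handled in cleartext, which makes the pair a candidate for credential rotation or a change of authentication method.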
