Monday, August 1, 2011

Switching Internet Explorer's NTLM Credentials

I was looking for a way to have Internet Explorer, launched within user1's Windows session, authenticate against NTLM sites and proxies with the credentials of user2.
Using Windows Credentials Editor does work but, as said, it's no production tool.
I also found that using the runas command was problematic because you either create a Windows profile or not:
  • If you do create a profile, that means a profile and corresponding home folder will be created, which might not be desirable.
  • If you do not create a profile, that means user2 cannot save parameters in IE and cannot receive domain policies, bookmarks and so on.
Eventually I found a very short, built-in way to do it:
C:\>runas /netonly /user:my_domain\user2 "C:\Program Files\Internet Explorer\iexplore.exe"

Entrez le mot de passe de my_domain\user2 :
Tentative de lancement de C:\Program Files\Internet Explorer\iexplore.exe en tant qu'utilisateur "my_domain\user2" ...
That runas /netonly command lets you run IE with user1's privileges, profile and bookmarks AND authenticate to remote NTLM sites and proxies as user2.

This command is especially convenient when you want to authenticate to a remote NTLM resource as a given user but do not want to launch a full Windows session just for it.
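For readers who want to see what runas /netonly does under the hood, here is an added PowerShell example (not from the original post) that calls the same Win32 API with the LOGON_NETCREDENTIALS_ONLY flag. It assumes the account my_domain\user2 and the IE path used above; the password is prompted for with Get-Credential and is never stored in the script.

```powershell
# Added example, not from the original post: the Win32 call behind "runas /netonly".
# LOGON_NETCREDENTIALS_ONLY starts the process under the caller's own token (user1's
# profile and privileges) but hands the supplied credentials to the network providers,
# so NTLM sites and proxies see user2. Account and IE path are the ones from the post.
Add-Type -Namespace Win32 -Name NetOnly -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
    public int dwX; public int dwY; public int dwXSize; public int dwYSize;
    public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute;
    public int dwFlags; public short wShowWindow; public short cbReserved2;
    public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION {
    public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId;
}
public const int LOGON_NETCREDENTIALS_ONLY = 0x2;   // the flag runas /netonly uses
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
    string lpUsername, string lpDomain, string lpPassword, int dwLogonFlags,
    string lpApplicationName, string lpCommandLine, int dwCreationFlags,
    IntPtr lpEnvironment, string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$cred = Get-Credential -UserName 'my_domain\user2' -Message 'Credentials used for network authentication only'
$domain, $user = $cred.UserName -split '\\', 2

$si = New-Object -TypeName 'Win32.NetOnly+STARTUPINFO'
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object -TypeName 'Win32.NetOnly+PROCESS_INFORMATION'

$ok = [Win32.NetOnly]::CreateProcessWithLogonW(
    $user, $domain, $cred.GetNetworkCredential().Password,
    [Win32.NetOnly]::LOGON_NETCREDENTIALS_ONLY,
    $null, '"C:\Program Files\Internet Explorer\iexplore.exe"',
    0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)

if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CreateProcessWithLogonW failed: $(New-Object ComponentModel.Win32Exception $err)"
}
"Started PID $($pi.dwProcessId): local token of $env:USERNAME, network credentials of $domain\$user"
# The child keeps its own handles; release the copies returned to us.
[void][Win32.NetOnly]::CloseHandle($pi.hThread)
[void][Win32.NetOnly]::CloseHandle($pi.hProcess)
```

Because the logon is network-only, Windows does not verify the password at launch time; a mistyped password only shows up later as a failed NTLM authentication at the remote site or proxy.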

Review: Windows Credentials Editor (WCE)

Windows Credentials Editor is a small tool by Hernan Ochoa (Amplia Security) that lets you view and modify the NTLM credentials stored in memory at runtime (NTLM sites, MS proxies, file server shares, etc.).

You can view NTLM credentials stored in memory, in hashed form:
C:\WCE>wce -l

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

my_user:my_domain:5E53612123437E22AAD12355B514EFEE:0235140F7474D2831690CE67D9AF535
my_pc$:my_domain:00000000000000000000000000000000:74B8A99562B6D50F5C7331248EB9511F

You can generate hashes for a password:
C:\WCE>wce -g my_passwd

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: my_passwd
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F

And you can switch credentials! To change the current user:
C:\WCE>wce -g new_user_password

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: new_user_password
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F

C:\WCE>wce -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!
All applications that rely on NTLM to authenticate the current user will now use the new credentials!

You can also explicitly specify which credentials to modify, which is useful if you have many NTLM credentials in use:
C:\WCE>wce -i old_user -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!

All this makes WCE a great tool for understanding and debugging NTLM applications. Many thanks to Hernan Ochoa for the tool!

This is not a production tool for two major reasons:
  1. Most antivirus products consider switching NTLM credentials an attack.
  2. WCE requires local administrative privileges.
Apart from that, it's been stable and functional as many times as I've used it.