Monday, August 1, 2011

Review: Windows Credentials Editor (WCE)

Windows Credentials Editor is a small tool by Hernan Ochoa (Amplia Security), allowing to view and modify the NTLM credentials stored in memory at runtime (NTLM sites, MS proxies, fileserver shares, etc).

You can view NTLM credentials stored in memory, in hashed form:
C:\WCE>wce -l

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

my_user:my_domain:5E53612123437E22AAD12355B514EFEE:0235140F7474D2831690CE67D9AF535
my_pc$:my_domain:00000000000000000000000000000000:74B8A99562B6D50F5C7331248EB9511F
You can generate hashes for a password:
C:\WCE>wce -g my_passwd

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: my_passwd
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
And you can switch credentials! To change the current user:
C:\WCE>wce -g new_user_password

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: new_user_password
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F

C:\WCE>wce -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!
All applications that rely on NTLM to authenticate the current user will now use the new credentials!
You can also explicitly specify which credentials to modify, which is useful if you have many NTLM credentials in use:
C:\WCE>wce -i old_user -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!
All this makes WCE a great tool to understand and debug NTLM applications. A great many thanks to Hernan Ochoa for the tool!

This is not a production tool for two major reasons:
  1. Most antivirus do consider switching NTLM credentials as an attack.
  2. WCE requires local administrative privileges.
Apart from that, it's been stable and functional as many times as I've used it.