Windows password decryption possible from dump files, mounting offline partitions

An attacker could extract your Windows password without even having write access to a computer, provided they have this new tool.

A new exploit could steal encrypted Windows password files
Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A password recovery tool called LaZagneForensic can extract encrypted passwords from Windows with only a dump file or by mounting a drive.
  • Because it takes advantage of the way Windows' built-in password management is designed there's no way to stop an attack like it, except to avoid using default password management options and choosing a password manager instead.

A Windows password decryption tool called LaZagne has received a boost in its capabilities with a new component called LaZagneForensic (LZF), and what it's now capable of should alarm anyone who uses a Windows computer.

The original LaZagne, which can extract passwords stored on a Windows PC without needing the master Windows password, required an attacker to have access to a PC with a user signed in in order to execute commands.

What makes LaZagne particularly dangerous is that it can decrypt passwords secured by the Windows Data Protection API (DPAPI) without having the actual password to the Windows account signed in to the computer, thanks to the CryptUnprotectData function. Despite that, it still requires a user to have access, either locally or remote, to an unlocked Windows machine.

LZF, however, can extract much (but not all) of the same data using dump files from the target computer or by mounting the target hard disk to another computer.

LZF could be a security threat because, as its creator Alessandro Zanni said, if Windows (and by extension LaZagne) can get a password in plain text then so can an attacker.

SEE: Securing Windows policy (Tech Pro Research)

How LaZagneForensic exposes a security headache

Passwords stored on a Windows computer are encrypted using a key derived from the password of the account that created them. Once a user is logged in, the stored passwords are decrypted so the user has access to them.

That's where LaZagne does its business: A user is logged in, so it sneaks in and steals the decrypted passwords and turns them into plain text.

But when an attacker is only able to gain read access, or if there's no user signed in, the passwords are encrypted and nothing can be done to decrypt them since Windows credentials are needed to do so.

LZF doesn't need Windows credentials or write access, at least for some passwords, as indicated in the image below. (Zanni said this isn't a complete list.)

Image: GitHub/Alessandro Zanni

Any apps labeled No are vulnerable to LZF because they have their own methods of encrypting passwords, which can be broken by LZF.

To make LZF more threatening, it automatically checks to see if any of the passwords it discovers is also a Windows password, which would give it access to the entire list contained in the dump file or on the mounted drive it scans.

SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)

Protecting against LaZagneForensic and similar attacks

What LZF uses to steal passwords is a hole in Windows security that can give an attacker unprecedented access to a machine. Zanni said that there's really no way to protect against it either--if a password is stored on a Windows host device using default methods, he said, it's as good as exposed.

Zanni's recommendation is to never use the default method of storing passwords and instead to rely on a password manager. Web browsers, OS keychains, email clients, and other applications that store passwords, but aren't specifically built to do so, are at risk.

IT teams should make sure users aren't storing sensitive passwords in any of the sources mentioned in the image above, and if possible, businesses should mandate password managers for use by everyone who has an account with privileged access.

Also see