This script would allow red teams get windows passwords in cleartext which can be useful in pentest engagements. I would like to thank Grzegorz Tworek for adding my poweshell script to his github page :)
The entire project was written by Grzegorz Tworek and can be downloaded from https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Now we have everything in place let’s see how we can get passwords in clear text and there is no reboot required :)
- Download the script from the link above.
2) Copy the NPPSPY.dll to C:\Windows\System32\ directory.
3) Then add the following registry keys
Or you can use the ConfigureRegistrySettings.ps1 script (by @LadhaAleem)
https://github.com/gtworek/PSBits/blob/master/PasswordStealing/NPPSpy/ConfigureRegistrySettings.ps1
After running the powershell script we are ready to get passwords . All passwords will be stored in the text file no matter how complex the password is. The text file can be saved to any location. For this the text file was saved in the C:\NPPSpy.txt This can be changed to any location
Screenshot of the passwords saved in cleartext. Even if the user changes their password it will be saved in the text file. Screenshot Below.
There is a script as well for the blue team as well to detect this.
The script reads information about network providers (possibly acting as password sniffers) from registry, and displays it . Each entry is checked for binary signature and DLL metadata and no admin privileges needed
https://github.com/gtworek/PSBits/blob/master/PasswordStealing/NPPSpy/Get-NetworkProviders.ps1
Hope this will help both the red and blue teams
The author has many projects in his github profile and has been useful in my pentest engagements feel free to checkout his amazing work.