Passwordfilters in Windows
Password Filter
- A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority. – http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882%28v=vs.85%29.aspx
- The purpose for this hook into the LSA is to create custom filters when users change password. Want some specific “default for your company” password filtered out? Want a custom RegEx next to Microsoft’s Complexity Requirements? Want to setup a real ugly sync passwords to another database? Or do you just want access to plaintext passwords? Than this is the way to go…But you can also do other stuff with it, because: “hey! a cleartext pasword!” :-p
Next piece of code doesn’t work, but also talks about the idea: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
And this blogpost tries to fix what the previous one couldn’t do: http://www.phocean.net/2013/10/02/password-stealing-using-a-password-filter.htmlAnyway, code is visualcpp,
Most code (pretty much everyting) came from devx, who did a great job with his article: http://www.devx.com/security/Article/21522 !
Next functions are called by the OS when a users changes a password:
BOOLEAN PasswordFilter( _In_ PUNICODE_STRING AccountName, _In_ PUNICODE_STRING FullName, _In_ PUNICODE_STRING Password, _In_ BOOLEAN SetOperation );
NTSTATUS PasswordChangeNotify( _In_ PUNICODE_STRING UserName, _In_ ULONG RelativeId, _In_ PUNICODE_STRING NewPassword );
BOOLEAN InitializeChangeNotify(void);
Visual studio 2013 project to download: https://www.mendelonline.be/downloader/?file=passwordfilterregex.zip
The only thing this code does, is write out the cleartext password to a textfile… Just a proof of concept of what you can do of course… Rest is for you guys to code 😉
..::Mendel's Weblog::.. 