WDigest: Clear-Text Passwords in Memory

What is it?

WDigest.dll was introduced in the Windows XP operating system. The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges, as documented in RFCs 2617 and 2831.

Many people think of Digest Authentication as a protocol that is used with Web browsers for authenticating users browsing the Internet. However, Digest Authentication is also a general purpose protocol that can be used for authentication, and by using SASL, it can provide integrity protection. For example, you can use Digest Authentication for:

  • Authenticated client access to a Web site
  • Authenticated client access using SASL
  • Authenticated client access with integrity protection to a directory service using LDAP

Why is it bad?

The problem with WDigest is that it stores passwords in memory in clear-text and it does this whether you use it or not. WDigest cannot function unless the password is kept in memory in clear-text, so its impossible to fix if you use WDigest. The following OS’s are impacted: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008R2, and Windows Server 2012.

Example

Below is an example of running WDigest on Windows Server 2008 R2 using Meterpreter. The red arrow points to the user’s passwords, which can now be used to pivot to other machines and possibly other networks (password reuse anyone?).

Before Fix

After Fix

How to Fix it

Before disabling WDigest, first, make sure your environment isn’t using it by looking at your servers and domain controllers logs or SIEM for event id 4776 and 4624. More info can be found at the bottom of this link. I haven’t come across an app yet that uses WDigest. If you have seen WDigest still in use today, please contact me or post below. After you’ve verified WDigest isn’t in use in your environment follow the recommendations below:

Windows Server 2008: Remove WDigest from \HKLM\System\CurrentControlSet\Control\Lsa\Security Packages and then reboot the server.

Before

After removal and rebooting

 

Windows Server 2008 R2-2012, Windows 7, Windows 8: Download and install KB2871997 and then create/set UseLogonCredential = dword:00000000 in \HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest

Windows Server 2012 R2-2016: WDigest is disabled by default, do nothing 🙂

Summary

If you can, disable WDigest across your entire environment from workstations to servers to domain controllers. The fixes are fairly straight forward and work every time. Credential harvesting has been big in the past and will definitely be big in the future as seen in the Petya malware. I will soon post an article on how to stop NTLM hashes from being kept in memory, so stay tuned! If you have questions, please post below or message me directly. Thanks for reading and I hope this helps!

Sources

KB2871997

What is Digest Authentication?

Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1

Leave a Reply