Powershell - Reveal Windows Memory Credentials

The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 - 32 and 64 bits, Windows 8 and Windows 10 Home edition).

It works even if you are on another architecture than the system targeted.

Features

• it's fully PowerShell
• it can work locally, remotely or from a dump file collected on a machine
• it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
• it does not use the operating system .dll to decypher passwords collected --> it is does in the PowerShell (AES, TripleDES, DES-X)
• it breaks undocumented Microsoft DES-X
• it works even if you are on a different architecture than the target
• it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?

1) Retrieve remotely:

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter] 

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump "lsass.dmp" and don't enter the name for the option you enter, only the directory !) :

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter] 

3) Locally :

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

Download & read more at

Windows Powershell

Rated 4.7/5 based on 2569 reviews