Powershell - Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)
It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 - 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features
- it's fully PowerShell
- it can work locally, remotely or from a dump file collected on a machine
- it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
- it does not use the operating system .dll to decypher passwords collected --> it is does in the PowerShell (AES, TripleDES, DES-X)
- it breaks undocumented Microsoft DES-X
- it works even if you are on a different architecture than the target
- it leaves no trace in memoryless
How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]
2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump "lsass.dmp" and don't enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]
3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]Windows Powershell
Rated 4.7/5 based on 2569 reviews
