PowerMemory v-0.4 released - Exploit the credentials present in files and memory.

PowerMemory v-0.4 released – Exploit the credentials present in files and memory.

Latest Change 28/11/2015;
+ RWMCRS VERSION-2 : Reveal Windows Memory Credentials from a Root Shell
+ Reveal credentials from Windows Memory version 4.
+ Scan-SPN.ps1 : Scan services in a windows domain with SPN
+ bufferCommand.txt : RWMCRS added
+ Utils.ps1 : Set-RegistryKey allows for the configuration of a registry setting.
+ RECON : RWMCRS added.

GWMD: Dump Like Microsoft

GWMD: Dump Like Microsoft

Inside Folder :
– EYLR:Elevate-YourRightsMan.ps1; For Bypass-UAC.
– GWMD: Wanna-DumpLikeMicrosoft.ps1; WMI Remote Process.
– RGPPP: Get-LocalAdminGPPAccess.ps1: get Decrypt Password.
– RWMC: Powershell – Reveal Windows Memory Credentials

Powershell – Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)PowerMemoryv-4

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

How To Install:

Download: PowerMemory.zip(14.2 MB)  | Clone Url
Source : https://github.com/giMini | Our Post Before