PowerMemory v1.3

PowerMemory v1.3 – Exploit the credentials present in files and memory.

Changelog PowerMemory v1.3:
* Power-Escalate added
* Menu modified
* Bugs correction

PowerMemory v1.3

PowerMemory v1.3

Main Menu v1.3:
What do you want assess?
1) Reveal memory passwords
2) Local escalation attempt
3) Get McAfee passwords 🙂
4) Active Directory assessment
5) Scan services network
6) Get all the Ticket (to be cracked with kerberoast)
7) Fun with Winmine
0) Exit

powermemory v1.2

powermemory v1.2

GWMD: Dump Like Microsoft

GWMD: Dump Like Microsoft

Inside Folder :
– EYLR:Elevate-YourRightsMan.ps1; For Bypass-UAC.
– GWMD: Wanna-DumpLikeMicrosoft.ps1; WMI Remote Process.
– RGPPP: Get-LocalAdminGPPAccess.ps1: get Decrypt Password.
– RWMC: Powershell – Reveal Windows Memory Credentials
– RECON: Audit a Windows Active Directory domain

Powershell – Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)PowerMemoryv-4

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

How To Install:

Download: PowerMemory.zip  | Clone Url
Source : https://github.com/giMini | Our Post Before