heh, delicious

----- Forwarded message from Salcocho Noticioso <feedblas...@hcg.sld.cu> -----

   Date: Tue, 09 Feb 2016 23:09:13 -0500
   From: Salcocho Noticioso <feedblas...@hcg.sld.cu>
   To: laz...@hcg.sld.cu
   Subject: Powershell - Reveal Windows Memory Credentials [The World of IT & Cyber Security: ehacking.net]
   X-Mailer: feedblaster.rb - ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux]

Powershell - Reveal Windows Memory Credentials

The purpose of this script is to make a proof of concept of how to retrieve
Windows credentials with PowerShell and CDB Command-Line Options (Windows
Debuggers).
It allows retrieving credentials from Windows 2003 to 2012 and Windows 10 (it
was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 - 32 and 64 bits,
Windows 8 and Windows 10 Home edition).
It works even if you are on a different architecture from the targeted system.

Features

  • it's fully PowerShell
  • it can work locally, remotely or from a dump file collected on a machine
  • it does not use the operating system .dll to locate credential addresses in
    memory but a simple Microsoft debugger
  • it does not use the operating system .dll to decipher the collected passwords
    --> it is done in PowerShell (AES, TripleDES, DES-X)
  • it breaks undocumented Microsoft DES-X
  • it works even if you are on a different architecture than the target
  • it leaves no trace in memoryless


How to use it for Windows 2012R2 or Windows 10?

1) Retrieve remotely:

* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you
can execute the script with this option (note: name your lsass dump "lsass.dmp"
and, at the prompt, enter only the directory, not the file name):

* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally:

* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

Download & read more at


----- End forwarded message -----
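The forwarded article describes a tool that reads LSASS memory, live or from an lsass dump, using a Microsoft debugger instead of the OS DLLs. From the defender's side the common signal for this whole class of tool is the same: some process opens a handle to lsass.exe with memory-read rights. The following is an added example, not code from the article or from the RWMC script, showing that check over Sysmon Event ID 10 (ProcessAccess) records. The records are constructed here in a simplified "Key=Value;Key=Value" form rather than an exact Sysmon export, and the allowlist of benign source images is an assumption to be tuned per environment.

```python
"""Flag handle opens against lsass.exe with memory-read rights.

Added example (not part of the forwarded article or the RWMC script).
Input lines are constructed in a simplified "Key=Value;..." form that
mirrors the Sysmon Event ID 10 fields SourceImage, TargetImage and
GrantedAccess; a real deployment would feed exported Sysmon events instead.
"""

# Bit of the access mask that permits reading the target's memory
# (PROCESS_VM_READ). Any mask with this bit set is enough to pull secrets
# from LSASS, whatever else is OR'ed into it.
PROCESS_VM_READ = 0x0010

# Source images that legitimately touch lsass.exe on a typical host.
# Assumption: tune this per environment; everything else reading LSASS
# memory is reported.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records (not real telemetry). The second and third
# lines imitate a debugger and a PowerShell host reading LSASS memory.
SAMPLE_EVENTS = [
    "EventID=10;SourceImage=C:\\Windows\\System32\\svchost.exe;"
    "TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1410",
    "EventID=10;SourceImage=C:\\Tools\\cdb.exe;"
    "TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1FFFFF",
    "EventID=10;SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1010",
    "EventID=10;SourceImage=C:\\Windows\\explorer.exe;"
    "TargetImage=C:\\Windows\\System32\\notepad.exe;GrantedAccess=0x1FFFFF",
    "EventID=1;Image=C:\\Windows\\System32\\cmd.exe",
]


def parse_event(line):
    """Split one 'Key=Value;Key=Value' record into a dict (malformed parts ignored)."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def reads_lsass_memory(event):
    """True when the record is a ProcessAccess event on lsass.exe whose
    granted access includes PROCESS_VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        access = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return bool(access & PROCESS_VM_READ)


def suspicious_lsass_access(lines):
    """Return (source_image, granted_access) for every LSASS memory read
    that did not come from an allowlisted source image."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not reads_lsass_memory(event):
            continue
        source = event.get("SourceImage", "").lower()
        if source in BENIGN_SOURCES:
            continue
        hits.append((source, event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS memory read by {source} (GrantedAccess={access})")
```

The allowlist matters more than the mask check: system components do open lsass.exe with read rights, so alerting on the mask alone is noisy, while alerting only on well-known tool names misses a debugger copied under another name. When the credentials are pulled from a dump file instead, the same event fires on the host at the moment the dump is taken, so the detection covers the "dump" mode of the article as well as the "local" and "remote" ones. As a mitigation rather than a detection, enabling LSA protection (RunAsPPL) or Credential Guard denies non-protected processes this kind of handle in the first place.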

-- 
-------- Warning! ------------
100,000 broom bristles were
successfully inserted
into your USB port.


______________________________________________________________________
Mailing list of the Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l
