heh, tasty stuff

----- Forwarded message from Salcocho Noticioso <feedblas...@hcg.sld.cu> -----

Date: Tue, 09 Feb 2016 23:09:13 -0500
From: Salcocho Noticioso <feedblas...@hcg.sld.cu>
To: laz...@hcg.sld.cu
Subject: Powershell - Reveal Windows Memory Credentials [The World of IT & Cyber Security: ehacking.net]
X-Mailer: feedblaster.rb - ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux]

Powershell - Reveal Windows Memory Credentials

The purpose of this script is to make a proof of concept of how to retrieve Windows credentials with PowerShell and CDB Command-Line Options (Windows Debuggers). It allows retrieving credentials from Windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 - 32 and 64 bits, Windows 8 and Windows 10 Home edition). It works even if you are on another architecture than the system targeted.

Features
• it's fully PowerShell
• it can work locally, remotely or from a dump file collected on a machine
• it does not use the operating system .dll to locate the credentials address in memory but a simple Microsoft debugger
• it does not use the operating system .dll to decipher the passwords collected --> it is done in PowerShell (AES, TripleDES, DES-X)
• it breaks undocumented Microsoft DES-X
• it works even if you are on a different architecture than the target
• it leaves no trace in memory

How to use it for Windows 2012R2 or Windows 10?

1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with this option (! name your lsass dump "lsass.dmp" and don't enter the name for the option you enter, only the directory !):
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

Download & read more at Windows Powershell

----- End forwarded message -----

--
-------- Warning! ------------
100,000 broom bristles were successfully inserted into your USB port.
______________________________________________________________________
Mailing list of the Free Technologies Users Group of Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l