Published on January 3rd, 2017 | 1,064 views
Exploit the Credentials Present in Files and Memory: PowerMemory
PowerMemory is a PowerShell post-exploitation tool. It uses Microsoft binaries and therefore is able to execute on a machine, even after the Device Guard Policies have been set. In the same way, it will bypass antivirus detection. PowerMemory can retrieve credentials information and manipulate memory. It can execute shellcode and modify process in memory (in userland and kernel land as a rootkit). PowerMemory will access everywhere in user-land and kernel-land by using the trusted Microsoft debugger aka cdb.exe which is digitally signed.
PoweMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition.
- fully PowerShell
- it can work locally, remotely or from a dump file collected on a machine
- it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
- it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
- it breaks undocumented Microsoft DES-X
- it works even if you are on a different architecture than the target
- it leaves no trace in memoryless
How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script * Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter] * serverName [enter]
2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script * Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter] * d:\directory_of_the_dump [enter]
3) Locally :
* Launch the script * Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]
Never ever give administrator access to your user
Always audit what you sysadmin or provider are doing on your systems To run effectively this script you need two things :
To run effectively this script you need :
- PowerShell 3
- Allow PowerShell script on you machine, example : Set-ExecutionPolicy Unrestricted -force
- An Internet connection
- The script was tested on a 7 and on a 8 machine to retrieve password from Windows Server 2003,2008R2,2012,2012R2,7 and 8 and 10.
Get local Administrator password from Group Policy Preferences
Launch Get-LocalAdminGPPAccess.ps1 script