
Published on January 3rd, 2017

Exploit the Credentials Present in Files and Memory: PowerMemory

PowerMemory is a PowerShell post-exploitation tool. It uses only Microsoft binaries and is therefore able to execute on a machine even after Device Guard policies have been set; for the same reason it bypasses antivirus detection. PowerMemory can retrieve credential information and manipulate memory. It can execute shellcode and modify processes in memory (in user land, and in kernel land as a rootkit). PowerMemory accesses everything in user land and kernel land through the trusted, digitally signed Microsoft debugger, cdb.exe.

PowerMemory was tested on Windows Server 2003, 2008R2, 2012 and 2012R2, on Windows 7 (32- and 64-bit), and on Windows 8 and Windows 10 Home edition.


Features:

  • fully PowerShell
  • it can work locally, remotely or from a dump file collected on a machine
  • it does not use the operating system .dll to locate the credential addresses in memory, only a simple Microsoft debugger
  • it does not use the operating system .dll to decipher the collected passwords; that is done in PowerShell (AES, TripleDES, DES-X)
  • it breaks the undocumented Microsoft DES-X
  • it works even if you are on a different architecture than the target
  • it leaves no trace in memory


How to use it for Windows 2012R2 or Windows 10?

1) Retrieve remotely:

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter] 

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with the dump option. Note: name your lsass dump "lsass.dmp" and, when prompted, enter only the directory, not the file name:

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter] 

3) Locally :

* Launch the script 
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]


Never ever give administrator access to your users.

Always audit what your sysadmins or providers are doing on your systems.
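As an added example on the auditing side (not part of the original post or of the PowerMemory project), a small Python check that flags, in Sysmon-style process-creation events, the pattern the tool relies on: a PowerShell host launching the signed debugger cdb.exe, a debugger command line that references lsass or a dump file, and the execution-policy change mentioned below. The event lines, hostnames, paths and PIDs are constructed for illustration; field names follow the shape of Sysmon Event ID 1.

```python
import json
from typing import Iterable, List, Tuple

# Constructed Sysmon-style ProcessCreate (Event ID 1) records, for illustration only.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 1, "Computer": "ws01", "Image": "C:\\Debuggers\\x64\\cdb.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "cdb.exe -p 612 -cf C:\\tmp\\script.txt"}
{"EventID": 1, "Computer": "ws02", "Image": "C:\\Debuggers\\x64\\cdb.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "cdb.exe -z D:\\dumps\\lsass.dmp"}
{"EventID": 1, "Computer": "ws03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe Set-ExecutionPolicy Unrestricted -force"}
{"EventID": 1, "Computer": "dev01", "Image": "C:\\Debuggers\\x64\\cdb.exe", "ParentImage": "C:\\Program Files\\devenv.exe", "CommandLine": "cdb.exe -p 4312"}
"""

PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Return the findings for one process-creation event (empty list if nothing matched)."""
    findings: List[str] = []
    if event.get("EventID") != 1:
        return findings
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    if image == "cdb.exe":
        # The signed debugger is rare on hosts that are not developer machines.
        findings.append("signed debugger cdb.exe started")
        if parent in PS_HOSTS:
            findings.append("cdb.exe spawned by a PowerShell host")
        if "lsass" in cmd or ".dmp" in cmd:
            findings.append("debugger command line references lsass or a dump file")
    if image in PS_HOSTS and "set-executionpolicy" in cmd and "unrestricted" in cmd:
        findings.append("PowerShell execution policy set to Unrestricted")
    return findings


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Parse JSON event lines and return (computer, findings) for every event that matched."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            alerts.append((event.get("Computer", "?"), findings))
    return alerts


if __name__ == "__main__":
    for computer, findings in scan(SAMPLE_EVENTS.splitlines()):
        print(computer, "->", "; ".join(findings))
```

A lone cdb.exe start on a developer workstation (dev01 above) is expected noise; the combination with a PowerShell parent or an lsass reference is what deserves triage.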


To run this script effectively you need:
  • PowerShell 3
  • PowerShell scripts allowed on your machine, for example: Set-ExecutionPolicy Unrestricted -force
  • An Internet connection
  • The script was tested on a Windows 7 and on a Windows 8 machine to retrieve passwords from Windows Server 2003, 2008R2, 2012 and 2012R2 and from Windows 7, 8 and 10.


Get local Administrator password from Group Policy Preferences

Launch Get-LocalAdminGPPAccess.ps1 script


https://github.com/giMini/PowerMemory
