PowerMemory, how to extract credentials present in files and memory

Pierluigi Paganini August 31, 2015

This post explains how to use the PowerMemory script to reveal the passwords used by users of the computers running under Windows systems.


Any actions and or activities related to the material contained within this blog is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.
This script is published for educational use only. I am no way responsible for any misuse of the information.
This article is related to Computer Security and I am not promote hacking / cracking / software piracy.
This article is not a GUIDE of Hacking. It is only provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorised access. However you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.

Today I want to present a powerful script dubbed PoweMemory that allows pen testers to extract user credentials present in memory and files. PoweMemory is a script developed by Pierre-Alexandre Braeken to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers). It works on Windows OS from Windows 2003 to 2012 and according to the author it is able to retrieve credentials also from Windows 10.

PoweMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition.

+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless



The steps necessary to use PoweMemory and retrieve user credentials are:

1) Download the tool
2) Extract the files contained in the ZIP archive
3) Execute PowerShell with Administrator Rights
4) Prepare your environment (Enter this command : “Set-ExecutionPolicy Unrestricted -force”and press Enter)
5) Open the tool into PowerShell (Browse to the place where you extract the tool you download in step 1 and click on Reveal-MemoryCredentials.ps1 and then on Open).
6) Launch the tool
7) Get password

resultWindows8 PowerMemory

The PowerMemory tool is available for download at PowerMemory.zip(1.32 MB)  | Clone Url
meanwhile its source is available on GitHub https://github.com/giMini,

Pierluigi Paganini

(Security Affairs – hacking , PowerMemory)

you might also like

leave a comment