Categories: Breaking NewsHacking

PowerMemory, how to extract credentials present in files and memory

This post explains how to use the PowerMemory script to reveal the passwords used by users of the computers running under Windows systems.


Any actions and or activities related to the material contained within this blog is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.
This script is published for educational use only. I am no way responsible for any misuse of the information.
This article is related to Computer Security and I am not promote hacking / cracking / software piracy.
This article is not a GUIDE of Hacking. It is only provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorised access. However you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.

Today I want to present a powerful script dubbed PoweMemory that allows pen testers to extract user credentials present in memory and files. PoweMemory is a script developed by Pierre-Alexandre Braeken to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers). It works on Windows OS from Windows 2003 to 2012 and according to the author it is able to retrieve credentials also from Windows 10.

PoweMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition.

+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless


The steps necessary to use PoweMemory and retrieve user credentials are:

1) Download the tool
2) Extract the files contained in the ZIP archive
3) Execute PowerShell with Administrator Rights
4) Prepare your environment (Enter this command : “Set-ExecutionPolicy Unrestricted -force”and press Enter)
5) Open the tool into PowerShell (Browse to the place where you extract the tool you download in step 1 and click on Reveal-MemoryCredentials.ps1 and then on Open).
6) Launch the tool
7) Get password

The PowerMemory tool is available for download at MB)  | Clone Url
meanwhile its source is available on GitHub,

Pierluigi Paganini

(Security Affairs – hacking , PowerMemory)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs…

4 hours ago

China-linked APT group uses new Macma macOS backdoor version

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) Evasive Panda has been spotted using an…

14 hours ago

FrostyGoop ICS malware targets Ukraine

In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with Industrial Control Systems…

1 day ago

Hackers abused swap files in e-skimming attacks on Magento sites

Threat actors abused swap files in compromised Magento websites to hide credit card skimmer and…

1 day ago

US Gov sanctioned key members of the Cyber Army of Russia Reborn hacktivists group

The US government sanctioned two Russian hacktivists for their cyberattacks targeting critical infrastructure, including breaches…

2 days ago

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

2 days ago

This website uses cookies.