Today I want to present a powerful script dubbed PoweMemory that allows pen testers to extract user credentials present in memory and files. PoweMemory is a script developed by Pierre-Alexandre Braeken to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers). It works on Windows OS from Windows 2003 to 2012 and according to the author it is able to retrieve credentials also from Windows 10.
PoweMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless
The steps necessary to use PoweMemory and retrieve user credentials are:
1) Download the tool
2) Extract the files contained in the ZIP archive
3) Execute PowerShell with Administrator Rights
4) Prepare your environment (Enter this command : “Set-ExecutionPolicy Unrestricted -force”and press Enter)
5) Open the tool into PowerShell (Browse to the place where you extract the tool you download in step 1 and click on Reveal-MemoryCredentials.ps1 and then on Open).
6) Launch the tool
7) Get password
The PowerMemory tool is available for download at PowerMemory.zip(1.32 MB) | Clone Url
meanwhile its source is available on GitHub https://github.com/giMini,
(Security Affairs – hacking , PowerMemory)