Disclaimer
Any actions and/or activities related to the material contained within this blog are solely your responsibility. The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges are brought against any individuals misusing the information on this website to break the law.
This article explains how to use my PowerShell tool to reveal the passwords used by users of computers running Windows 2003, 2008R2, 2012, 2012r2, Windows XP, 7 (32 and 64 bits), 8, and 8.1.
This script is published for educational use only. I am in no way responsible for any misuse of the information.
This article is related to computer security and I do not promote hacking / cracking / software piracy.
This article is not a GUIDE to hacking. It only provides information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorised access. However, you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.
Steps below are :
1) Get the tool
2) Extract the files in the ZIP
3) Launch PowerShell with Administrator Rights
4) Prepare your environment
5) Open the tool into PowerShell
6) Launch the tool
7) Get Windows 7/Windows server 2008 password
1) Get the tool
The first step is to download the tool. You can get it from the official GitHub repository: https://github.com/giMini/RWMC
Simply click on the download ZIP button at the bottom right of the screen :
2) Extract the files in the ZIP
Right-click on the RWMC-master.zip file you just downloaded (we assume you downloaded it into d:\download) and then click Extract All...
Click the Extract button.
You'll get a folder RWMC-master with the tool.
The files which are in the folder :
3) Launch PowerShell with Administrator Rights
First step: update your PowerShell version on the Microsoft website: https://www.microsoft.com/en-ca/download/details.aspx?id=40855
Choose the right version:
- Windows 7 SP1
  - x64: Windows6.1-KB2819745-x64-MultiPkg.msu
  - x86: Windows6.1-KB2819745-x86.msu
- Windows Server 2008 R2 SP1
  - x64: Windows6.1-KB2819745-x64-MultiPkg.msu
- Windows Server 2012 / Windows 8
  - x64: Windows8-RT-KB2799888-x64.msu
Once your computer is up-to-date, go to C:\Windows\System32\WindowsPowerShell\v1.0 and then right click on powershell_ise.exe
PowerShell Starting...
And your PowerShell opens !
4) Prepare your environment
Enter this command : "Set-ExecutionPolicy Unrestricted -force"
and press Enter
5) Open the tool in PowerShell
Browse to the place where you extracted the tool you downloaded in step 1. In this example, it is under d:\download\RWMC-master\RWMC-master\Reveal-MemoryCredentials. Click on Reveal-MemoryCredentials.ps1 and then on Open.
If all went well, you should get this result (the script is opened in PowerShell) :
6) Launch the tool
Great! Now we can launch the script to reveal the Windows passwords of all the users who have logged on to the machine (as long as the machine has not been rebooted since).
Click on the green arrow (or press F5 on your keyboard).
You'll get two warnings, click Run Once each time :
If you see the white Rabbit, you passed the previous steps :-)
7) Get Windows passwords
a) At the prompt, enter the option "local" (to get the passwords on this computer)
...and get the passwords !
Finally, a window opens with all the passwords found on the machine!
b) Remotely
c) From a dump
- 1 = Windows 7 - 64 bits / 2008r2
- 132 = Windows 7 - 32 bits
- 2 = Windows 8/2012
- 2r2 = Windows 10/2012r2
- 8.1 = Windows 8.1
- 3 = Windows XP/2003
Enjoy !
\
\ /\ Follow the white Rabbit :-)
( ) Pierre-Alexandre Braeken
.( @ ).
Invoke-Item : Application not found
At C:\Users\Administrator\Desktop\RWMC-master\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:1222 char:1
+ Invoke-Item $logPathName
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-Item], Win32Exception
+ FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.InvokeItemCommand
Corrected (remove invoke-item, used notepad command).
If you download the package on GitHub, you will get the corrected version.
Windows server 2012 R2
Thanks, but how can I hack a password remotely ("another machine on the same network")?
Retrieve remotely:
Example:
Launch the script
1) Mode (1, 132, 2, 2r2 or 3)?: 2r2 [enter]
2) [enter]
3) YourServerName [enter]
I already tried it before asking; I tried all modes and tried the computer name and also the full computer name:
===============
Please check the error:
http://im63.gulfup.com/rAwIKK.jpg
As the error said: The network path was not found. It seems the script cannot find the computer name you gave.
How can I resolve this error?
Screenshot from System Information:
http://im56.gulfup.com/4W2DRe.png
Code corrected !
New error after Process to create on Domain is C:\Windows\temp\dp.exe lsass c:\windows\temp
Successfully launched C:\Windows\temp\dp.exe lsass c:\windows\temp on Domain with a process id of 812
http://im43.gulfup.com/amviDe.jpg
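From the defender's side, the remote launch reported in the comment above (an executable started from C:\Windows\temp with lsass as its argument) shows up in process-creation logging. The following is an added example, not part of the original post or of RWMC: the function name and event records are constructed for illustration, and the WmiPrvSE.exe parent is an assumption based on the script's use of WMI against remote computers.

```powershell
# Constructed process-creation records with the fields a Sysmon Event ID 1
# (or Security 4688 with command-line auditing) record carries.
# Only the dp.exe command line comes from the comment above; host names,
# the other rows and the WmiPrvSE.exe parent are assumptions.
$records = @(
    [pscustomobject]@{ Computer = 'SRV01'; Image = 'C:\Windows\System32\lsass.exe'
        CommandLine = 'C:\Windows\system32\lsass.exe'
        ParentImage = 'C:\Windows\System32\wininit.exe' }
    [pscustomobject]@{ Computer = 'SRV01'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c ipconfig /all'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe' }
    [pscustomobject]@{ Computer = 'SRV02'; Image = 'C:\Windows\temp\dp.exe'
        CommandLine = 'C:\Windows\temp\dp.exe lsass c:\windows\temp'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe' }
)

# Hypothetical helper: scores one record against three independent indicators.
function Get-LsassDumpIndicator {
    param([Parameter(Mandatory)] [psobject] $Record)
    $reasons = New-Object System.Collections.Generic.List[string]
    # -match is case-insensitive, so C:\Windows\temp and c:\windows\Temp both hit.
    if ($Record.Image -match '^[a-z]:\\windows\\temp\\') {
        $reasons.Add('executable started from Windows\Temp')
    }
    # lsass as an argument (preceded by whitespace), not lsass.exe itself starting.
    if ($Record.CommandLine -match '\slsass(\.exe)?(\s|$)') {
        $reasons.Add('lsass named as a command-line argument')
    }
    if ($Record.ParentImage -match '\\wmiprvse\.exe$') {
        $reasons.Add('parent is WmiPrvSE.exe (process created through WMI)')
    }
    [pscustomobject]@{
        Computer    = $Record.Computer
        CommandLine = $Record.CommandLine
        Score       = $reasons.Count
        Reasons     = $reasons -join '; '
    }
}

# A single indicator is common on busy servers; alert when two or more coincide.
$records | ForEach-Object { Get-LsassDumpIndicator -Record $_ } |
    Where-Object { $_.Score -ge 2 } |
    Format-List
```

Only the SRV02 record is reported, with all three reasons. Against live data the same function can be fed records built from Get-WinEvent output, and the threshold of 2 is a starting point to tune.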
The result showed only "????????" characters, could anyone help to advise ? Thx!
Why not use the Microsoft supported and approved Windows Sysinternals PSTools
PsTools - https://technet.microsoft.com/en-us/sysinternals/bb896649
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsPing - measure network performance
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
Hi all,
when I run the script it stays put in: Getting Triple DES Key. Running.......
Could you help me?
Regards.
Same, here I noticed that it is trying to open another script and I see a bunch of red lines of code errors but it disappears too quickly.
Please download the last version here : https://github.com/giMini/RWMC
I have the latest version and I'm still stuck on getting triple DES keys.
Not sure if it's relevant but the how-to says the "run-once" should pop up twice. I only get one popup.
What is your operating system ?
Can you run this and post the result ?
(Get-WmiObject Win32_OperatingSystem).version
and
(Get-WmiObject Win32_OperatingSystem).OSArchitecture
On a separate PC I'm getting this error. Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:644 char:29
+ $operatingSystem = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
+ FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'version' cannot be found on this object. Verify that the property exists.
At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:644 char:9
+ $operatingSystem = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:645 char:29
+ $osArchitecture = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
+ FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'OSArchitecture' cannot be found on this object. Verify that the property exists.
At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:645 char:9
+ $osArchitecture = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
The operating system could not be determined... terminating...
Script terminating...
================================================================================================
There are multiple reasons why this can happen. It is a configuration issue and not a script issue. Also, it would be impossible for you on this machine to query WMI object. 0x800706BA This indicates that the Remote Procedure Call service on the remote machine couldn't be contacted. Things to consider:
* machine doesn't have WMI running
* RPC problem
* firewall problem
When I run the script I got error
Enter menu number and press : 1
Registry key setted, you have to reboot the local computer
Script terminating...
================================================================================================
PS C:\WINDOWS\system32>
Not an error. You just have to reboot the computer and relaunch the script.
Hi,
This script shows an error "This script need an internet connection to run" when executed. What does it do with the internet connection?
Thanks,
Nag
It retrieves Microsoft symbols.
Brilliant script and great instructions! Worked a treat and showed me the administrator password but what I needed was a list of end user passwords (well one in particular) and the script doesn't seem to do this? It is a Windows 2008 R2 server but it is not part of a domain. Can you advise please. Thanks Blue
Sorted it - so sorry. It is clearly using volatile memory/caching of credentials when a user logs in but will not retrieve their password if the server has been rebooted/they haven't logged in. Makes perfect sense and a pretty impressive piece of work if I might say so! Thanks you are the man :-) Blue
I have an error showing "The operating system could not be determined"
Which is your operating system ?
I used this brilliant script on my laptop (Windows 10 64 bits) and it worked, I had to reboot but it worked.
However, on my desktop computer (same OS) it didn't. It shows "The operating system could not be determined... terminating...
Script terminating..."
I ran the script without a wifi connection, but then I enabled it and ran the script again, and that error was shown.
How can i solve it?
Can you post the result of this :
1) (Get-WmiObject Win32_OperatingSystem).version
and
2) (Get-WmiObject Win32_OperatingSystem).OSArchitecture
不能对 Null 值表达式调用方法。
所在位置 W:\打包\PowerMemory\trunk\RWMC\supportedOS\Get-InformationsFromSupportedOS.ps1:273 字符: 9
+ $lp = $lp.Substring(6,2)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [],RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
使用“2”个参数调用“ToInt32”时发生异常:“索引超出范围。必须为非负值并小于集合大小。
参数名: startIndex”
所在位置 W:\打包\PowerMemory\trunk\RWMC\supportedOS\Get-InformationsFromSupportedOS.ps1:274 字符: 9
+ $numberBytes = [int][Math]::Ceiling([System.Convert]::ToInt32 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentOutOfRangeException
nice
"The script need an Internet Connection to run
Script terminating..."
Could you help me with this issue? (Windows 10, I get this after I rebooted). It also broke my Windows start menu