Thursday, 2 July 2015

Powershell - Reveal Windows Memory Credentials


Any actions and/or activities related to the material contained within this blog are solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this website to break the law.

This script is published for educational use only. I am in no way responsible for any misuse of the information.

This article is related to computer security, and I am not promoting hacking, cracking or software piracy.

This article is not a GUIDE to hacking. It only provides information about the legal ways of retrieving passwords. You shall not misuse the information to gain unauthorised access. However, you may try these techniques on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.

The beginning

I looked at the work of Benjamin DELPY on his tool mimikatz.

I wanted to check whether it was possible to decrypt the passwords with PowerShell.

The goal was to do it in PowerShell alone, without calling any system DLLs to decrypt the passwords.

What the script can do (get Windows passwords from memory)

The script does not rely on system DLLs to decrypt data. All the decryption is done in the script itself.

The script can reveal any password from 2003 to 2012 (tested on Windows 2003, 2008R2, 2012, Windows 7 and Windows 8).

It can reveal local passwords, passwords from a memory dump you took, or passwords from a remote host.

The script is a proof of concept of how to retrieve Windows credentials with PowerShell and the CDB command-line debugger (Windows Debuggers).

It works even if you run it on a different architecture than the targeted system.

My main purpose is to help you prevent this type of attack against your network. To avoid these attacks, you need to understand how important it is to segregate the rights you give to people, including SysAdmins and anyone else who works on your network.

Do not grant a right before you are sure it does not open a breach in your network.

Don't give your users too many (administrator, debug) rights.

Audit, audit, audit.
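One way to put that audit into practice, as an added example that is not part of the original post or its script: list the accounts that hold the debug right the post warns about (SeDebugPrivilege) on a host, and flag anything beyond the Windows default of BUILTIN\Administrators. It assumes an elevated PowerShell 3.0 or later session and uses only the built-in secedit.exe.

```powershell
# Added example, not code from the original post. Exports the local security
# policy with secedit.exe and reports who holds SeDebugPrivilege.
function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignments to a temporary .inf file.
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

        # The relevant line looks like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }

        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
        foreach ($entry in $entries) {
            if ($entry -like '*S-1-*') {
                # A leading '*' marks a SID; translate it to an account name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                # Some entries are written as plain account names.
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Report every holder, and warn about anything other than the default
# BUILTIN\Administrators (S-1-5-32-544): those are the grants to review.
$holders = Get-DebugPrivilegeHolders
$holders | Format-Table -AutoSize
$holders | Where-Object { $_.Sid -ne 'S-1-5-32-544' } |
    ForEach-Object { Write-Warning ("Non-default SeDebugPrivilege holder: {0}" -f $_.Account) }
```

Run it across your servers (for example through Invoke-Command) to get an inventory of who can debug processes, which is the kind of right the post says should be kept to a minimum.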


PowerShell and the CDB command-line debugger (Windows Debuggers)

Retrieve logins and passwords from memory, locally and remotely
Triple DES decryption
AES decryption
DES-X decryption

The demo
The code is quick and dirty, as befits a POC.

   \ /\     Follow the white Rabbit :-)
   ( )
.( @ ).

Powershell - Reveal Windows Memory Credentials :

Thanks to Benjamin Delpy for his work with mimikatz and Francesco Picasso for his work on DES-X.

3 comments:

  1. Hello,
    What are the prerequisites on a machine to test this script?

  2. Hello,

    To test the script, you need:

    * PowerShell 3.0
    * To allow PowerShell scripts on your machine: Set-ExecutionPolicy Unrestricted -force
    * An Internet connection.

    The script was tested from Windows 7 and Windows 8 to retrieve passwords coming from Windows Server 2003, 2008R2, 2012, Windows 7 and 8.

    To run this script effectively you need:

    * PowerShell 3
    * To allow PowerShell scripts on your machine, for example: Set-ExecutionPolicy Unrestricted -force
    * An Internet connection
    The script was tested on a Windows 7 and on a Windows 8 machine to retrieve passwords from Windows Server 2003, 2008R2, 2012, 7 and 8.