PowerMemory v1.3 – Exploit the credentials present in files and memory.

Changelog PowerMemory v1.3:
* Power-Escalate added
* Menu modified
* Bugs correction

PowerMemory v1.3

Main Menu v1.3:
What do you want assess?
1) Reveal memory passwords
2) Local escalation attempt
3) Get McAfee passwords
4) Active Directory assessment
5) Scan services network
6) Get all the Ticket (to be cracked with kerberoast)
7) Fun with Winmine
0) Exit

powermemory v1.2

GWMD: Dump Like Microsoft

Inside Folder :
– EYLR:Elevate-YourRightsMan.ps1; For Bypass-UAC.
– GWMD: Wanna-DumpLikeMicrosoft.ps1; WMI Remote Process.
– RGPPP: Get-LocalAdminGPPAccess.ps1: get Decrypt Password.
– RWMC: Powershell – Reveal Windows Memory Credentials
– RECON: Audit a Windows Active Directory domain

Powershell – Reveal Windows Memory Credentials
The purpose of this script is to make a proof of concept of how retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers)

It allows to retrieve credentials from windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).
It works even if you are on another architecture than the system targeted.
Features:
+ it’s fully PowerShell
+ it can work locally, remotely or from a dump file collected on a machine
+ it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
+ it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
+ it breaks undocumented Microsoft DES-X
+ it works even if you are on a different architecture than the target
+ it leaves no trace in memoryless

How to use it for Windows 2012R2 or Windows 10?
1) Retrieve remotely:
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): remote [enter]
* serverName [enter]

2) From a dump: if you have to dump the lsass process of a target machine, you can execute the script with option ( ! name you lsass dump “lsass.dmp” and don’t enter the name for the option you enter, only the directory !) :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): dump [enter]
* d:\directory_of_the_dump [enter]

3) Locally :
* Launch the script
* Local computer, Remote computer or from a dump file ? (local, remote, dump): local [enter]

How To Install:

Download zip file, right click extract all file into your Folder
Open PowerShell ISE
Enter this command : Set-ExecutionPolicy Unrestricted -force

Download: PowerMemory.zip  | Clone Url
Source : https://github.com/giMini | Our Post Before