PowerMemory is a powerful script which allows pen testers to extract user credentials present in memory and files. This handy script is developed by Pierre-Alexandre Braeken and it  explains how to retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers). 

Features of PowerMemory

According to the author It works on all versions of Windows OS i.e Windows 2003 to 2012 and also Windows 10.
PowerMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition and found successful.
It has got some stunning features.

  • It is fully PowerShell based. 
  • it can work locally, remotely or from a dump file collected on a machine
  • it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger
  • it does not use the operating system .dll to decypher passwords collected –> it is does in the PowerShell (AES, TripleDES, DES-X)
  • it breaks undocumented Microsoft DES-X
  • it works even if you are on a different architecture than the target
  • it leaves no trace in memory analysis.

How To Use PowerMemory And retrieve Credentials?

1) Download the tool
2) Extract the files contained in the ZIP archive
3) Execute PowerShell with Administrator Rights
4) Prepare your environment (Enter this command : “Set-ExecutionPolicy Unrestricted -force”and press Enter)
5) Open the tool into PowerShell (Browse to the place where you extract the tool you download in step 1 and click on Reveal-MemoryCredentials.ps1 and then on Open).
6) Launch the tool
7) Get password

The PowerMemory tool is available for download at PowerMemory.zip(1.32 MB)
 Source is available on GitHub https://github.com/giMini

Post a Comment