PowerMemory is a FOSS yet powerful script that lets pen testers extract user credentials present in memory and in files, using PowerShell on Windows.
PowerMemory is a powerful script that lets pen testers extract user credentials present in memory and in files. This handy script was developed by Pierre-Alexandre Braeken, and the project documents how to retrieve Windows credentials with PowerShell and the command-line options of CDB (the Microsoft console debugger from the Debugging Tools for Windows).
Features of PowerMemory
According to the author, it works on all versions of Windows from Windows Server 2003 through Windows Server 2012, and also on Windows 10.
PowerMemory was tested successfully on Windows Server 2003, 2008 R2, 2012 and 2012 R2, on Windows 7 (32- and 64-bit), on Windows 8 and on Windows 10 Home edition.
Its main capabilities are listed below.
Types of Attacks possible using PowerMemory
User land attacks
Once the debugger has been initialized, PowerMemory drives it from PowerShell: the script sends debugger commands and parses the output rather than reading process memory through its own API calls.
Features of User Land Attacks
- It is entirely written in PowerShell.
- It works both locally and remotely.
- It can obtain the passwords of virtual machines it has no access to (works for Hyper-V and VMware).
- It uses a Microsoft-signed debugger, rather than the operating system's own DLLs, to locate the addresses of the credentials in memory.
- It does not rely on the operating system's DLLs to decrypt the passwords it collects (no API calls).
- PowerMemory maps the memory keys and decrypts everything itself (AES, Triple DES, DES-X).
- It breaks Microsoft's undocumented DES-X.
- It works even if your architecture differs from the target's architecture, and, according to the author, it leaves no traces in memory.
- It can manipulate memory to fake the behaviour of software and of the operating system.
- It can write to memory to execute shellcode without any API calls; it only sends bytes to be written at specific addresses.
- A PowerShell Empire module has been integrated.
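The mechanism behind the "Microsoft-signed debugger" feature above, and the PowerShell-to-debugger interaction described under user land attacks, is simply a PowerShell process launching cdb.exe with a command string and capturing its output. The script below is an added illustration of that plumbing, not code from the PowerMemory project. Assumptions: the Debugging Tools for Windows are installed at the Windows Kits path below, and the target is a throw-away PowerShell child process that the script starts itself, chosen so the demo is harmless (PowerMemory applies the same idea to the process that holds the credentials).

```powershell
# Added example (not PowerMemory's own code): drive cdb.exe from PowerShell.
# Assumption: cdb.exe lives at the standard Windows Kits 10 path. Adjust if not.
$cdb = "${env:ProgramFiles(x86)}\Windows Kits\10\Debuggers\x64\cdb.exe"
if (-not (Test-Path $cdb)) {
    throw "cdb.exe not found at '$cdb'. Install the Debugging Tools for Windows."
}

function Invoke-CdbCommand {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $Command
    )
    # -pv : attach non-invasively (read-only view of the target's memory)
    # -p  : PID to attach to
    # -c  : debugger commands to run at start; "q" ends the session afterwards
    # The debugger, not this script, is what touches the target's memory.
    & $cdb -pv -p $ProcessId -c "$Command;q" 2>&1
}

# Hypothetical target: a separate, idle PowerShell process we own.
$target = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList '-NoProfile', '-Command', 'Start-Sleep -Seconds 120' `
    -WindowStyle Hidden -PassThru
Start-Sleep -Milliseconds 500   # let it load its modules

try {
    # "lm" lists loaded modules with their start/end addresses.
    $raw = Invoke-CdbCommand -ProcessId $target.Id -Command 'lm'

    # Keep only the module-table lines: <start> <end> <name> ...
    $modules = $raw | Where-Object { $_ -match '^[0-9a-f`]+\s+[0-9a-f`]+\s+\S+' }
    Write-Host "cdb reported $($modules.Count) modules in PID $($target.Id):"
    $modules | Select-Object -First 10
}
finally {
    Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue
}
```

The point of the exercise is that the script never calls OpenProcess or ReadProcessMemory itself; everything that touches the target is done by a signed Microsoft binary, which is exactly why tooling built this way looked unremarkable to many signature-based defences of the time. Any debugger command (a memory dump with `db`, a symbol lookup with `x`) can be substituted for `lm` in the `-Command` argument.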
Advanced shellcode creation
- PowerMemory executes code in a remote process without calling any injection API: the shellcode bytes are written directly to chosen addresses in the process's memory through the debugger.
Attacks on hypervisors
A hypervisor (VMware or Microsoft Hyper-V) operator who has no access to the virtual machines the hypervisor manages is, in the author's words, the most powerful person in any organisation: with PowerMemory they can obtain the passwords of all the virtual machines, and the same idea extends to obtaining Domain Admin credentials.
Kernel land Attacks
PowerMemory modifies kernel structures in order to abuse the operating system's own capabilities, either to achieve advanced persistence or to elevate privileges.
Weaponization in the real world
You can leave Wonderland and launch a crafted, advanced attack with PowerShell Empire as the delivery vector, using the module that is currently being integrated.
How to use PowerMemory and retrieve credentials
- Download the tool.
- Extract the files contained in the ZIP archive.
- Run PowerShell with administrator rights (reading another process's memory requires it).
- Prepare your environment: enter the command "Set-ExecutionPolicy Unrestricted -force" and press Enter. This changes the policy machine-wide; if you only need it for this session, "Set-ExecutionPolicy Unrestricted -Scope Process -Force" is the narrower choice.
- Open the tool in PowerShell: browse to the folder where you extracted the archive in step 1, select Reveal-MemoryCredentials.ps1 and click Open.
- Launch the tool.
- Read the recovered passwords.
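The steps above, as one script that can be pasted into an elevated PowerShell console. This is an added example and not part of the PowerMemory project; it assumes the ZIP was extracted to C:\Tools\PowerMemory (a hypothetical path) and locates Reveal-MemoryCredentials.ps1 by searching that folder, so it does not depend on the archive's internal layout. The execution-policy change is limited to the current process and the downloaded files are unblocked, which are the two things that most often stop a freshly downloaded script from running.

```powershell
# Added example (not PowerMemory's own code): the how-to steps as a script.
# Assumption: the archive was extracted to the hypothetical folder below.
$toolDir = 'C:\Tools\PowerMemory'

# Step 3: make sure we are running elevated, because the tool reads another
# process's memory through the debugger.
$principal = [Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell as Administrator and run this again.'
}

# Step 4: relax the execution policy for this process only, rather than
# machine-wide as the article's one-liner does.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# Files that came from a browser carry a Zone.Identifier stream which makes
# PowerShell refuse to run them under RemoteSigned; clear it on the whole tree.
Get-ChildItem -Path $toolDir -Recurse -File | Unblock-File

# Step 5: find the entry script wherever it sits inside the extracted tree.
$entry = Get-ChildItem -Path $toolDir -Recurse -Filter 'Reveal-MemoryCredentials.ps1' |
    Select-Object -First 1
if (-not $entry) {
    throw "Reveal-MemoryCredentials.ps1 not found under $toolDir; check the extraction."
}

# Step 6: launch the tool from its own folder (it prompts interactively).
Push-Location $entry.DirectoryName
try {
    & $entry.FullName
}
finally {
    Pop-Location
}
```

Keeping the policy change at process scope means nothing is left behind once the console is closed; if you do use the machine-wide command from the article, remember to set the policy back afterwards.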