Image Credits: https://github.com/giMini





PowerMemory is a powerful script which allows pen testers to extract user credentials present in memory and files. This handy script is developed by Pierre-Alexandre Braeken and it explains how to retrieve Windows credentials with Powershell and CDB Command-Line Options (Windows Debuggers).





Features of PowerMemory





According to the author, It works on all versions of Windows OS i.e Windows 2003 to 2012 and also Windows 10.

PowerMemory was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition and found successful.

It has got some stunning features.









It is fully PowerShell based.

it can work locally, remotely or from a dump file collected on a machine

it does not use the operating system .dll to locate credentials address in memory but a simple Microsoft debugger

it does not use the operating system .dll to decypher passwords collected –> it is done in the PowerShell (AES, TripleDES, DES-X)

it breaks undocumented Microsoft DES-X

it works even if you are on a different architecture than the target

it leaves no trace in memory analysis.





How To Use PowerMemory And retrieve Credentials?









1) Download the tool

2) Extract the files contained in the ZIP archive

3) Execute PowerShell with Administrator Rights

4) Prepare your environment (Enter this command: “Set-ExecutionPolicy Unrestricted -force” and press Enter)

5) Open the tool into PowerShell (Browse to the place where you extract the tool you download in step 1 and click on Reveal-MemoryCredentials.ps1 and then on Open).

6) Launch the tool

7) Get password









Also Read: Windows Mount Manager Bug