Saturday 25 July 2015

How to reveal Windows passwords?

Hi!
Disclaimer
Any actions and/or activities related to the material contained within this blog are solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors will not be held responsible in the event any criminal charges are brought against any individuals misusing the information in this website to break the law.
This script is published for educational use only. I am in no way responsible for any misuse of the information.
This article is related to computer security and I do not promote hacking / cracking / software piracy.
This article is not a GUIDE to hacking. It only provides information about legal ways of retrieving passwords. You shall not misuse the information to gain unauthorised access. However, you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.
This article explains how to use my PowerShell tool to reveal the passwords used by users of computers running Windows 2003, 2008 R2, 2012, 2012 R2, Windows XP, 7 (32 and 64 bits), 8, and 8.1.

The steps below are:
1) Get the tool
2) Extract the files in the ZIP
3) Launch PowerShell with Administrator rights
4) Prepare your environment
5) Open the tool in PowerShell
6) Launch the tool
7) Get Windows 7 / Windows Server 2008 passwords

1) Get the tool

The first step is to download the tool. You can get it from the official GitHub repository: https://github.com/giMini/RWMC

Simply click on the Download ZIP button at the bottom right of the screen:


2) Extract the files in the ZIP

Right-click on the RWMC-master.zip you just downloaded (we assume you downloaded it into d:\download) and then on Extract All...


Click on the Extract button


You'll get a folder RWMC-master containing the tool.

The files in the folder:

3) Launch PowerShell with Administrator Rights

First, update your PowerShell version from the Microsoft website: https://www.microsoft.com/en-ca/download/details.aspx?id=40855

Choose the right version:
  • Windows 7 SP1
    • x64: Windows6.1-KB2819745-x64-MultiPkg.msu
    • x86: Windows6.1-KB2819745-x86.msu
  • Windows Server 2008 R2 SP1
    • x64: Windows6.1-KB2819745-x64-MultiPkg.msu
  • Windows Server 2012 / Windows 8
    • x64: Windows8-RT-KB2799888-x64.msu



Once your computer is up to date, go to C:\Windows\System32\WindowsPowerShell\v1.0, right-click on powershell_ise.exe and run it as Administrator



PowerShell starting...


And your PowerShell opens!



4) Prepare your environment

Enter this command:
Set-ExecutionPolicy Unrestricted -force
and press Enter




5) Open the tool in PowerShell

Browse to the place where you extracted the tool you downloaded in step 1. In this example it is d:\download\RWMC-master\RWMC-master\Reveal-MemoryCredentials. Click on Reveal-MemoryCredentials.ps1 and then on Open.


If all went well, you should get this result (the script is opened in PowerShell):



6) Launch the tool

Great! Now we can launch the script to reveal the Windows passwords of the users who have logged on to the machine (provided the machine has not been rebooted since).

Click on the green arrow (or press F5 on your keyboard)



You'll get two warnings; click Run Once each time:





If you see the white rabbit, you passed the previous steps :-)



7) Get Windows passwords

a) At the prompt, enter the option "local" (to get the passwords on this computer)


...and get the passwords!




Finally, a window opens with all the passwords found on the machine!


b) Remotely



c) From a dump


  • 1 = Windows 7 - 64 bits / 2008r2
  • 132 = Windows 7 - 32 bits
  • 2 = Windows 8/2012
  • 2r2 = Windows 10/2012r2
  • 8.1 = Windows 8.1
  • 3 = Windows XP/2003

Enjoy!


 \
   \ /\   Follow the white Rabbit :-)
   ( )       Pierre-Alexandre Braeken
.( @ ). 

34 comments:

  1. Invoke-Item : Application not found
    At C:\Users\Administrator\Desktop\RWMC-master\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:1222 char:1
    + Invoke-Item $logPathName
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Invoke-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.PowerShell.Commands.InvokeItemCommand

    Replies
    1. Corrected (removed Invoke-Item, used the notepad command).

      If you download the package on github, you will get the corrected version.

  2. Thanks, but how can I hack a password remotely ("another machine on the same network")?

    Replies
    1. Retrieve remotely:

      Example :
      Launch the script


      1) Mode (1, 132, 2, 2r2 or 3)?: 2r2 [enter]
      2) [enter]
      3) YourServerName [enter]

    2. I already tried it before asking; I tried all modes and tried putting the computer name and also the full computer name:
      ===============
      Please check the error:
      http://im63.gulfup.com/rAwIKK.jpg

    3. As the error says: The network path was not found. It seems the script cannot find the computer name you gave.

    4. How can I resolve this error?

      Screenshot from System Information
      http://im56.gulfup.com/4W2DRe.png

  3. New error after: Process to create on Domain is C:\Windows\temp\dp.exe lsass c:\windows\temp
    Successfully launched C:\Windows\temp\dp.exe lsass c:\windows\temp on Domain with a process id of 812

    http://im43.gulfup.com/amviDe.jpg

  4. The result shows only "????????" characters; could anyone help to advise? Thx!
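The output quoted in the comment above shows the tool dropping dp.exe into C:\Windows\temp and running it against lsass, which is the footprint a defender can look for in process-creation logs (Security event 4688 or equivalent), together with the execution-policy change from step 4. The following is an added example written for this page, not code from the post or from RWMC: it parses a few constructed key=value records that imitate 4688 fields (the record format and field names are assumptions) and flags a non-lsass process naming lsass on its command line, a helper run from a temp directory, and PowerShell's execution policy being set to Unrestricted or Bypass.

```python
"""Flag process-creation records matching the footprint seen on this page:
a helper run from C:\\Windows\\temp with 'lsass' on its command line, and
Set-ExecutionPolicy Unrestricted. Added example; records are constructed."""
import re

# Constructed records in a simplified key=value form imitating the fields of
# Windows Security event 4688 (process creation). Assumed format, not a real export.
SAMPLE_EVENTS = [
    r'EventID=4688 NewProcessName=C:\Windows\temp\dp.exe '
    r'CommandLine="C:\Windows\temp\dp.exe lsass c:\windows\temp" '
    r'SubjectUserName=Administrator',
    r'EventID=4688 NewProcessName=C:\Windows\System32\notepad.exe '
    r'CommandLine="notepad.exe C:\Users\bob\notes.txt" SubjectUserName=bob',
    r'EventID=4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe Set-ExecutionPolicy Unrestricted -force" '
    r'SubjectUserName=Administrator',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# 'lsass' or 'lsass.exe' as a separate token anywhere in a command line.
LSASS_RE = re.compile(r"(?<![\w.])lsass(?:\.exe)?(?![\w.])", re.IGNORECASE)
POLICY_RE = re.compile(r"set-executionpolicy\s+(?:-executionpolicy\s+)?(?:unrestricted|bypass)", re.IGNORECASE)
# Writable locations a dumping helper is commonly dropped into (the page shows c:\windows\temp).
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def classify(event):
    """Return the rule names the record triggers (empty list if nothing matched)."""
    hits = []
    image = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    # lsass is only expected on its own command line; any other process naming it is suspect.
    if LSASS_RE.search(cmd) and not image.endswith("\\lsass.exe"):
        hits.append("lsass-referenced-by-other-process")
        if any(d in image for d in TEMP_DIRS):
            hits.append("dump-tool-in-temp-dir")
    if POLICY_RE.search(cmd):
        hits.append("execution-policy-weakened")
    return hits

def scan(lines):
    """Return (rule, user, command line) for every hit across the records."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev.get("SubjectUserName", "?"), ev.get("CommandLine", "")))
    return findings
```

Running scan(SAMPLE_EVENTS) yields two findings for the dp.exe record and one for the execution-policy change, and nothing for notepad.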

  5. Why not use the Microsoft supported and approved Windows Sysinternals PsTools?

    PsTools - https://technet.microsoft.com/en-us/sysinternals/bb896649
    The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

    PsExec - execute processes remotely
    PsFile - shows files opened remotely
    PsGetSid - display the SID of a computer or a user
    PsInfo - list information about a system
    PsPing - measure network performance
    PsKill - kill processes by name or process ID
    PsList - list detailed information about processes
    PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
    PsLogList - dump event log records
    PsPasswd - changes account passwords
    PsService - view and control services
    PsShutdown - shuts down and optionally reboots a computer
    PsSuspend - suspends processes
    PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)

  6. Hi all,
    when I run the script it stays stuck at: Getting Triple DES Key. Running.......

    Could you help me?

    Regards.

    Replies
    1. Same here. I noticed that it is trying to open another script and I see a bunch of red lines of code errors, but they disappear too quickly.

    2. Please download the latest version here: https://github.com/giMini/RWMC

    3. I have the latest version and I'm still stuck on getting triple DES keys.

    4. Not sure if it's relevant but the how-to says the "run-once" should pop up twice. I only get one popup.

    5. What is your operating system?

      Can you run this and post the result?

      (Get-WmiObject Win32_OperatingSystem).version

      and

      (Get-WmiObject Win32_OperatingSystem).OSArchitecture

  7. On a separate PC I'm getting this error. Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
    At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:644 char:29
    + $operatingSystem = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
    + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    The property 'version' cannot be found on this object. Verify that the property exists.
    At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:644 char:9
    + $operatingSystem = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

    Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
    At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:645 char:29
    + $osArchitecture = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
    + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    The property 'OSArchitecture' cannot be found on this object. Verify that the property exists.
    At C:\RWMC-Version-0.2\Reveal-MemoryCredentials\Reveal-MemoryCredentials.ps1:645 char:9
    + $osArchitecture = (Get-WmiObject Win32_OperatingSystem -ComputerName $s ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

    The operating system could not be determined... terminating...
    Script terminating...
    ================================================================================================

    Replies
    1. There are multiple reasons why this can happen. It is a configuration issue and not a script issue. Also, it would be impossible for you on this machine to query WMI objects. 0x800706BA: this indicates that the Remote Procedure Call service on the remote machine couldn't be contacted. Things to consider:

      * machine doesn't have WMI running
      * RPC problem
      * firewall problem

  8. When I run the script I get this error

    Enter menu number and press : 1
    Registry key setted, you have to reboot the local computer
    Script terminating...
    ================================================================================================

    PS C:\WINDOWS\system32>

    Replies
    1. Not an error. You just have to reboot the computer and relaunch the script.

  9. Hi,

    This script shows an error "This script need an internet connection to run" when executed. What does it do with the internet connection?

    Thanks,
    Nag

  10. Brilliant script and great instructions! Worked a treat and showed me the administrator password, but what I needed was a list of end user passwords (well, one in particular) and the script doesn't seem to do this? It is a Windows 2008 R2 server but it is not part of a domain. Can you advise please? Thanks, Blue

  11. Sorted it - so sorry. It is clearly using volatile memory/caching of credentials when a user logs in, but will not retrieve their password if the server has been rebooted / they haven't logged in. Makes perfect sense, and a pretty impressive piece of work if I might say so! Thank you, you are the man :-) Blue

  12. I have an error showing "The operating system could not be determined"

  13. I used this brilliant script on my laptop (Windows 10 64-bit) and it worked; I had to reboot, but it worked.
    However, on my desktop computer (same OS) it didn't. It shows "The operating system could not be determined... terminating...
    Script terminating..."
    I ran the script without a wifi connection, but then I enabled it and ran the script again, and that error was shown.
    How can I solve it?

    Replies
    1. Can you post the result of this:

      1) (Get-WmiObject Win32_OperatingSystem).version
      and
      2) (Get-WmiObject Win32_OperatingSystem).OSArchitecture

  14. This comment has been removed by a blog administrator.

  15. 不能对 Null 值表达式调用方法。
    所在位置 W:\打包\PowerMemory\trunk\RWMC\supportedOS\Get-InformationsFromSupportedOS.ps1:273 字符: 9
    + $lp = $lp.Substring(6,2)
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [],RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    使用“2”个参数调用“ToInt32”时发生异常:“索引超出范围。必须为非负值并小于集合大小。
    参数名: startIndex”
    所在位置 W:\打包\PowerMemory\trunk\RWMC\supportedOS\Get-InformationsFromSupportedOS.ps1:274 字符: 9
    + $numberBytes = [int][Math]::Ceiling([System.Convert]::ToInt32 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

  16. "The script need an Internet Connection to run
    Script terminating..."

    Could you help me with this issue? (Windows 10, I get this after I rebooted.) It also broke my Windows start menu.