Dump credentials stored in Memory

The Windows authentication system stores users' credentials in memory. Windows caches a user's credentials so that she can access, for example, network resources without having to enter her password constantly.

A tool named Windows Credentials Editor (WCE), from Amplia Security, can be used to list logon sessions and to add, change, list and delete the associated credentials (e.g. LM/NT hashes, plaintext passwords and Kerberos tickets).

This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them on other Windows or Unix systems, and dump cleartext passwords entered by users at logon.

Download it from the Amplia Security site.
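The credentials described above are held in the memory of the LSASS process (lsass.exe), so a tool that dumps them has to open that process with memory-read access. The following is an added detection example, not part of the original post or of Amplia Security's tool: it flags Sysmon ProcessAccess events (Event ID 10) in which an unexpected process opens lsass.exe with `PROCESS_VM_READ`. The flattened `key="value"` line format, the allowlist and the sample events are assumptions constructed for illustration.

```python
import re

PROCESS_VM_READ = 0x0010  # Windows access right required to read process memory

# Assumption: processes expected to read LSASS on this host; tune per environment.
# Full paths are compared so a renamed binary elsewhere on disk does not match.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one flattened key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(event):
    """True for a Sysmon ProcessAccess event that opens lsass.exe for reading."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        access = int(event.get("GrantedAccess", ""), 16)
    except ValueError:
        return True  # unparseable mask on an LSASS access: surface for review
    if not access & PROCESS_VM_READ:
        return False  # e.g. query-only handles cannot read credential material
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def find_lsass_readers(lines):
    """Return the SourceImage of every flagged event, in log order."""
    events = (parse_event(line) for line in lines)
    return [e.get("SourceImage", "?") for e in events if is_suspicious(e)]


# Constructed sample events (not taken from a real host).
SAMPLE_LOG = [
    r'EventID="10" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1fffff"',
    r'EventID="10" SourceImage="C:\Users\alice\Downloads\tool.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1410"',
    r'EventID="10" SourceImage="C:\Program Files\Monitor\agent.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
    r'EventID="10" SourceImage="C:\Users\alice\Downloads\tool.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess="0x1fffff"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe"',
]
```

Only the second sample event is flagged: the first comes from an allowlisted system process, the third requests a handle without memory-read access, and the last two do not target lsass.exe.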
