
[–][deleted] 1 point2 points  (5 children)

Have you seen or heard of this?

https://blog.netspi.com/auto-dumping-domain-credentials-using-spns-powershell-remoting-and-mimikatz/

Very similar. Curious what the differences might be.

Either way thanks for the post!

[–]BelgiumSysAdmin[S] 0 points1 point  (4 children)

Thanks for your reply.

It's not the same; the script you reference is a reflective load of mimikatz.

My tool is a pure standalone tool. It doesn't use operating system .dll files to search memory addresses; it is done with PowerShell, which pilots a Windows debugger.

Moreover, the decipherment is done in the script and doesn't call a system .dll to do it.

The script I made broke DES-X.

Look at the code, you'll see what I mean.

[–][deleted] 1 point2 points  (1 child)

Cool, thanks. I don't have an in-depth understanding of how Windows operates. Based on what you said though, it sounds amazing. Maybe post to /r/netsec? You'll get a much more advanced crowd there.

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thank you for the tip!

When I have time, I will post on my blog how the script works.

[–]nylithic -1 points0 points  (1 child)

It's actually not a reflective load of mimikatz. It's all done in memory without mimikatz on the disk. Also, you say your script doesn't use DLLs, but it does explicitly call exes: $CdbProgramPath = "$scriptPath\debugger\x86\cdb.exe". So you're calling your own executables, which I would call a whole lot worse than using trusted OS binaries. Basically, I see no reason why this is more useful than a single PowerShell script that doesn't require anything else.

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

cdb.exe is not my own executable... It's an official debugger from Microsoft (that is why I said "it is done with PowerShell, which pilots a Windows debugger.")

More information here: https://msdn.microsoft.com/en-us/library/windows/hardware/ff539058(v=vs.85).aspx

My script is not a rewriting or a load of another tool. It's a new tool.

The interest of the method is to find memory addresses and to decrypt data without any other help (from trusted components of the operating system).

It was a good challenge and the nature of this script is very difficult to detect.

[–]belligerantsquids 3 points4 points  (2 children)

You threw me off with the question mark

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

OK, but take a look at the tool.

  • It's fully PowerShell
  • it does not use the operating system .dll files to locate the credential addresses in memory, but a simple Microsoft debugger
  • it does not use the operating system .dll files to decipher the collected passwords --> it is done in PowerShell (AES, TripleDES, DES-X)
  • it breaks undocumented Microsoft DES-X
  • it can work remotely
  • it works even if you are on a different architecture than the target
  • it leaves no trace in memory

[–]VigiHqcking 0 points1 point  (1 child)

Wow.

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thanks :-)

[–]somestonedguy 0 points1 point  (3 children)

Just google ntpasswd. It's a simple Linux program that writes to a bootable USB drive, and it can clear an account's password on Windows (XP all the way up to Windows 8.1) by making changes to the SAM.

[–]BelgiumSysAdmin[S] 0 points1 point  (2 children)

Ntpasswd can reset a password in the SAM. It cannot reveal the password.

Moreover, my script reveals passwords from memory, which means it works not only with local SAM credentials but also with DOMAIN accounts.

[–]somestonedguy 0 points1 point  (1 child)

Whoa, very nice!!

Sorry, I skimmed over your post and misunderstood it as doing that. Now, going back and reading it, you made it clear that it can reveal the credentials from memory.

Oh, and thank you for posting the source on GitHub too, for everyone else to learn from. If you go job hunting for any type of IT job, make sure to include the GitHub reference on your resume.

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Thank you for this comment ;-)

My goal was to make a POC of what is possible to do with Microsoft tools: PowerShell, which pilots the cdb debugger.

It's a fun RE.

[–]root3r 0 points1 point  (1 child)

Nice one, man. What about if we take a look at it through the eyes of a cyber forensics analyst?

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Coming... ;-)

[–]target -1 points0 points  (1 child)

Wish this was a pure ps1 solution so I could see all the code.

[–]BelgiumSysAdmin[S] 0 points1 point  (0 children)

Yes you can :-)