Invoke-PowerExtract

This tool parses memory dumps of the LSASS process without any additional tools (e.g. debuggers) and without sideloading mimikatz. It is a pure PowerShell implementation for parsing and extracting secrets (LSA / MSV and Kerberos) from an LSASS process dump.

Important: The script has no functionality to create dump files; it only reads them.

Usage

So you just want to read a created dump file? The usage is quite simple:

 Invoke-PowerExtract -PathToDMP C:\temp\lsass.dmp

and for Kerberos tickets:

 Invoke-PowerExtract -PathToDMP C:\temp\lsass.dmp -GetMeTickets $true

Example Extraction with the option "format-list"

Currently supported Windows versions (64-bit only):

Clients:

  • Windows 11
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7

Server:

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008R2
  • Windows Server 2008

Future Plans

Short-term I plan to implement correct parsing of Kerberos tickets into a format which can be read by Rubeus etc. Until now the Kerberos tickets were parsed but not transformed into the correct format. Update: this is completed (it was more complex than I thought).

How did you do it?

I wrote a short article about it here: https://powerseb.github.io/posts/LSASS-parsing-without-a-cat/ . A Kerberos write-up is in the making (I need to recover from those hex strings first).

References

Many thanks and a big shout-out to the pypykatz project, which was the inspiration and source for this project:

https://github.com/skelsec/pypykatz

Additionally, AADInternals provided some inspiration for the Kerberos ticket part:

https://github.com/Gerenios/AADInternals

Contributors

  • gkourgkoutas
  • powerseb

Issues

Help Request - The process Hangs

Hello,

I ran winpmem (https://github.com/Velocidex/WinPmem/releases/tag/v4.0.rc1) to get the RAW file from the RAM memory.
Then I used volatility2 to get the .DMP file of the lsass process; I also tried volatility3 to dump the process memory.

 invoke-powerextract -PathToDMP 'C:\740.dmp' -Debug $true
 DEBUG: Inputfile valid and identified in: C:\740.dmp
 DEBUG: Header of Dumpfile parsed. Dumpfile holds 2652553094 Streams.

I understand that in the demo you only have 16 streams, but, is there anything that I can do?

Did I miss some requirements to get it to work?

Tried on Win10-22H2 and on Win10-1909, but same result.

 PS C:\temp\PowerExtract> Invoke-PowerExtract -PathToDMP C:\temp\lsass.DMP
 New-Object : Cannot find type [–TypeName System.IO.FileStream –ArgumentList]: verify that the assembly containing
 this type is loaded.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:409 char:23
 + ... ileStream = New-Object –TypeName System.IO.FileStream –ArgumentLi ...
 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
     + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

 New-Object : Cannot find type [–TypeName System.IO.BinaryReader –ArgumentList]: verify that the assembly containing
 this type is loaded.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:410 char:23
 + ... ileReader = New-Object –TypeName System.IO.BinaryReader –Argument ...
 +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidType: (:) [New-Object], PSArgumentException
     + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand

 The property 'Position' cannot be found on this object. Verify that the property exists and can be set.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:412 char:9
 +     $fileReader.BaseStream.Position=0
 +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
     + FullyQualifiedErrorId : PropertyNotFound

 You cannot call a method on a null-valued expression.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:413 char:9
 +     $Signature = Convert-LitEdian -String ([System.BitConverter]: ...
 +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
     + FullyQualifiedErrorId : InvokeMethodOnNull

 You cannot call a method on a null-valued expression.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:415 char:9
 +     $Version = Convert-LitEdian -String ([System.BitConverter]::T ...
 +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
     + FullyQualifiedErrorId : InvokeMethodOnNull

 You cannot call a method on a null-valued expression.
 At C:\temp\PowerExtract\Invoke-PowerExtract.ps1:417 char:9
 +     $ImplementationVersion = Convert-LitEdian -String ([System.Bi ...
 +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
     + FullyQualifiedErrorId : InvokeMethodOnNull
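A triage check that goes with the first report above: a stream count like 2652553094 is what the bytes at offset 8 of a file that is not a minidump look like when they are read as the header's NumberOfStreams. The script below is an added example, not part of PowerExtract or of the issue; it validates the MINIDUMP_HEADER (the 'MDMP' signature, the version word, a plausible stream count, an in-bounds stream directory) and lists the stream directory, so a raw memory image or any other non-minidump file is rejected before any parsing of its contents is attempted. The sample minidump and the 64-stream sanity bound are constructed here.

```python
import struct

MINIDUMP_SIGNATURE = 0x504D444D  # 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793        # low 16 bits of the Version field (dbghelp.h MINIDUMP_VERSION)
HEADER_FMT = "<IIIIIIQ"          # Signature, Version, NumberOfStreams, StreamDirectoryRva,
                                 # CheckSum, TimeDateStamp, Flags
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
DIR_FMT = "<III"                 # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
DIR_SIZE = struct.calcsize(DIR_FMT)        # 12 bytes
MAX_PLAUSIBLE_STREAMS = 64       # constructed sanity bound; a process dump holds a few dozen at most

def parse_minidump_header(data: bytes) -> dict:
    """Validate the MINIDUMP_HEADER and return its fields plus the stream directory.
    Raises ValueError with the reason when the input is not a usable minidump."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than a minidump header")
    sig, ver, nstreams, dir_rva, _csum, ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"signature 0x{sig:08X} is not 'MDMP': not a minidump (raw memory image?)")
    if (ver & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{ver & 0xFFFF:04X}")
    if nstreams == 0 or nstreams > MAX_PLAUSIBLE_STREAMS:
        raise ValueError(f"implausible stream count {nstreams}: header is not a real minidump header")
    if dir_rva < HEADER_SIZE or dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory lies outside the file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) extends past the end of the file")
        streams.append({"type": stype, "size": size, "rva": rva})
    return {"version": ver & 0xFFFF, "implementation": ver >> 16,
            "timestamp": ts, "flags": flags, "streams": streams}

def build_sample_minidump() -> bytes:
    """Constructed fixture: header, a 2-entry directory and two zero-filled stream bodies.
    Stream type ids are from dbghelp.h: 3 = ThreadListStream, 4 = ModuleListStream."""
    body_a, body_b = b"\x00" * 16, b"\x00" * 8
    dir_rva = HEADER_SIZE
    data_rva = dir_rva + 2 * DIR_SIZE
    directory = (struct.pack(DIR_FMT, 3, len(body_a), data_rva)
                 + struct.pack(DIR_FMT, 4, len(body_b), data_rva + len(body_a)))
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, (1 << 16) | MINIDUMP_VERSION,
                         2, dir_rva, 0, 0x65000000, 0)
    return header + directory + body_a + body_b

if __name__ == "__main__":
    for s in parse_minidump_header(build_sample_minidump())["streams"]:
        print(f"stream type={s['type']} size={s['size']} rva=0x{s['rva']:08X}")
```

Feeding the function the bytes of a winpmem RAW image (or any file without the 'MDMP' signature) raises the "not a minidump" error instead of reporting a nonsensical stream count.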

Bug: Empty PathDMP throws error

After importing the .ps1 file and trying to execute it without parameters, the script throws errors.
Steps to reproduce:

  1. Import the .ps1
  2. Execute without parameters:

 Invoke-PowerExtract
