├── .gitattributes
├── Extraction.gif
├── Invoke-PowerExtract.ps1
├── LICENSE
└── README.md

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------

/Extraction.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/powerseb/PowerExtract/cc99456a4a6c79950aa7637fc46312d6545a8ed2/Extraction.gif
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2021, powerpointken
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Invoke-PowerExtract

This tool is able to parse memory dumps of the LSASS process without any additional tools (e.g. debuggers) or additional sideloading of mimikatz. It is a pure PowerShell implementation for parsing and extracting secrets (LSA / MSV and Kerberos) from the LSASS process.

Important: the script contains no functionality to create dump files; it only reads them.

# Usage

So you just want to read a created dump file? The usage is quite simple:

```powershell
Invoke-PowerExtract -PathToDMP C:\temp\lsass.dmp
```

and for Kerberos tickets:

```powershell
Invoke-PowerExtract -PathToDMP C:\temp\lsass.dmp -GetMeTickets $true
```

![Example Extraction with the option "format-list"](Extraction.gif)

Currently supported Windows versions (64-bit only):

Clients:

- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7

Server:

- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
- Windows Server 2008R2
- Windows Server 2008

# Future Plans

Short-term I plan to implement the correct parsing of Kerberos tickets into a format which can be read by Rubeus etc. Currently Kerberos tickets are parsed but not transformed to the correct format - this is completed (more complex than I thought).

# How did you do it?

I wrote a little article about it here - https://powerseb.github.io/posts/LSASS-parsing-without-a-cat/

Kerberos in the making (I need to recover from those hex strings).

# References

Many thanks and a big shout-out to the pypykatz project, which was the inspiration and source for this project:

https://github.com/skelsec/pypykatz

Additionally, AADInternals provided some inspiration for the Kerberos ticket part:

https://github.com/Gerenios/AADInternals

--------------------------------------------------------------------------------