Windows Credentials Editor

What is WCE?

It is a Windows Credentials Editor. It manipulates Windows logon Sessions and it is considered to be an evolution of the Pass-the-Hash Toolkits by it author Hernan Ochoa. WCE Internals presented at RootedCon in Madrid on early 2011. This presentation explains the inner workings of WCE including how Windows store credentials in memory pre and post Windows Vista.

Post-Exploitation with WCE presented on July 2011. Simple and effective high-level presentation with test cases. 

What does WCE do?

• WCE lists in-memory logon sessions (It dumps in-memory username, LM & NT hashes)
• Change/delete NTLM credentials of logon sessions
• Create new logon sessions and associate arbitrary NTLM credentials

Why WCE is better than pass the Hash 

Feature	WCE	Pass The Hash
Supports Windows Vista/7/2008	True	False
Single executable	True	False
Delete NTLM Credentials	True	False
Works with session isolation	True	False
Programmatic discovery of new LSASRV addresses	True	False
Seamlessly chooses code injection or reading from memory	True	False

References:

1. http://www.ampliasecurity.com/research/WCE_Internals_RootedCon2011_ampliasecurity.pdf
2. http://www.ampliasecurity.com/research/wce12_uba_ampliasecurity_eng.pdf
3. http://www.twitter.com/hernano
4. http://www.twitter.com/ampliasecurity
5. http://www.ampliasecurity.com/blog/