Windows Credentials Editor
What is WCE?

WCE is the Windows Credentials Editor. It manipulates Windows logon sessions, and it is considered to be an evolution of the Pass-the-Hash Toolkit by its author, Hernan Ochoa.

WCE Internals was presented at RootedCon in Madrid in early 2011. This presentation explains the inner workings of WCE, including how Windows stores credentials in memory pre and post Windows Vista.

Post-Exploitation with WCE was presented in July 2011. A simple and effective high-level presentation with test cases.

What does WCE do?

- Lists in-memory logon sessions (it dumps in-memory usernames and LM & NT hashes)
- Changes/deletes NTLM credentials of logon sessions
- Creates new logon sessions and associates arbitrary NTLM credentials

Why WCE is better than Pass the Hash

Feature | WCE | Pass The Hash
Supports Windows Vista/7/2008 | True | False
Single executable | True | False
Delete NTLM Credentials | True | False
Works with session isolation | True | False
Programmatic discovery of new LSASRV addr...