What is WCE?
A tool that allows you to harvest hashes from Windows.
WCE can be used for a variety of functions:
- It can perform pass-the-hash on Windows.
- It can obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.)
- Dump cleartext passwords entered by users at login.
WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.
It comes prepackaged with Kali.
How it is used
- As mentioned earlier, it is used in penetration tests and in CTF’s that utilize Windows.
- It works extremely well in post-exploitation when harvesting credentials.
- All you need to do is upload the wce.exe executable to the target system and run it.
Target OS: Windows 7 VM
We have already exploited the target and have spawned a meterpreter reverse shell. We can now begin our credential harvesting.
- We can use the Meterpreter upload functionality to upload the wce32.exe executable to our target system. Ideally, we want it in the system32 folder with admin privileges.
Depending on the target system architecture, you can specify the appropriate wce executable (32 or 64).
- Viewing the help menu
- To list all the hashes of all users
Retrieving user passwords in cleartext
Note: WCE will only display active user credentials and hashes.
Retrieving the NTLM hash
Wce32.exe -g <password>