Post Exploitation With Windows Credentials Editor (WCE)

Video Tutorial

What is WCE?

A tool that allows you to harvest hashes from Windows.


WCE can be used for a variety of functions:

  • It can perform pass-the-hash on Windows.
  • It can obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.)
  • Dump cleartext passwords entered by users at login.

WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.

It comes prepackaged with Kali.



How it is used

  • As mentioned earlier, it is used in penetration tests and in CTF’s that utilize Windows.
  • It works extremely well in post-exploitation when harvesting credentials.
  • All you need to do is upload the wce.exe executable to the target system and run it.


Target OS: Windows 7 VM

We have already exploited the target and have spawned a meterpreter reverse shell. We can now begin our credential harvesting.

  • We can use the Meterpreter upload functionality to upload the wce32.exe executable to our target system. Ideally, we want it in the system32 folder with admin privileges.

Upload /usr/share/wce32.exe

Depending on the target system architecture, you can specify the appropriate wce executable (32 or 64).

Using WCE

  • Viewing the help menu

Wce32.exe -h

  • To list all the hashes of all users


Retrieving user passwords in cleartext

Wce32.exe -w

Note: WCE will only display active user credentials and hashes.

Retrieving the NTLM hash

Wce32.exe -g <password>


Thank you Alexis for the information.

I may try this out later today on my Win7 test machine that gets abused terribly LoL.

1 Like

Any tool that functions same but available for Windows10?