Windows Credentials Editor
Windows Credentials Editor (WCE) lists, adds, changes, and deletes NTLM credentials from logon sessions and performs pass-the-hash attacks natively on Windows. It extracts NT/LM hashes from memory without code injection by reading and decrypting Windows internal structures.
Description
WCE v1.3beta is a tool for managing Windows credentials, specifically focusing on NTLM authentication. It enables users to list logon sessions and manipulate associated credentials, such as LM/NT hashes, including adding, changing, listing, and deleting them. This functionality supports pass-the-hash attacks directly on Windows systems.
Key use cases include obtaining NT/LM hashes from memory during interactive logons, services, or remote desktop connections. These hashes can then be used to authenticate to other systems. WCE prioritizes non-intrusive methods by reading and decrypting information from Windows internal memory structures, falling back to code injection only when necessary.
The tool is part of Kali Linux, with binaries like wce32.exe and wce64.exe available in /usr/share/windows-resources/wce, along with supporting files.
How It Works
WCE interacts with Windows internal memory structures to read and decrypt NT/LM hashes from logon sessions without injecting code. It lists sessions, manages credentials (add/change/list/delete), and supports native pass-the-hash for authentication. If direct memory access fails, it switches to code injection techniques. Binaries target 32-bit (wce32.exe) and 64-bit (wce64.exe) architectures, with getlsasrvaddr.exe for LSA server addressing.
Installation
sudo apt install wce
Examples
wce -h
wce -l
wce -w username:password -l
./wce32.exe -l
./wce64.exe -l
wce -d username -l
./getlsasrvaddr.exe
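On the detection side, the binary names and argument shapes listed above can be hunted for in process-creation telemetry. The following is an added example, not part of WCE or of the original page. It assumes JSON-lines records with Sysmon-style Computer, Image and CommandLine fields; the wce.exe name, the severity labels and the sample records are assumptions constructed for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# Binary names from the page; "wce.exe" is assumed from the bare `wce` command.
WCE_NAMES = {"wce.exe", "wce32.exe", "wce64.exe", "getlsasrvaddr.exe"}

# Argument shapes from the page's examples, used to catch a renamed binary:
#   -w username:password -l     and     -d username -l
# A bare "-l" is too common to alert on without a matching binary name.
RENAMED_SHAPES = [
    re.compile(r"\s-w\s+\S+:\S+\s+-l\s*$"),
    re.compile(r"\s-d\s+\S+\s+-l\s*$"),
]

def classify(event):
    """Return (severity, reason) for one process-creation record, or None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    if image in WCE_NAMES:
        return ("high", f"known WCE binary name: {image}")
    if any(shape.search(cmd) for shape in RENAMED_SHAPES):
        return ("medium", f"WCE-style arguments under another name: {image}")
    return None

def scan(lines):
    """Parse JSON-lines records and return a list of alert dicts."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        if not isinstance(event, dict):
            continue
        verdict = classify(event)
        if verdict:
            alerts.append({"host": event.get("Computer"),
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts

# Constructed sample records (not real telemetry).
SAMPLE = [
    r'{"Computer":"WS01","Image":"C:\\Users\\Public\\wce64.exe","CommandLine":"wce64.exe -l"}',
    r'{"Computer":"WS02","Image":"C:\\Windows\\Temp\\svc.exe","CommandLine":"svc.exe -w user:secret -l"}',
    r'{"Computer":"WS03","Image":"C:\\Tools\\ls.exe","CommandLine":"ls.exe -l"}',
    'not json',
    r'{"Computer":"WS04","Image":"C:\\Temp\\getlsasrvaddr.exe","CommandLine":"getlsasrvaddr.exe"}',
]
```

Name matching alone is defeated by renaming the file, so the argument-shape rule is kept separate and rated lower; both are hunting heuristics that need tuning against local baselines.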