pwdump6 - Windows NT/2000/XP/2003 NTLM and LanMan Password Grabber

By fizzgig and the foofus.net Team

Web Site:
http://www.foofus.net/fizzgig/pwdump


DESCRIPTION:

A significantly modified version of pwdump3e, this program is able to extract NTLM
and LanMan hashes from a Windows target, regardless of whether Syskey is turned on.
It is also capable of displaying password histories if they are available. It outputs 
the data in L0phtcrack-compatible form, and can write to an output file. Currently, 
data transfer between the client and target is NOT encrypted, so use this at your 
own risk if you feel eavesdropping may be a problem.

USAGE:

pwdump [-h][-o][-u][-p] machineName
  where -h prints the usage message and exits
  where -o specifies a file to which to write the output
  where -u specifies the user name used to connect to the target
  where -p specifies the password used to connect to the target

Install the executable files (pwdump.exe, lsaext.dll, and pwservice.exe) in a 
single directory.  Running pwdump with no parameters causes the usage information 
to be displayed. The target machine name is the only required parameter.

-o specifies a file to which hash data should be written. Messages will still be
written to the console.

-u and -p specify the user name and password used to establish a connection with the
target. This is necessary if you haven't already established the connection via, say,
an IPC$ bind. The credentials used MUST have administrator-level privileges. If no 
password is specified with -p, the program will prompt for the password at the console.

Running pwdump against target machines with many user accounts takes time.  We 
have measured approximately ten minutes for 20,000 user accounts.  Please be patient 
and let the program terminate itself.

WARNING TO ANTI-VIRUS USERS!! (Particularly McAfee)

Certain AV programs, notably McAfee, react poorly to pwdump. McAfee in particular has
a nasty habit of sometimes consuming 100% of the CPU when pwdump is run. Therefore,
it is HIGHLY recommended you stop any AV on the target before pwdump'ing it. If not,
you might need to reboot it, which will be bad if you are working remotely. You have
been warned.

If remembering to do this escapes you (I forget frequently), I would suggest looking at
fgdump (http://www.foofus.net/fizzgig/fgdump). It is, among other things, a wrapper
around pwdump and will take care of stopping and starting AV control as needed.


HOW IT WORKS:

(This is partly from the original pwdump3e README)

Remote access to a machine is accomplished by running the hash extraction 
program as a service, because Windows NT-ish OSes allow services to be installed and 
started remotely.  PWDUMP first connects to an available, writable share and copies the 
service executable files there.  It then requests the Service Control Manager to 
install and then run the service program.  The extracted hash data is then sent
to the client via a named pipe. Cleanup consists of uninstalling the service, 
and deleting the executable files from the remote machine.

Once the service is running, it follows the methodology used by Todd Sabin in his 
PWDUMP2 program to access the password hashes.  The idea is to use Windows internal 
function calls to fetch the data.  Since these functions require privileged access, 
it is first necessary to gain the appropriate access privileges.  The Local Security 
Authority Subsystem (LSASS) runs with the necessary access privilege, so PWDUMP 
uses a technique known as DLL injection to run under the LSASS process, and thereby 
attain privileged access to the hash information.

DLL injection involves running a thread under an external process.  The thread runs 
with all the access privileges of that process.  The thread's executable code must 
first be copied to the address space of the external process.  The PWSERVICE 
program, running on the remote machine with administrative rights, adjusts its 
access privilege to Debug level.  This allows it to open and write to the memory 
space of the LSASS process.  It copies a simple thread function into the LSASS 
address space, and then runs the thread under the external process.  The thread 
loads the LSAEXT DLL and runs a function that performs the privileged hash 
extraction routine.  This routine uses undocumented, internal Windows function 
calls to enumerate the users on the system and obtain the password hashes in 
unencrypted form for each user.

The hash information must be made available to the machine from which PWDUMP is 
running. This is accomplished by shipping data over a named pipe back to the client
(the LSASS process acts as the named pipe server). Currently, this traffic is sent 
in clear-text to eliminate a potential problem with the Crypto API, but this may
change in the future. As a result, be wary of using this in an environment where
eavesdropping may be a problem, say, a flat, non-switched network. Use at your
own risk! (Remember kids, just because you're on a switch doesn't mean the data 
is safe from eavesdropping.)
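
The sequence described above (service executables copied to a writable share, a service installed through the Service Control Manager, then a thread injected into LSASS) leaves a distinctive trail in Windows event logs. The correlation sketch below is an added example for defenders, not part of pwdump6; it runs over constructed event records, and the record field names are this example's own assumptions rather than any vendor's schema.

```python
from datetime import datetime, timedelta

# Rights a DLL-injecting process needs on lsass.exe: PROCESS_CREATE_THREAD | PROCESS_VM_WRITE
INJECT_MASK = 0x0002 | 0x0020
# Constructed records, loosely modelled on Security 5145 (share object access),
# System 7045 (service installed) and Sysmon 10 (process access). The field
# names are this example's own assumption, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T10:00:01", "id": 5145, "host": "WS01",
     "share": "\\\\*\\ADMIN$", "path": "pwservice.exe", "access": "WriteData"},
    {"ts": "2023-05-01T10:00:01", "id": 5145, "host": "WS01",
     "share": "\\\\*\\ADMIN$", "path": "lsaext.dll", "access": "WriteData"},
    {"ts": "2023-05-01T10:00:03", "id": 7045, "host": "WS01",
     "image": "C:\\Windows\\pwservice.exe"},
    {"ts": "2023-05-01T10:00:04", "id": 10, "host": "WS01",
     "source_image": "C:\\Windows\\pwservice.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted": 0x1F0FFF},
    # Benign: deployment tooling writes an installer to ADMIN$ with no follow-up
    {"ts": "2023-05-01T11:00:00", "id": 5145, "host": "WS02",
     "share": "\\\\*\\ADMIN$", "path": "agent.msi", "access": "WriteData"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def detect_remote_service_dump(events, window=timedelta(minutes=5)):
    """One alert per service install preceded by an executable written to an
    admin share and followed by that service opening lsass.exe with inject rights."""
    alerts, by_host = [], {}
    for ev in sorted(events, key=_t):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for svc in (e for e in evs if e["id"] == 7045):
            svc_name = svc["image"].rsplit("\\", 1)[-1].lower()
            # Executables dropped on an administrative share shortly before the install
            dropped = sorted({e["path"] for e in evs if e["id"] == 5145
                              and e["access"] == "WriteData" and e["share"].endswith("$")
                              and e["path"].lower().endswith((".exe", ".dll"))
                              and timedelta(0) <= _t(svc) - _t(e) <= window})
            # The installed service itself opening lsass with write + thread rights
            lsass = [e for e in evs if e["id"] == 10
                     and e["source_image"].lower() == svc["image"].lower()
                     and e["target_image"].lower().endswith("\\lsass.exe")
                     and (e["granted"] & INJECT_MASK) == INJECT_MASK
                     and timedelta(0) <= _t(e) - _t(svc) <= window]
            if svc_name in {p.lower() for p in dropped} and lsass:
                alerts.append({"host": host, "service_image": svc["image"],
                               "dropped": dropped, "lsass_access": hex(lsass[0]["granted"])})
    return alerts
```

Requiring all three stages keeps ordinary software deployment (an installer copied to ADMIN$, or a service installed without touching LSASS) from alerting on its own.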


COMPILING PWDUMP:

Source code and Visual C++ 6.0 project and workspace files are included. I have
successfully compiled this under Visual Studio 2003 as well with minor modifications.

