Nmap Development mailing list archives

Re: [NSE] pwdump script


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Feb 2009 17:14:18 -0700

On Wed, Feb 11, 2009 at 06:05:46PM -0600, Ron wrote:
> David Fifield wrote:
> > I changed the setting from guest to classic and ran again.
> >
> > $ ./nmap --datadir=. -PN -d2 -p139,445 --script=smb-pwdump --script-args=smbuser=jrandom,smbpass=jrandom 192.168.0.190
> > Host script results:
> > |_ smb-pwdump: ERROR: Couldn't create the service on the remote machine: NT_STATUS_UNKNOWN (0x000006e4) (svcctl.openscmanagerw)
>
> I haven't been able to figure out how to access the service control
> service on Windows XP. I've spent a lot of time on that issue, and
> unfortunately I haven't been able to resolve it. I even posted to the
> Metasploit mailing list, since they do it, but it didn't help.
>
> Currently, it'll work against Windows 2000 or 2003.

Sorry, you totally mentioned that but somehow I missed it.

You said: "...finding a tool that can remotely dump hashes from Linux
isn't easy (Metasploit is one way, but it's even more invasive than
this)." If this has a chance to become the standard Unix-based hash
grabber then it's worth pursuing. I agree there's a big difference
between logging in with a user name you know and exploiting some
vulnerability to get the hashes.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
