Re: LSADump2 Crashing Systems

["RCS" <ramseycs () bellsouth net>]

Did you try running it with DEP turned off?  pwdump (3 IIRC) did the same
thing to a Windows XP machine I was trying to do weak password testing on.
Turn it off temporarily, then try it.

Dedric Ramsey
Ramsey Consulting Services

----- Original Message ----- 
From: "Ghetti, Tim" <tghetti () air-worldwide com>
To: "oh face" <0h.fac3 () gmail com>; <pen-test () securityfocus com>;
<focus-ms () securityfocus com>
Sent: Friday, September 09, 2005 4:17 PM
Subject: RE: LSADump2 Crashing Systems


I had this experience with a 2003 server domain controller fully
patched. It killed the lsass process and force rebooted. At the time I
was investigating an unrelated issue and thought that the reboot was due
to the other issue. I never investigated this issue, as it was highly
unlikely that anyone use the LSADump other than me.

> -----Original Message-----
> From: oh face [mailto:0h.fac3 () gmail com]
> Sent: Friday, September 02, 2005 5:31 PM
> To: pen-test () securityfocus com; focus-ms () securityfocus com
> Subject: LSADump2 Crashing Systems
>
> In my recent pen-test experience, LSADump2 has been crashing
> Windows boxes. I was able to verify this on fully patched
> Windows XP and 2003.
> In further examination, LSADump2, when executed, killed the "lsass"
> process, and with the "winlogon" process still running, the
> system was forced to reboot. As far as I know, LSADump2 is
> utilizing a DLL injection technique to dump the contents of
> LSA secrets.
>
> Question:
> 1. Has anyone had this experience? If so, is there a safe
> method to execute this tool?
> 2. When I tested LSADump2 on various Windows boxes, not all
> fully patched boxes were affected by this issue. What
> configuration of Windows is exactly causing "lsass" to fail?
>
> Cheers.
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your website. Up to 75% of cyber attacks are
> launched on shopping carts, forms, login pages, dynamic
> content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting
> and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------

----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers
do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------