Re: [NSE] pwdump script

["Raul Siles" <raul.siles () gmail com>]

Hi Ron,
I think it is a good addition to the nmap users arsenal, and as it is
just a NSE script, its usage is optional.
I would add to it pass-the-hash capabilities to authenticate against
the remote system, with a new option (smbhash), such as:

$ ./nmap -d -p139,445 --script=smb-pwdump --script-args=smbhash=<hash> <host>

The <hash> should be on the LM:NTLM format.

Thanks,
--
Raul Siles
www.raulsiles.com



On Mon, Jan 5, 2009 at 4:10 AM, Ron <ron () skullsecurity net> wrote:
> Hi all,
>
> I wanted to get people's opinions on a NSE script that I'm in the
> process of writing (well, almost finished writing). Basically, using the
> remote files included with pwdump6, and an administrator-level account,
> it dumps the password hashes from the target system. (the .exe and .dll
> that are required are run on the remote system, not the local system, so
> it doesn't matter which OS you're coming from). For what it's worth, I
> got permission from the copyright holder of the pwdump/fgdump tools to
> use and distribute their executables, but I think it's a good idea to
> ask people to download them (if for no other reason, then because I
> don't want Nmap to be picked up by antivirus software -- the necessary
> files are). I also CCed him on this email.
>
> You can try it out yourself by using my svn version. This is how I do it
> (sorry if this is wrapped):
> svn co --username guest --password ""
> svn://svn.insecure.org/nmap-exp/ron/nmap-smb
> cd nmap-smb
> ./configure && make
> cd nselib/data
> wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2
> tar -xvjf pwdump6-1.7.2-exe-only.tar.bz2 servpw.exe lsremora.dll
> cd ../..
> export NMAPDIR=.
> ./nmap -d -p139,445 --script=smb-pwdump
> --script-args=smbuser=<username>,smbpass=<password> <host>
>
> Here is example output:
> Host script results:
> |  smb-pwdump:
> |
> Administrator:500:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
> |
> ASPNET:1001:359E64F7361B678C283B72844ABF5707:49B784EF1E7AE06953E7A4D37A3E9529:::
> |  blankadmin:1003:NO PASSWORD*********************:NO
> PASSWORD*********************:::
> |  blankuser:1004:NO PASSWORD*********************:NO
> PASSWORD*********************:::
> |  Guest:501:NO PASSWORD*********************:NO
> PASSWORD*********************:::
> |
> Ron:1000:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
> |_
> test:1002:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
>
> The format is the standard style (except for the leading '|' from Nmap),
> which can be used in most standard password cracking programs.
>
> Currently, it'll only work against server versions of Windows (2000 and
> 2003) -- I have to re-write some of my authentication logic to run
> against XP, and I have my doubts that it'll work on Vista and above.
> Also, it'll currently work only if there's a writeable C$ share --
> that's definitely going to change before I'm done.
>
> This script probably isn't the most useful, directly, because it
> requires an account (if you run it along with smb-brute.nse, it'll
> attempt to use accounts it finds). That being said, finding a tool that
> can remotely dump hashes from Linux isn't easy (Metasploit is one way,
> but it's even more invasive than this). Instead, this is more of a
> demonstration about how NSE can be used for more than scanning, but for
> deeper pen-testing work.
>
> Speaking of invasive, the way this script works is by uploading the
> .exe/.dll to the remote system and executing them as a service. Whereas
> some tools are about evading detection, I wrote this with cleaning in
> mind -- it doesn't attempt to evade AV software, and it does its
> absolute best to clean itself up in every circumstance.
>
> The hashes dumped can potentially be used to log into other systems
> where users have the same password. As such, an eventual goal (and I
> don't think this is possible (or at least easy) with the way NSE is
> right now) is to collect hashes and try them on other systems to dump
> hashes from them. So, as you go along, you'd be collecting password
> hashes across the network. So, for example, if System A has a weak admin
> password and a handful of users have accounts there, those users'
> password hashes are now compromised. Those hashes can be used to log
> into Systems B, C, and D, where more hashes can be stolen, and so on. As
> you can see, this is leading far more into pen-testing than NSE normally
> does, but it's incredibly cool stuff.
>
> There are a lot of other things you can do once you're running a program
> on the remote system. Anything, really. But here are some thoughts that
> I had:
> - Take a screenshot of the system
> - Dump DNS/ARP cache
> - Dump protected storage
> - Find WEP/WPA keys
>
> Any of these would be relatively easy to do using the framework I wrote
> for pwdump. All of this, of course, would require getting the admin
> password first (but it only takes one box with a weak password).
>
> So, any comments or questions? I'm pretty excited about the
> possibilities that this tool has.
>
> Ron
>
> --
> Ron Bowes
> http://www.skullsecurity.org/
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org