Nmap Development mailing list archives

Re: [NSE] pwdump script


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Feb 2009 16:59:00 -0700

On Sun, Jan 04, 2009 at 09:10:23PM -0600, Ron wrote:
> I wanted to get people's opinions on an NSE script that I'm in the
> process of writing (well, almost finished writing). Basically, using the
> remote files included with pwdump6, and an administrator-level account,
> it dumps the password hashes from the target system. (The .exe and .dll
> that are required are run on the remote system, not the local system, so
> it doesn't matter which OS you're coming from.)

I finally got around to trying this. I followed your instructions with
pwdump6-1.7.2.

$ ./nmap --datadir=. -PN -d2 -p139,445 --script=smb-pwdump --script-args=smbuser=jrandom,smbpass=jrandom 192.168.0.190
Host script results:
|_ smb-pwdump: ERROR: Couldn't upload the files: Couldn't upload nselib/data/lsremora.dll: NT_STATUS_ACCESS_DENIED

I think this is due to the guest/classic login option in XP
Professional. I see a lot of log messages with -d2 like

SCRIPT ENGINE DEBUG: SMB: Extended login as \jrandom failed, but was given guest access (username may be wrong, or system may only allow guest)
SCRIPT ENGINE DEBUG: Couldn't delete lsremora.dll: NT_STATUS_ACCESS_DENIED

I changed the setting from guest to classic and ran again.

$ ./nmap --datadir=. -PN -d2 -p139,445 --script=smb-pwdump --script-args=smbuser=jrandom,smbpass=jrandom 192.168.0.190
Host script results:
|_ smb-pwdump: ERROR: Couldn't create the service on the remote machine: NT_STATUS_UNKNOWN (0x000006e4) (svcctl.openscmanagerw)

I'll send you the log file for that.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
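The guest-versus-classic behaviour David describes is a host-side setting on XP Professional (the "simple file sharing" option, stored as the ForceGuest value under the Lsa registry key). The following PowerShell snippet is an added example, not code from the thread or from Nmap, for checking which model a host is using before blaming credentials for an NT_STATUS_ACCESS_DENIED on an SMB upload. It assumes the value lives at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest with 1 meaning guest-only and 0 meaning classic, and is meant to be run locally on the host being examined.

```powershell
# Added example (not from the nmap-dev thread): report whether this host maps
# network logons to Guest, which is what makes an otherwise valid administrator
# logon show up as "was given guest access" in the Nmap -d2 output and turns a
# file upload to ADMIN$ into NT_STATUS_ACCESS_DENIED.
# Assumption: the setting is the ForceGuest DWORD under the Lsa key
# (1 = Guest only / simple file sharing, 0 = Classic).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SharingSecurityModel {
    param([string]$Path = $LsaKey)

    # SilentlyContinue so an absent value yields $null instead of an error.
    $item  = Get-ItemProperty -Path $Path -Name ForceGuest -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.ForceGuest } else { $null }

    switch ($value) {
        1       { 'Guest only: network logons are mapped to Guest; credentialed uploads and service creation will be denied' }
        0       { 'Classic: network logons use the supplied account; an administrator can write to ADMIN$' }
        default { 'ForceGuest value not present under the Lsa key' }
    }
}

Get-SharingSecurityModel
```

On hosts without PowerShell, `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v ForceGuest` reads the same value. A value of 1 explains the first error in the message above; it does not explain the later svcctl.openscmanagerw failure, which occurred after the host had been switched to classic.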
