Penetration Testing mailing list archives

Re: [PEN-TEST] Dumping NT password hashes from memory


From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Thu, 23 Nov 2000 22:59:09 -0300

Hi,

 the mechanics of how that is done (using just the password hash
 to authenticate in the domain) are explained in Hernan Ochoa's
 paper "Modifying Windows NT logon credential"; it can be
 found on our web page:

http://www.core-sdi.com/papers/nt_cred.htm

-ivan

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================



----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 23, 2000 5:51 PM
Subject: Re: [PEN-TEST] Dumping NT password hashes from memory


On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:

I remember seeing a demo at Blackhat where some guys were able to dump
an NT password hash from memory and then reload it with a different one
loaded from pwdump, and use it to log in remotely into another server.
Here's how it works:

1) run pwdump on the victim machine to retrieve password hashes for, say,
User1
2) create an account on your local machine called User1 and log into it
interactively.
3) run this tool on your local machine to unload the password hash for
User1 and replace it with the password hash from pwdump.
4) net use to the remote victim machine as User1 with the victim
password hash.

does anyone have more information on this?

Wei




The demo you saw was (I think) by Foundstone. The actual tool was
developed and written by CORE SDI. I heard talk at one point about them
planning to release the tool to the public.


Alfred Huger
VP of Engineering
SecurityFocus.com


--- For a personal reply use iarce () core-sdi com

