Penetration Testing mailing list archives
Re: [PEN-TEST] Dumping NT password hashes from memory
From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Thu, 23 Nov 2000 22:59:09 -0300
Hi, the mechanics of how that is done (using just the password hash to authenticate in the domain) are explained in Hernan Ochoa's paper "Modifying Windows NT logon credential", which can be found on our web page: http://www.core-sdi.com/papers/nt_cred.htm

-ivan

---
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
President
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================

----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 23, 2000 5:51 PM
Subject: Re: [PEN-TEST] Dumping NT password hashes from memory

On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:

> I remember seeing a demo at Black Hat where some guys were able to dump an NT password hash from memory and then reload it with a different one loaded from pwdump and use it to log in remotely into another server. Here's how it works:
>
> 1) Run pwdump on the victim machine to retrieve password hashes for, say, User1.
> 2) Create an account on your local machine called User1 and log into it interactively.
> 3) Run this tool on your local machine to unload the password hash for User1 and replace it with the password hash from pwdump.
> 4) net use to the remote victim machine as User1 with the victim's password hash.
>
> Does anyone have more information on this?
>
> Wei

The demo you saw was (I think) by Foundstone. The actual tool was developed and written by CORE SDI. I heard talk at one point about them planning to release the tool to the public.

Alfred Huger
VP of Engineering
SecurityFocus.com
--- For a personal reply use iarce () core-sdi com