Penetration Testing mailing list archives
Re: [PEN-TEST] PWDump3
From: Steve <steve () SECURESOLUTIONS ORG>
Date: Tue, 23 Jan 2001 12:49:41 -0700
I will cross post this here as well seeing how PWDUMP3 is being talked about. This was posted by Todd Sabin, author of PWDump2, on Win2KSecAdvice.

------------------------------------------------------------
From: Todd Sabin <tsabin () razor bindview com>
To: "Discussion regarding Windows-related security vulnerabilities and risks." <win2ksecadvice () LISTSERV NTSECURITY NET>
Subject: Re: FW: Announcing pwdump3
Date: 23 Jan 2001 13:00:43 -0500
In-Reply-To: ehjelmstad's message of "Tue, 23 Jan 2001 09:34:13 -0700"

ehjelmstad <ehjelmstad () EBIZ-TECH COM> writes:
> e-business technology would like to announce the release of pwdump3, a Windows NT/2000 remote password hash grabber. [...] This program was written by Phil Staubs and has been released under the GNU GPL.
[Bias warning: I'm the author of pwdump2, on which pwdump3 is based.]

Well, I have a few things I'd like to say about this.

1. Security, or lack thereof.

One of the reasons that I have not (as of yet, see below) added the ability to dump a remote machine to pwdump2 is that it's not so easy to do it securely. The problem is that the password hashes are plaintext equivalent, meaning that if you simply dump hashes on a remote machine and then copy them over your network, anyone who sniffs them will more or less own you. Therefore, copying your hashes unencrypted over the network is a bad idea, and not something I wanted to add to pwdump2.

Now, this new pwdump3 doesn't quite do that. If you look at the source code, you'll see that it does perform an obfuscation step (using a random key) before copying the hashes back from the remote machine. However, the random key is also copied over the network. So, in effect, there's no real encryption being done here. Anyone can still sniff the wire and recover all of your password hashes. They do state this at the very bottom of the README file, but a slightly more prominent warning might be a good idea. The problem with READMEs is that no one ever does, especially not to the very end.

Anyway, I'd recommend against using pwdump3 in anything other than a lab scenario.

2. Why "pwdump3"?

ebiz-tech did email me a while ago, saying that they were writing this, and asking under what conditions they could use my pwdump2 code. I told them that it was GPL'ed, and so they were allowed to use it, provided that they also GPL their code. However, I suggested that since what they were writing was clearly just an enhancement to pwdump2, why didn't they just send me a patch, let me include it in pwdump2, and give them credit? That is, after all, how things are normally done with open source projects. They never replied.

3. A new pwdump2 is in the works

So, I figured they were probably going to go ahead with pwdump3 anyway. And I started figuring out how to add the ability to dump a remote machine (relatively) securely to pwdump2. I've got a working prototype, but unfortunately, it's not quite ready, yet. It should be ready to go in about 2-3 weeks... and it will still be called pwdump2. When it's ready, I'll put an update at the usual places:

http://razor.bindview.com/tools/desc/pwdump2_readme.html
http://www.webspan.net/~tas/pwdump2

Todd
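The transport weakness Todd describes above, modelled as an added example (this is not code from pwdump3 or pwdump2; the XOR obfuscation, the sample dump lines and the pre-shared-secret contrast are all assumptions made here, and the contrast is illustrative rather than a description of the forthcoming pwdump2):

```python
import hashlib
import hmac
import os

# Constructed pwdump-format lines with fake hash values (not real hashes).
SAMPLE_DUMP = (
    b"Administrator:500:" + b"A" * 32 + b":" + b"B" * 32 + b":::\n"
    + b"Guest:501:" + b"C" * 32 + b":" + b"D" * 32 + b":::\n"
)

def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a keystream, repeating it if shorter than data."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

def pwdump3_style_transfer(dump: bytes) -> dict:
    """Model of the scheme Todd describes: obfuscate with a random key, then
    ship that key over the same wire. XOR is an assumption; the page does not
    show pwdump3's actual obfuscation routine."""
    key = os.urandom(16)
    return {"key": key, "blob": xor_stream(dump, key)}

def sniffer_recovers(wire: dict) -> bytes:
    """A passive observer captures exactly what the receiver gets, so the
    plaintext-equivalent hashes fall out directly: no secret was ever kept."""
    return xor_stream(wire["blob"], wire["key"])

def derive_keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF stream (HMAC-SHA256) from a secret that never crosses
    the wire; the nonce may be public."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def keyed_transfer(dump: bytes, secret: bytes) -> dict:
    """Contrast: only a fresh nonce and the blob are sent; the shared secret
    stays off the wire (confidentiality only, no authentication)."""
    nonce = os.urandom(16)
    return {"nonce": nonce, "blob": xor_stream(dump, derive_keystream(secret, nonce, len(dump)))}

def keyed_receive(wire: dict, secret: bytes) -> bytes:
    """Receiver holding the shared secret reverses the transform; an observer
    without the secret sees only nonce and ciphertext."""
    return xor_stream(wire["blob"], derive_keystream(secret, wire["nonce"], len(wire["blob"])))
```

The first pair of functions shows why "obfuscation with a transmitted key" is plaintext equivalent; the second pair shows the property a remote dump actually needs, namely that the key material is never part of the capture.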
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Parth Galen
Sent: Tuesday, January 23, 2001 7:25 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] PWDump3

FYI, I just heard about PWDump3 being released from www.ebiz-tech.com

I have not tested it, and do not know about the source, but there it is for those who are interested.

------------------
Two wrongs do not make a right, but three lefts do!