Penetration Testing mailing list archives

Re: [PEN-TEST] PWDump3

From: Steve <steve () SECURESOLUTIONS ORG>
Date: Tue, 23 Jan 2001 12:49:41 -0700

I will cross post this here as well seeing how PWDUMP3 is being talked
about.  This was posted by Todd Sabin, author of PWDump2, on Win2KSecAdvice.
------------------------------------------------------------
Return-Path: <tas () webspan net>
Received: from 216.44.68.109 by GUAVA.EASE.LSOFT.COM (SMTPL release 1.0d)
with TCP; Tue, 23 Jan 2001 13:00:45 -0500
Received: (from tas@localhost)
        by jetcar.qnz.org (8.9.3/8.9.3) id NAA28382;
        Tue, 23 Jan 2001 13:00:43 -0500
Sender: tas () webspan net
From: Todd Sabin <tsabin () razor bindview com>
To: "Discussion regarding Windows-related security vulnerabilities and
risks." <win2ksecadvice () LISTSERV NTSECURITY NET>
Subject: Re: FW: Announcing pwdump3
References: <000301c0855a$52d84570$b401a8c0 () ebiztech com>
Date: 23 Jan 2001 13:00:43 -0500
In-Reply-To: ehjelmstad's message of "Tue, 23 Jan 2001 09:34:13 -0700"
Message-ID: <m3k87m9mic.fsf () jetcar qnz org>
Lines: 64
User-Agent: Gnus/5.070084 (Pterodactyl Gnus v0.84) Emacs/20.5
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
ehjelmstad <ehjelmstad () EBIZ-TECH COM> writes:

e-business technology would like to announce the release of pwdump3, a
Windows NT/2000 remote password hash grabber.
[...]
This program was written by Phil Staubs and has been released under the
GNU GPL.


[Bias warning:  I'm the author of pwdump2, on which pwdump3 is based.]

Well, I have a few things I'd like to say about this.

1.  Security, or lack thereof.

One of the reasons that I have not (as of yet, see below) added the
ability to dump a remote machine to pwdump2 is that it's not so easy
to do it securely.  The problem is that the password hashes are
plaintext equivalent, meaning that if you simply dump hashes on a
remote machine and then copy them over your network, anyone who sniffs
them will more or less own you.  Therefore, copying your hashes
unencrypted over the network is a bad idea, and not something I wanted
to add to pwdump2.

Now, this new pwdump3 doesn't quite do that.  If you look at the
source code, you'll see that it does perform an obfuscation step
(using a random key) before copying the hashes back from the remote
machine.  However, the random key is also copied over the network.
So, in effect, there's no real encryption being done here.  Anyone can
still sniff the wire and recover all of your password hashes.  They do
state this at the very bottom of the README file, but a slightly more
prominent warning might be a good idea.  The problem with READMEs is
that no one ever does, especially not to the very end.

Anyway, I'd recommend against using pwdump3 in anything other than a
lab scenario.


2.  Why "pwdump3"?

ebiz-tech did email me a while ago, saying that they were writing
this, and asking under what conditions they could use my pwdump2 code.
I told them that it was GPL'ed, and so they were allowed to use it,
provided that they also GPL their code.  However, I suggested that
since what they were writing was clearly just an enhancement to
pwdump2, why didn't they just send me a patch, let me include it in
pwdump2, and give them credit?  That is, after all, how things are
normally done with open source projects.  They never replied.


3.  A new pwdump2 is in the works

So, I figured they were probably going to go ahead with pwdump3
anyway.  And I started figuring out how to add the ability to dump a
remote machine (relatively) securely to pwdump2.  I've got a working
prototype, but unfortunately, it's not quite ready, yet.  It should be
ready to go in about 2-3 weeks... and it will still be called pwdump2.
When it's ready, I'll put an update at the usual places:

http://razor.bindview.com/tools/desc/pwdump2_readme.html
http://www.webspan.net/~tas/pwdump2


Todd

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Parth Galen
Sent: Tuesday, January 23, 2001 7:25 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] PWDump3


FYI,
I just heard about PWDump3 being released from www.ebiz-tech.com

I have not tested it, and do not know about the source, but there
it is for those who are interested.
------------------
Two wrongs do not make a right, but three lefts do!


Get your small business started at Lycos Small Business at
http://www.lycos.com/business/mail.html

Current thread:

[PEN-TEST] PWDump3 Parth Galen (Jan 23)
- Re: [PEN-TEST] PWDump3 Steve (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] PWDump3 Cintron, Jose (Jan 23)
- Re: [PEN-TEST] PWDump3 Thibodeaux, Mark (Jan 24)
- Re: [PEN-TEST] PWDump3 Beauregard, Claude Q (Jan 24)
  - Re: [PEN-TEST] PWDump3 Steve (Jan 24)