Penetration Testing mailing list archives

Re: [PEN-TEST] PWDump3


From: Wesley Shields <wxs8826 () RITVAX ISC RIT EDU>
Date: Tue, 23 Jan 2001 19:07:32 -0500

Below is what was posted to NTBugtraq by Todd Sabin (the author of pwdump2).
This should be what you are looking for.

-- WXS

WXS - Wesley Shields
Rochester Institute of Technology
Computer Science House
http://www.csh.rit.edu


<SNIP>
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM]On Behalf Of Todd Sabin
Sent: Monday, January 22, 2001 11:38 PM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Re: Announcing pwdump3


ehjelmstad <ehjelmstad () EBIZ-TECH COM> writes:

e-business technology would like to announce the release of pwdump3, a
Windows NT/2000 remote password hash grabber.
[...]
This program was written by Phil Staubs and has been released under the
GNU GPL.


[Bias warning:  I'm the author of pwdump2, on which pwdump3 is based.]

Well, I have a few things I'd like to say about this.

1.  Security, or lack thereof.

One of the reasons that I have not (as of yet, see below) added the
ability to dump a remote machine to pwdump2 is that it's not so easy
to do it securely.  The problem is that the password hashes are
plaintext equivalent, meaning that if you simply dump hashes on a
remote machine and then copy them over your network, anyone who sniffs
them will more or less own you.  Therefore, copying your hashes
unencrypted over the network is a bad idea, and not something I wanted
to add to pwdump2.

Now, this new pwdump3 doesn't quite do that.  If you look at the
source code, you'll see that it does perform an obfuscation step
(using a random key) before copying the hashes back from the remote
machine.  However, the random key is also copied over the network.
So, in effect, there's no real encryption being done here.  Anyone can
still sniff the wire and recover all of your password hashes.  They do
state this at the very bottom of the README file, but a slightly more
prominent warning might be a good idea.  The problem with READMEs is
that no one ever reads them, especially not to the very end.

Anyway, I'd recommend against using pwdump3 in anything other than a
lab scenario.


2.  Why "pwdump3"?

ebiz-tech did email me a while ago, saying that they were writing
this, and asking under what conditions they could use my pwdump2 code.
I told them that it was GPL'ed, and so they were allowed to use it,
provided that they also GPL their code.  However, I suggested that
since what they were writing was clearly just an enhancement to
pwdump2, why didn't they just send me a patch, let me include it in
pwdump2, and give them credit?  That is, after all, how things are
normally done with open source projects.  They never replied.


3.  A new pwdump2 is in the works

So, I figured they were probably going to go ahead with pwdump3
anyway.  And I started figuring out how to add the ability to dump a
remote machine (relatively) securely to pwdump2.  I've got a working
prototype, but unfortunately, it's not quite ready, yet.  It should be
ready to go in about 2-3 weeks... and it will still be called pwdump2.
When it's ready, I'll put an update at the usual places:

http://razor.bindview.com/tools/desc/pwdump2_readme.html
http://www.webspan.net/~tas/pwdump2


Todd
</SNIP>

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Frank Dimina
Sent: Tuesday, January 23, 2001 2:35 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: FW: [PEN-TEST] PWDump3


I haven't seen any docs as to what is new in version 3 over version
2...anybody know?
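A worked illustration of the point Todd Sabin makes in section 1 of the
forwarded post above, added here as an example; it is not code from pwdump2
or pwdump3.  pwdump3's actual obfuscation routine is not described in the
thread, so repeating-key XOR is assumed as a stand-in, and the pwdump-format
lines are constructed sample data.  The remote side picks a random key,
obfuscates the dump, and sends both over the wire; a passive sniffer that has
captured both messages reverses the step with no secret of its own and ends up
holding the same hashes the tester does.

```python
"""Obfuscation whose random key also travels over the wire is not encryption.

Added example, not pwdump2/pwdump3 code.  Repeating-key XOR is assumed here as
a stand-in for pwdump3's unspecified obfuscation step; SAMPLE_DUMP is
constructed sample data in pwdump format (user:rid:lmhash:nthash:::).
"""
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample output; these are not real accounts or real credentials.
SAMPLE_DUMP = (
    b"Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
    b"31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    b"jsmith:1001:0123456789abcdef0123456789abcdef:"
    b"fedcba9876543210fedcba9876543210:::\n"
)


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both applies and removes the obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def remote_side(dump: bytes, key: Optional[bytes] = None) -> List[bytes]:
    """What the target machine puts on the wire: first the random key, then the
    obfuscated dump.  Returned as the list of messages a sniffer would capture."""
    if key is None:
        key = os.urandom(16)  # fresh random key per run, as the thread describes
    return [key, xor_obfuscate(dump, key)]


def parse_hashes(dump: bytes) -> Dict[str, Tuple[str, str]]:
    """Map username -> (LM hash, NT hash) from pwdump-format lines."""
    out: Dict[str, Tuple[str, str]] = {}
    for line in dump.decode(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            out[fields[0]] = (fields[2], fields[3])
    return out


def sniffer_recover(captured: List[bytes]) -> Dict[str, Tuple[str, str]]:
    """Passive observer on the network path: both messages were captured, so
    undoing the obfuscation needs nothing the attacker does not already have."""
    key, blob = captured
    return parse_hashes(xor_obfuscate(blob, key))


if __name__ == "__main__":
    wire = remote_side(SAMPLE_DUMP)
    # The blob alone looks opaque, but the key rode along in the previous message.
    for user, (lm_hash, nt_hash) in sniffer_recover(wire).items():
        print(f"{user}: LM={lm_hash} NT={nt_hash}")
```

The recovered NT hashes are what NTLM authentication actually uses, which is why
the thread calls them plaintext equivalent: the sniffer can use them as they
are, without cracking anything.  The fix is not a stronger scrambling function
but a key the network never sees (a secret shared out of band, or an
authenticated key agreement over the wire); any scheme that ships the key next
to the data reduces to the unencrypted copy Todd warns against.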

