Penetration Testing mailing list archives
Re: [PEN-TEST] PWDump3
From: Wesley Shields <wxs8826 () RITVAX ISC RIT EDU>
Date: Tue, 23 Jan 2001 19:07:32 -0500
Below is what was posted to NTBugtraq by Todd Sabin (the author of pwdump2). This should be what you are looking for. -- WXS WXS - Wesley Shields Rochester Institute of Technology Computer Science House http://www.csh.rit.edu <SNIP> -----Original Message----- From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM]On Behalf Of Todd Sabin Sent: Monday, January 22, 2001 11:38 PM To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM Subject: Re: Announcing pwdump3 ehjelmstad <ehjelmstad () EBIZ-TECH COM> writes:
e-business technology would like to announce the release of pwdump3, a Windows NT/2000 remote password hash grabber. [...] This program was written by Phil Staubs and has been released under the GNU GPL.
[Bias warning: I'm the author of pwdump2, on which pwdump3 is based.] Well, I have a few things I'd like to say about this. 1. Security, or lack thereof. One of the reasons that I have not (as of yet, see below) added the ability to dump a remote machine to pwdump2 is that it's not so easy to do it securely. The problem is that the password hashes are plaintext equivalent, meaning that if you simply dump hashes on a remote machine and then copy them over your network, anyone who sniffs them will more or less own you. Therefore, copying your hashes unencrypted over the network is a bad idea, and not something I wanted to add to pwdump2. Now, this new pwdump3 doesn't quite do that. If you look at the source code, you'll see that it does perform an obfuscation step (using a random key) before copying the hashes back from the remote machine. However, the random key is also copied over the network. So, in effect, there's no real encryption being done here. Anyone can still sniff the wire and recover all of your password hashes. They do state this at the very bottom of the README file, but a slightly more prominent warning might be a good idea. The problem with READMEs is that no one ever does, especially not to the very end. Anyway, I'd recommend against using pwdump3 in anything other than a lab scenario. 2. Why "pwdump3"? ebiz-tech did email me a while ago, saying that they were writing this, and asking under what conditions they could use my pwdump2 code. I told them that it was GPL'ed, and so they were allowed to use it, provided that they also GPL their code. However, I suggested that since what they were writing was clearly just an enhancement to pwdump2, why didn't they just send me a patch, let me include it in pwdump2, and give them credit? That is, after all, how things are normally done with open source projects. They never replied. 3. A new pwdump2 is in the works So, I figured they were probably going to go ahead with pwdump3 anyway. And I started figuring out how to add the ability to dump a remote machine (relatively) securely to pwdump2. I've got a working prototype, but unfortunately, it's not quite ready, yet. It should be ready to go in about 2-3 weeks... and it will still be called pwdump2. When it's ready, I'll put an update at the usual places: http://razor.bindview.com/tools/desc/pwdump2_readme.html http://www.webspan.net/~tas/pwdump2 Todd </SNIP> -----Original Message----- From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Frank Dimina Sent: Tuesday, January 23, 2001 2:35 PM To: PEN-TEST () SECURITYFOCUS COM Subject: FW: [PEN-TEST] PWDump3 I haven't seen any docs as to what is new in version 3 over version 2...anybody know?
Current thread:
- [PEN-TEST] FW: [PEN-TEST] PWDump3 Frank Dimina (Jan 23)
- Re: [PEN-TEST] PWDump3 Wesley Shields (Jan 23)