Penetration Testing: Re: [PEN-TEST] Dumping NT password hashes from memory

Re: [PEN-TEST] Dumping NT password hashes from memory

From: Iván Arce <core.lists.pentest_at_CORE-SDI.COM>
Date: Thu, 23 Nov 2000 22:59:09 -0300

Hi,

The mechanics of how that is done (using just the password hash
to authenticate in the domain) are explained in Hernan Ochoa's
paper "Modifying Windows NT logon credential"; it can be
found on our web page:

http://www.core-sdi.com/papers/nt_cred.htm

-ivan

---
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce_at_core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================
----- Original Message -----
From: "Alfred Huger" <ah_at_SECURITYFOCUS.COM>
Newsgroups: core.lists.pentest
To: <PEN-TEST_at_SECURITYFOCUS.COM>
Sent: Thursday, November 23, 2000 5:51 PM
Subject: Re: [PEN-TEST] Dumping NT password hashes from memory
> On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:
>
> > i remember seeing a demo at blackhat where some guys were able to dump
> > an nt password hash from memory and then reloading it with a different one
> > loaded from pwdump and using it to log in remotely into another server.
> > here's how it works;
> >
> > 1) run pwdump on victim machine to retrieve password hashes for say User1
> > 2) create an account on your local machine called User1 and log into it
> > interactively.
> > 3) run this tool on your local machine to unload the password hash for User1
> > and replacing it with the password hash from pwdump.
> > 4) net use to the remote victim machine as User1 with the victim password
> > hash.
> >
> > does anyone have more information on this?
> >
> > WEi
> >
>
>
>
> The demo you saw was (I think) by Foundstone. The actual tool was
> developed and written by CORE SDI. I heard talk at one point about them
> planning to release the tool to the public.
>
>
> Alfred Huger
> VP of Engineering
> SecurityFocus.com
--- For a personal reply use iarce_at_core-sdi.com
Received on Nov 25 2000
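The four steps quoted in the thread leave a recognisable shape in Windows logs: a credential swap inside an existing interactive session on the attacker's workstation (step 3), followed shortly by an NTLM network logon to another host with the same account, originating from that workstation (step 4). The script below is an added example written for this archive page, not code from CORE SDI, Hernan Ochoa's paper or any list participant. It assumes modern Windows Security event semantics (Event ID 4624, logon type 9 "NewCredentials" with logon process `seclogo` and package `Negotiate`, logon type 3 with package `NTLM`), which postdate the NT 4 systems discussed in 2000, and it runs over constructed key=value records rather than real logs. The `CORRELATION_WINDOW` and the field names `Computer`/`WorkstationName` are assumptions about how the records have been flattened.

```python
"""
Hunt for the log shape of an in-session credential swap followed by a
remote NTLM logon, over constructed Windows Security event records.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records (not real logs): one 4624/4625 event per line,
# rendered as key=value pairs. Computer is the host that wrote the record,
# WorkstationName is the client host the logon request came from.
SAMPLE_EVENTS = [
    "Time=2000-11-23T17:40:00 Computer=WS01 EventID=4624 LogonType=2 "
    "TargetUserName=User1 LogonProcessName=User32 "
    "AuthenticationPackageName=Negotiate WorkstationName=WS01",
    "Time=2000-11-23T17:45:10 Computer=WS01 EventID=4624 LogonType=9 "
    "TargetUserName=User1 LogonProcessName=seclogo "
    "AuthenticationPackageName=Negotiate WorkstationName=WS01",
    "Time=2000-11-23T17:46:02 Computer=SRV01 EventID=4624 LogonType=3 "
    "TargetUserName=User1 LogonProcessName=NtLmSsp "
    "AuthenticationPackageName=NTLM WorkstationName=WS01",
    "Time=2000-11-23T18:10:00 Computer=WS02 EventID=4624 LogonType=9 "
    "TargetUserName=admin LogonProcessName=seclogo "
    "AuthenticationPackageName=Negotiate WorkstationName=WS02",
    "Time=2000-11-23T18:20:00 Computer=SRV01 EventID=4625 LogonType=3 "
    "TargetUserName=Guest LogonProcessName=NtLmSsp "
    "AuthenticationPackageName=NTLM WorkstationName=WS03",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value, not a standard


def parse_event(line):
    """Turn one key=value record into a dict; Time becomes a datetime."""
    ev = dict(FIELD_RE.findall(line))
    ev["Time"] = datetime.fromisoformat(ev["Time"])
    return ev


def is_credential_swap(ev):
    """Logon type 9 (NewCredentials) via seclogo/Negotiate: the shape left when
    a session keeps its desktop token but gets new network credentials. Note
    that legitimate 'runas /netonly' produces exactly the same event."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def is_ntlm_network_logon(ev):
    """Successful network logon (type 3) authenticated with NTLM."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM")


def find_credential_swaps(lines):
    """Low-confidence hits: every (host, account) that performed a credential swap."""
    return [(ev["Computer"], ev["TargetUserName"])
            for ev in map(parse_event, lines) if is_credential_swap(ev)]


def correlate_lateral_movement(lines):
    """Higher-confidence hits: a swap on host A for account U, followed within
    CORRELATION_WINDOW by an NTLM network logon for U on another host B whose
    recorded client workstation is A. Returns (account, source, target)."""
    events = sorted(map(parse_event, lines), key=lambda e: e["Time"])
    hits = []
    for swap in (e for e in events if is_credential_swap(e)):
        for net in events:
            if (is_ntlm_network_logon(net)
                    and net["TargetUserName"] == swap["TargetUserName"]
                    and net["WorkstationName"] == swap["Computer"]
                    and net["Computer"] != swap["Computer"]
                    and swap["Time"] <= net["Time"] <= swap["Time"] + CORRELATION_WINDOW):
                hits.append((swap["TargetUserName"], swap["Computer"], net["Computer"]))
    return hits


if __name__ == "__main__":
    for host, user in find_credential_swaps(SAMPLE_EVENTS):
        print(f"credential swap on {host} for {user}")
    for user, src, dst in correlate_lateral_movement(SAMPLE_EVENTS):
        print(f"possible hash reuse: {user} {src} -> {dst}")
```

On the sample, `User1` on `WS01` is reported twice: once as a bare swap and once correlated with the NTLM logon on `SRV01`; the `admin` swap on `WS02` is reported only as a swap because no matching network logon follows it. The type 9 event alone is noisy in environments that use `runas /netonly`, so the correlated form is the one worth alerting on, and the window should be tuned against a baseline before it is relied on.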