mailing list archives
Re: [PEN-TEST] Dumping NT password hashes from memory
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Thu, 23 Nov 2000 09:25:34 -0800
On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:
i remember seeing a demo at blackhat where some guys were able to dump an nt
password hash from memory and then reloading it with a different one loaded
from pwdump and using it to log in remotely into another server. here's how
1) run pwdump on victim machine to retrieve password hashes for say User1
2) create an account on your local machine called User1 and log into it
3) run this tool on your local machine to unload the password hash for User1
and replacing it with the password hash from pwdump.
4) net use to the remote victim machine as User1 with the victim password
does anyone have more information on this?
The demo you saw was (I think) by Foundstone. The actual tool was
developed and written by CORE SDI. I heard talk at one point about them
planning to release the tool to the public.
VP of Engineering