Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Dumping NT password hashes from memory
From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Thu, 23 Nov 2000 22:59:09 -0300

Hi,

 the mechanics of how that is done (using just the password hash
 to authenticate in the domain) are explained in Hernan Ochoa's
 paper "Modifying Windows NT logon credential", it can be
 found on our web page:

http://www.core-sdi.com/papers/nt_cred.htm

-ivan

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================



----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 23, 2000 5:51 PM
Subject: Re: [PEN-TEST] Dumping NT password hashes from memory


On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:

i remember seeing a demo at blackhat where some guys were able to dump
an nt
password hash from memory and then reloading it with a different one
loaded
from pwdump and using it to log in remotely into another server. here's
how
it works;

1) run pwdump on victim machine to retrieve password hashes for say
User1
2) create an account on your local machine called User1 and log into it
interactively.
3) run this tool on your local machine to unload the password hash for
User1
and replacing it with the password hash from pwdump.
4) net use to the remote victim machine as User1 with the victim
password
hash.

does anyone have more information on this?

WEi




The demo you saw was (I think) by Foundstone. The actual tool was
developed and written by CORE SDI. I heard talk at one point about them
planning to release the tool to the public.


Alfred Huger
VP of Engineering
SecurityFocus.com


--- For a personal reply use iarce () core-sdi com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]