Penetration Testing mailing list archives

Re: [PEN-TEST] Dumping NT password hashes from memory
From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Thu, 23 Nov 2000 22:59:09 -0300


 the mechanics of how that is done (using just the password hash
 to authenticate in the domain) are explained in Hernan Ochoa's
 paper "Modifying Windows NT logon credential"; it can be
 found on our web page:




"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402

----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
Newsgroups: core.lists.pentest
Sent: Thursday, November 23, 2000 5:51 PM
Subject: Re: [PEN-TEST] Dumping NT password hashes from memory

On Thu, 23 Nov 2000, Quek, Wei (CA - Calgary) wrote:

I remember seeing a demo at Black Hat where some guys were able to dump
an NT password hash from memory and then reload it with a different one
from pwdump and use it to log in remotely into another server. Here's
how it works:

1) run pwdump on victim machine to retrieve password hashes for say
2) create an account on your local machine called User1 and log into it
3) run this tool on your local machine to unload the password hash for
and replace it with the password hash from pwdump.
4) net use to the remote victim machine as User1 with the victim

does anyone have more information on this?


The demo you saw was (I think) by Foundstone. The actual tool was
developed and written by CORE SDI. I heard talk at one point about them
planning to release the tool to the public.

Alfred Huger
VP of Engineering

--- For a personal reply use iarce () core-sdi com
