12 replies to this topic

[cb122]

Am I missing something with the pwdump tools? To run them you need Administrator access to the Server. Yet all they are ever going to give you at best is a hash that you can crack for an Administrative account? So what's the point, as surely to run it you already have Administrator access to the box? Are the tools for password auditing to check for any other weak passwords associated with local windows passwords on the box?

What would be useful would be tools and techniques for a standard domain user to be able to get hashes from remote servers without administrative credentials? Do such tools/techniquse exisit (considering the target server is Windows 2003 and is fully patched), if so please point me in the direction, and more importantly and mitigating controls to protect such attacks. Physical access to the Server is one option I know with boot CD's and distros - but I'm after something where physical access is not possible...

[webdevil]

I guess you answered the first question yourself. You could also use those passwords on the network to see if it is being repeated
or maybe for using the admin account for keeping control rather than creating a new account etc.

Getting hashes of remote servers would be considered a vulnerability. So, No! You won't get those.
You could try pass-the-hash technique. Tools like gsecdump, incognito should help
I found a link for you as well
http://carnal0wnage....ito-part-2.html

[cb122]

Cheers WebDevil, I will look into them tools. I noticed gsecdump also requires local admin on the target server but I'll read up on incognito in more detail.

[infiltrator]

I guess you answered the first question yourself. You could also use those passwords on the network to see if it is being repeated
or maybe for using the admin account for keeping control rather than creating a new account etc.

Getting hashes of remote servers would be considered a vulnerability. So, No! You won't get those.
You could try pass-the-hash technique. Tools like gsecdump, incognito should help
I found a link for you as well
http://carnal0wnage....ito-part-2.html

I haven't tried this tool as of yet, but do you need to have the AV turned off or it won't matter.

[webdevil]

Should work regardless of your AV state.

[bonarez]

metasploit can do hash passing too, look for smb relay

[DidierStevens]

Do such tools/techniquse exisit (considering the target server is Windows 2003 and is fully patched), if so please point me in the direction, and more importantly and mitigating controls to protect such attacks. Physical access to the Server is one option I know with boot CD's and distros - but I'm after something where physical access is not possible...

One mitigation control is to prevent Windows from storing LM hashes. When a password is longer than 14 characters, no LM hash is stored.

And there are settings to prevent Windows from storing a LM hash for passwords shorter than 15 characters, take a look at the Microsoft KB article:
http://support.microsoft.com/kb/299656

[infiltrator]

Do such tools/techniquse exisit (considering the target server is Windows 2003 and is fully patched), if so please point me in the direction, and more importantly and mitigating controls to protect such attacks. Physical access to the Server is one option I know with boot CD's and distros - but I'm after something where physical access is not possible...

One mitigation control is to prevent Windows from storing LM hashes. When a password is longer than 14 characters, no LM hash is stored.

And there are settings to prevent Windows from storing a LM hash for passwords shorter than 15 characters, take a look at the Microsoft KB article:
http://support.microsoft.com/kb/299656

By default that is not necessary in Windows Vista or 7, only in Windows XP or past versions.

[DidierStevens]

By default that is not necessary in Windows Vista or 7, only in Windows XP or past versions.

Correct, but the OP was asking about Windows Server 2003, and this KB-article applies to Windows Server 2003.

[infiltrator]

By default that is not necessary in Windows Vista or 7, only in Windows XP or past versions.

Correct, but the OP was asking about Windows Server 2003, and this KB-article applies to Windows Server 2003.

Got a bit carried away, when I saw the explanation on lm and ntlm hashes and didn't notice the Windows Server 2003 part. My apologies there.

[E411]

This is an old thread, but for anyone stumbling on this article now...

I use PWDump/FGDump on almost every penetration test I do.

It is very frequent that I gain access to a single server. In an environment with 500 machines, it's actually ordinary.

However, escalating that to the rest of the environment is the issue.

With FGDump, I can both crack the local admin password, which is often repeated on other machines, AND i can capture cached domain credentials.

A typical scenario is one I had last week. I cracked a single SQL 2000 box, and used PWDump to get the admin password hashes and cracked them via rainbowcrack. Then I ran a tool that queries other machines to see if they use the same password. I found 114 machines that did.

At this point, I have a perl script I wrote that runs a batch process on those machines, both dumping the local SAM passwords, as well as the domain cached credentials. I gathered 210 cached domain user accounts, and 10 additional common local user name/password combinations.

From these local users with LM hahses, I was able to penetrate an additional machine, revealing a second (newer) local administrator password, yielding another 140 systems. Now i have almost 400 cached domain credentials in a salted mscache format. Running this through a dictionary cracker, I gain access to 85 domain accounts, including one domain administrator. From there, I have complete access to the entire infrastructure.


As you can see, the SQL exploit, mixed with pwdump, combined with rainbowcrack and john the ripper, turned access to a single machine into completed administrative control of the domain in about 6 hours work and 40 hours of computational time.

Win!

[Predjuh]

Do such tools/techniquse exisit (considering the target server is Windows 2003 and is fully patched), if so please point me in the direction, and more importantly and mitigating controls to protect such attacks. Physical access to the Server is one option I know with boot CD's and distros - but I'm after something where physical access is not possible...

One mitigation control is to prevent Windows from storing LM hashes. When a password is longer than 14 characters, no LM hash is stored.

And there are settings to prevent Windows from storing a LM hash for passwords shorter than 15 characters, take a look at the Microsoft KB article:
http://support.microsoft.com/kb/299656

By default that is not necessary in Windows Vista or 7, only in Windows XP or past versions.

I'm also working with FGdump and PWDump, but I never used it on a Windows 7 box.

Is windows 7 using the same technique as Windows XP? And if not, wich kind of hashing is it using and how to extract them on a Windows 7/Vista box..

[webdevil]

Extracting the hashes would be the same. You can use pwdump7 from
http://www.openwall....xp-2003-vista-7

It's just that the hashes are of NTLM format and not LM.