pwdump3e - a Windows NT/2000 remote password hash grabber by Phil Staubs, e-business technology Distribution site: http://www.ebiz-tech.com/pwdump3 DESCRIPTION: This program grabs password hashes from remote Windows NT/2000 machines. It prints them to the screen in standard L0phtcrack format, or will optionally write them to a file if desired. The hash information is encrypted to avoid disclosure to network eavesdroppers. USAGE: PWDUMP3e machineName [outputFile] [userName] Install the executable files (pwdump3e.exe, lsaext.dll, and pwservice.exe) in a single directory. Running PWDUMP3E with no parameters causes the usage information to be displayed. The first parameter is the remote machine from which the hash is to be extracted. It can be a machine name with or without leading backslashes, or it can be an IP address. The second parameter specifies a filename for the program's output. This is optional. Output may also be redirected to a file. In either case, only the usernames and hashes go to the output file. The output file is suitable for use as an input to the L0phtCrack program. The third parameter, also optional, is the username for establishing a connection to the remote machine. If the username is supplied on the command line, PWDUMP3E will prompt for a password and use these credentials to create a connection on the remote machine. If a connection already exists, the username is not required. The connection to the remote machine must be established with administrative-level authority. Running PWDUMP3E against target machines with many user accounts takes time. We have measured approximately ten minutes for 20,000 user accounts. Please be patient and let the program terminate itself. HOW IT WORKS: Remote access to a machine is accomplished be by running the hash extraction program as a service, because Windows NT/2000 allows services to be installed and started remotely. PWDUMP3E first connects to the ADMIN$ share and copies the service executable files there. It then requests the Service Control Manager to install and then run the service program. The extracted hash information is temporarily stored in the remote machine's registry. PWDUMP3E remotely connects to the registry to read the stored data. Cleanup consists of removing the registry data, un-installing the service, and deleting the executable files from the remote machine. Once the service is running, it follows the methodology used by Todd Sabin in his PWDUMP2 program to access the password hashes. The idea is to use Windows internal function calls to fetch the data. Since these functions require privileged access, it is first necessary to gain the appropriate access priveleges. The Local Security Authority Subsystem (LSASS) runs with the necessary access privilege, so PWDUMP3E uses a technique known as DLL injection to run under the LSASS process, and thereby attain privileged access to the hash information. DLL injection involves running a thread under an external process. The thread runs with all the access privileges of that process. The thread's executable code must first be copied to the address space of the external process. The PWSERVICE program, running on the remote machine with administrative rights, adjusts its access privilege to Debug level. This allows it to open and write to the memory space of the LSASS process. It copies a simple thread function into the LSASS address space, and then runs the thread under the external process. The thread loads the LSAEXT DLL and runs a function that performs the privileged hash extraction routine. This routine uses undocumented, internal Windows function calls to enumerate the users on the system and obtain the password hashes in unencrypted form for each user. The hash information must be made available to the machine from which PWDUMP3E is running. The easiest way to do this is to place it in the registry, where is can be read remotely. First, however, it is obfuscated to prevent the hashes from being disclosed to someone listening to network traffic. This is accomplished in a secure manner by using 512-bit Diffie-Hellman key agreement. It incorporates the DH class from Wei Dai's Crypto++ class library. Before running the remote service, PWDUMP3E generates a public/private key pair using pre-computed prime and generator values, and places the public key in the registry of the remote machine. The remote service generates its own public/private key pair, and a mutually agreed key derived from its private key and the host's public key. It then places its public key in the registry so that the PWDUMP3E host can also derive the mutual key. The mutual key is used as a basis for generating cryptographic keys with which to encrypt the hash data. To generate a cryptographic key, we extract 112 bits from the mutual key (determined by the user account RID) and 16 bits from the RID, whch serve as a basis for creating the key. Using Windows CryptoAPI functions from the Microsoft Base CSP (available for NT Service Pack 3 and up), we produce an MD5 hash and then derive an RS2 key from it. This process is repeatable, so the same key is generated on the remote machine for encryption as on the PWDUMP3E host machine for decryption. The default key length of 40 bits is used. Since the key is unique for each user account, knowlege of one user password, or the key used to encrypt its hash provides little help in determining the others. COMPILING PWDUMP3E: Source code and Visual C++ 6.0 project and workspace files are included. Since this program incorporates the Crypto++ class library (version 4.1) for use with Diffie-Hellman key agreement, but the Crypto++ package has not been included, it will be necessary to obtain that before proceeding. Download Crypto++ from Wei Dai's web site at http://www.eskimo.com/~weidai/cryptlib.html and build the library. In the PWDUMP3E directory, create a subdirectory called 'cryptlib', and copy the Crypto++ .lib file and header files into it. It will now be possible to open the PWDUMP3E workspace with Visual C++ and build the component modules.