pwdump3 - a Windows NT/2000 remote password hash grabber
by Phil Staubs, e-business technology

Distribution site: http://www.ebiz-tech.com/pwdump3

DESCRIPTION:

This program grabs password hashes from remote Windows NT/2000 machines. It prints them to the screen in standard L0phtCrack format, or optionally writes them to a file.

USAGE:

PWDUMP3 machineName [outputFile] [userName]

Install the executable files (pwdump3.exe, lsaext.dll, and pwservice.exe) in a single directory. Running PWDUMP3 with no parameters displays the usage information.

The first parameter is the remote machine from which the hashes are to be extracted. It can be a machine name with or without leading backslashes, or an IP address.

The second parameter, which is optional, specifies a filename for the program's output. Output may also be redirected to a file. In either case, only the usernames and hashes go to the output file, so the file is suitable as input to the L0phtCrack program.

The third parameter, also optional, is the username for establishing a connection to the remote machine. If the username is supplied on the command line, PWDUMP3 prompts for a password and uses these credentials to create a connection to the remote machine. If a connection already exists, the username is not required. In either case, the connection to the remote machine must be established with administrative-level authority.

HOW IT WORKS:

Remote access to a machine is accomplished by running the hash extraction program as a service, because Windows NT/2000 allows services to be installed and started remotely. PWDUMP3 first connects to the ADMIN$ share and copies the service executable files there. It then asks the Service Control Manager to install and start the service program. The extracted hash information is temporarily stored in the remote machine's registry, and PWDUMP3 connects to the remote registry to read the stored data.

Cleanup consists of removing the registry data, uninstalling the service, and deleting the executable files from the remote machine.

Once the service is running, it follows the methodology used by Todd Sabin in his PWDUMP2 program to access the password hashes. The idea is to use internal Windows function calls to fetch the data. Since these functions require privileged access, it is first necessary to gain the appropriate access privileges. The Local Security Authority Subsystem (LSASS) runs with the necessary privilege, so PWDUMP3 uses a technique known as DLL injection to run code inside the LSASS process, and thereby attain privileged access to the hash information.

DLL injection means running a thread inside an external process. The thread runs with all the access privileges of that process. The thread's executable code must first be copied into the address space of the external process. The PWSERVICE program, running on the remote machine with administrative rights, enables the Debug privilege (SeDebugPrivilege) for itself. This allows it to open the LSASS process and write to its memory. It copies a small thread function into the LSASS address space and then starts a thread in that process to run it. The thread loads the LSAEXT DLL and calls a function that performs the privileged hash extraction routine. This routine uses undocumented, internal Windows function calls to enumerate the users on the system and obtain each user's password hashes in unencrypted form.

The hash information must then be made available to the machine on which PWDUMP3 is running. The easiest way to do this is to place it in the registry, where it can be read remotely. First, however, it is obfuscated with a simple function that uses a one-time key passed in by PWDUMP3. For each 32-bit word of data, this function XORs the key with the word and then rotates the key right by one bit. This is NOT strong encryption. It merely prevents the hashes from crossing the network in plain-text form. Note that PWDUMP3 passes the key to the PWSERVICE program as a start parameter, so the key itself also crosses the network; anyone sniffing the session can capture both the key and the obfuscated data and recover the hashes. Therefore, if you are concerned about the possibility of someone sniffing the network for this information, do not use PWDUMP3.
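The following is an added illustration of the obfuscation scheme described above, written for this README; it is not code from pwdump3 or pwservice. It implements the XOR-then-rotate-right masking exactly as the text describes it (the function names, the constructed sample buffer and the key value 0x12345678 are all assumptions made for the example), and then shows two reasons it is "NOT strong encryption" even before the key is sniffed off the wire: a single known plaintext word recovers the key, and because the key repeats after 32 rotations, XORing two words 32 positions apart removes the key without knowing it at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One-bit rotations on a 32-bit word. */
uint32_t ror1(uint32_t v) { return (v >> 1) | (v << 31); }
uint32_t rol1(uint32_t v) { return (v << 1) | (v >> 31); }

/* The scheme as the README describes it: for each 32-bit word, XOR the word
 * with the key, then rotate the key right by one bit.  XOR is its own
 * inverse, so the same routine both obfuscates and deobfuscates. */
void pw_xor_stream(uint32_t *words, size_t n, uint32_t key)
{
    for (size_t i = 0; i < n; i++) {
        words[i] ^= key;
        key = ror1(key);
    }
}

/* Weakness 1: one known plaintext word anywhere in the blob gives the rotated
 * key at that position; undoing the rotations (rotate left, index mod 32
 * times) gives the original key, which then unmasks the entire blob. */
uint32_t recover_key(uint32_t plain, uint32_t cipher, size_t index)
{
    uint32_t k = plain ^ cipher;
    for (size_t r = 0; r < index % 32; r++)
        k = rol1(k);
    return k;
}

/* Weakness 2: the key returns to its starting value after 32 rotations, so
 * the keystream has a period of 32 words (128 bytes).  XORing two cipher
 * words 32 apart cancels the key and leaves plain[i] ^ plain[i + 32]. */
uint32_t xor_across_period(const uint32_t *cipher, size_t i)
{
    return cipher[i] ^ cipher[i + 32];
}

/* Constructed sample data (not a real hash blob; the README does not give the
 * registry layout), sized to exceed one 32-word key period. */
#define SAMPLE_WORDS 40
void make_sample(uint32_t out[SAMPLE_WORDS])
{
    for (size_t i = 0; i < SAMPLE_WORDS; i++)
        out[i] = 0x41424344u + (uint32_t)i * 0x01010101u;
}

int main(void)
{
    uint32_t plain[SAMPLE_WORDS], cipher[SAMPLE_WORDS];
    const uint32_t key = 0x12345678u;   /* stands in for the key PWDUMP3 passes (assumed value) */

    make_sample(plain);
    memcpy(cipher, plain, sizeof plain);
    pw_xor_stream(cipher, SAMPLE_WORDS, key);

    printf("word 7: plain %08x cipher %08x\n", plain[7], cipher[7]);
    printf("key recovered from word 7 alone: %08x\n",
           recover_key(plain[7], cipher[7], 7));
    printf("cipher[3]^cipher[35] == plain[3]^plain[35]: %s\n",
           xor_across_period(cipher, 3) == (plain[3] ^ plain[35]) ? "yes" : "no");

    pw_xor_stream(cipher, SAMPLE_WORDS, key);   /* the same call undoes the masking */
    printf("round trip restored plaintext: %s\n",
           memcmp(plain, cipher, sizeof plain) == 0 ? "yes" : "no");
    return 0;
}
```

In practice the known-plaintext attack is easy to mount against this kind of data: account names and the fixed punctuation of the hash records give an eavesdropper plenty of guessable 32-bit words, and a single correct guess yields the key for the whole blob.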