URL: www.packetstormsecurity.org
Client OS: Windows NT
Target OS: Windows NT
Price: Free
Description: Pwdump2 is a tool that can be used to overcome an NT password file protected with SYSKEY encryption. SYSKEY encryption, which was discussed in Section 15.1, encrypts the NT password hashes, rendering L0phtCrack and other password crackers useless. Pwdump2 uses DLL injection to insert and execute its own code in the memory space and user context of lsass.exe. The tool then returns a file containing password hashes that can be fed into a password-cracking program such as L0phtCrack or John the Ripper. Pwdump2 needs to be executed locally on the target server with administrator access.
Use: As stated above, pwdump2 must be run locally on the server with administrator privileges. First, you must determine the process ID of lsass.exe. To perform this step, you need a tool called pulist.exe, another NT Resource Kit utility. Execute pulist from the command line on the server and note the process ID number for lsass. The example below shows the syntax for pulist.
C:\>pulist \\server_name
Next, execute pwdump2 followed by the process ID for lsass. Use the following syntax to perform this step and direct the output to a file:
C:\>pwdump2 process_id_lsass > passlist.txt
Now you can use L0phtCrack or John the Ripper (described in the next section) to crack the password file.
Benefit: Pwdump2 enables you to crack a password file protected with SYSKEY encryption.
Con: Pwdump2 must be executed locally on the target server and with administrator privileges. This can be a difficult set of prerequisites to achieve.
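Because pwdump2 has to inject a DLL into lsass.exe from an administrator session, the access it must obtain to the LSASS process is also what a defender can watch for. The following Python script is an added example, not part of this tool entry or of pwdump2 itself: it scans constructed, Sysmon-style ProcessAccess records (Event ID 10, a facility of modern Windows rather than NT 4) and flags any non-allowlisted process that opens lsass.exe with the rights needed to write memory and create a thread in it. The log lines, the allowlist and the flattened key=value field format are assumptions for illustration.

```python
import re

# Process access rights (winnt.h values) that a caller needs in order to write
# code into another process and run it there: the combination DLL injection
# into lsass.exe, as described in this entry, cannot do without.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# System processes that legitimately open lsass.exe with broad rights.
# Assumption for this example: tune this to what is normal on your own hosts.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon-style ProcessAccess (Event ID 10) records, one per line,
# flattened to key=value pairs. These are invented sample data, not captured
# output; paths are assumed to contain no spaces.
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Temp\pwdump2.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1F0FFF
EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Tools\procexp.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1F0FFF
EventID=1 Image=C:\Temp\pwdump2.exe CommandLine=pwdump2.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split a flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_lsass_injection(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with injection rights."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    # GrantedAccess is a hex mask; all three injection bits must be present.
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return granted & INJECTION_MASK == INJECTION_MASK


def find_lsass_injections(log_text: str) -> list:
    """Return the SourceImage of every record that looks like injection into LSASS."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_lsass_injection(event):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for source in find_lsass_injections(SAMPLE_LOG):
        print(f"ALERT: {source} opened lsass.exe with thread-create and memory-write rights")
```

Run on the constructed sample, only the pwdump2 record is reported: csrss is allowlisted, Task Manager asks for query rights only, and the fourth record targets a different process. The mask check is deliberately narrow (all three bits required) so that monitoring tools that merely read LSASS memory do not trip it; widen or narrow it to match the noise level of your own environment.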