Pwdump2
From ChekMate Security Group
Updated: April 6, 2000
What's New?
It's been a while since pwdump2 was first released, and it's time for an update. This new version adds two new features:
- It can now dump password hashes from Active Directory. (The original version wasn't able to do this.)
- It can determine the pid of lsass automatically, so you don't need to supply it on the command line.
What is pwdump2?
This is an application which dumps the password hashes (OWFs) from NT's SAM database, whether or not SYSKEY is enabled on the system. NT administrators can thus enjoy the additional protection of SYSKEY while still being able to check their users for weak passwords. The output follows the same format as the original pwdump (by Jeremy Allison), and can be used as input to l0phtcrack, or with Samba. You need the SeDebugPrivilege for it to work. By default, only Administrators have this right, so this program does not compromise NT security.
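Because the dump shares the original pwdump's line format, the weak-password checks mentioned above can be scripted directly. The following audit script is an added example, not code from pwdump2 or this page; it assumes the usual pwdump layout user:rid:LM-hash:NT-hash::: and the published hashes of the empty password, and runs over a constructed sample dump.

```python
# Added example (not part of pwdump2): audit a pwdump-format dump for
# weak-credential indicators. Assumes the layout user:rid:lmhash:nthash:::
from collections import defaultdict

# Well-known hashes of the empty password (blank-password and LM-stored checks).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format; these are not real credentials.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdef0123456789abcdef:aaaabbbbccccddddeeeeffff00001111:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::
"""

def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt); reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::")
        user, rid, lm, nt = fields[:4]
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: hashes must be 32 hex chars")
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records

def audit(records):
    """Flag LM hashes stored, blank passwords, and accounts sharing an NT hash."""
    findings = {"lm_stored": [], "empty_password": [], "shared_password": []}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in records:
        if lm != EMPTY_LM:          # an LM hash is actually stored (weak format)
            findings["lm_stored"].append(user)
        if nt == EMPTY_NT:          # account has no password at all
            findings["empty_password"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:   # same NT hash => same password
            findings["shared_password"].append(sorted(users))
    return findings

if __name__ == "__main__":
    for kind, hits in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{kind}: {hits}")
```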
How do I use it?
First, of course, back your system up, and try it on a test machine. Take both the pwdump2.exe and samdump.dll files and place them together in a directory on your NT box's local file system. Then, just run
[c:\pwdump2] pwdump2
and the contents of the SAM will be written to the console. To capture the output in a file, run, e.g., "pwdump2 > passwd.txt".
This newer version of pwdump2 is able to find the pid of lsass.exe automatically. Several people sent me source code to do this, but it all required an extra DLL, which is why I never incorporated it. Recently, Gary Nebbett published Windows NT/2000 Native API Reference, an invaluable reference documenting virtually every undocumented NT kernel call. Among other things, it demonstrates a method of determining pids without linking to more DLLs. pwdump2 now includes code which does this. If for some reason pwdump2 fails to determine the proper pid, it will complain and exit. You can still specify the pid on the command line to work around this: determine the process id of lsass.exe (you can do this with Task Manager), then, assuming the pid is, e.g., 43, run:
[c:\pwdump2] pwdump2 43
How does it work?
It uses a technique known as DLL injection. In general, one process (pwdump2.exe) forces another process (lsass.exe) to load a DLL (samdump.dll) and execute some code from the DLL in the other process's (lsass.exe's) address space and user context. In this specific case, once samdump.dll is loaded into lsass, it uses the same internal API that msv1_0.dll uses to access the password hashes. This means it can get the hashes without doing any of the 'hard' work of pulling them out of the registry and decrypting them. The program neither knows nor cares what the encryption algorithms or keys are.
Is source available?
Yes, full source is provided here under the terms of the GNU General Public License. For alternate licensing, send me mail. A previous version of pwdump2 used sample code from Advanced Windows, 3rd Ed., by Jeffrey Richter, ISBN 1-57231-548-2, and was subject to his copyright. I have rewritten the relevant portions so that full source can be made available. Nevertheless, anyone interested in DLL injection, or advanced Windows programming in general, should definitely get Richter's book; it's outstanding.
What systems has it been tested on?
The original version has been tested on quite a lot. It's known to work on pretty much all versions of NT4 and W2K, possibly excepting Windows Terminal Services (see below).
The new version obviously has not been tested much yet. If you'd rather use the original, you can still download it below. You'll still need to specify lsass's pid, of course, and it won't work on Active Directory.
There have been reports of the original pwdump2 not working on various systems, but nothing I've been able to nail down. I believe a lot of this is people running it without the correct privileges and not realizing it. However, it does appear that there may be some bad interaction with either some virus protection systems or Windows Terminal Services (or both). I have nothing concrete on these; if you have problems in these areas, please let me know. Also, if you've found that pwdump2 does work for you with either of these situations, I'd appreciate hearing about that as well (with version information as specific as you can provide).
Limitations
* It doesn't dump the user's full name, just the account name.
Download
Download pwdump2 — 46kb MD5 (pwdump2.zip) = 560b92164864a9dbe0760b4c8fc1e147
Download original pwdump2 — 50kb MD5 (pwdump2-orig.zip) = 3c26b77e948d486cbd697e45fd8f56f4
Troubleshooting
If it fails with the output:
- CreateRemoteThread failed: 8
This error is caused when you try to use it remotely, such as through a Terminal Server session. Try running it locally on the computer rather than through a remote session and you shouldn't see this error.
I had exactly the same error message when using pwdump2 within a terminal services session logged on to a Windows 2000 domain controller with A/D (it worked fine from the console).
Here is a solution:
1. Create a directory and copy pwdump2.exe to it. NOTE: you may require samdump.dll depending on your system.
2. In the directory create a batch file called run.bat with these commands in it:
d:
cd \directory
pwdump2 >pw2.sam
3. Save run.bat
4. From a command prompt:
at hh:mm "d:\directory\run.bat"
- where hh:mm is the time one minute in the future.
5. After one minute, the batch file will run and create pw2.sam with the password hashes in it.
copyright © 1998, 2000