pwdump3e - a Windows NT/2000 remote password hash grabber

by Phil Staubs, e-business technology

Distribution site:
http://www.ebiz-tech.com/pwdump3


DESCRIPTION:

This program grabs password hashes from remote Windows NT/2000 machines.  It 
prints them to the screen in standard L0phtcrack format, or will optionally write 
them to a file if desired.  The hash information is encrypted to avoid disclosure to 
network eavesdroppers.


USAGE:

PWDUMP3e machineName [outputFile] [userName]

Install the executable files (pwdump3e.exe, lsaext.dll, and pwservice.exe) in a 
single directory.  Running PWDUMP3E with no parameters causes the usage information 
to be displayed.  The first parameter is the remote machine from which the hash
is to be extracted.  It can be a machine name with or without leading backslashes, 
or it can be an IP address.  

The second parameter specifies a filename for the program's output.  This is 
optional.  Output may also be redirected to a file.  In either case, only the 
usernames and hashes go to the output file.  The output file is suitable for use 
as an input to the L0phtCrack program.

The third parameter, also optional, is the username for establishing a connection 
to the remote machine.  If the username is supplied on the command line, PWDUMP3E 
will prompt for a password and use these credentials to create a connection on the 
remote machine.  If a connection already exists, the username is not required.  
The connection to the remote machine must be established with administrative-level 
authority.

Running PWDUMP3E against target machines with many user accounts takes time.  We 
have measured approximately ten minutes for 20,000 user accounts.  Please be patient 
and let the program terminate itself.


HOW IT WORKS:

Remote access to a machine is accomplished be by running the hash extraction 
program as a service, because Windows NT/2000 allows services to be installed and 
started remotely.  PWDUMP3E first connects to the ADMIN$ share and copies the 
service executable files there.  It then requests the Service Control Manager to 
install and then run the service program.  The extracted hash information is 
temporarily stored in the remote machine's registry.  PWDUMP3E remotely connects 
to the registry to read the stored data.  Cleanup consists of removing the 
registry data, un-installing the service, and deleting the executable files 
from the remote machine.

Once the service is running, it follows the methodology used by Todd Sabin in his 
PWDUMP2 program to access the password hashes.  The idea is to use Windows internal 
function calls to fetch the data.  Since these functions require privileged access, 
it is first necessary to gain the appropriate access priveleges.  The Local Security 
Authority Subsystem (LSASS) runs with the necessary access privilege, so PWDUMP3E 
uses a technique known as DLL injection to run under the LSASS process, and thereby 
attain privileged access to the hash information.

DLL injection involves running a thread under an external process.  The thread runs 
with all the access privileges of that process.  The thread's executable code must 
first be copied to the address space of the external process.  The PWSERVICE 
program, running on the remote machine with administrative rights, adjusts its 
access privilege to Debug level.  This allows it to open and write to the memory 
space of the LSASS process.  It copies a simple thread function into the LSASS 
address space, and then runs the thread under the external process.  The thread 
loads the LSAEXT DLL and runs a function that performs the privileged hash 
extraction routine.  This routine uses undocumented, internal Windows function 
calls to enumerate the users on the system and obtain the password hashes in 
unencrypted form for each user.

The hash information must be made available to the machine from which PWDUMP3E is 
running.  The easiest way to do this is to place it in the registry, where is can 
be read remotely.  First, however, it is obfuscated to prevent the hashes from being 
disclosed to someone listening to network traffic.  This is accomplished in a secure 
manner by using 512-bit Diffie-Hellman key agreement.  It incorporates the DH class 
from Wei Dai's Crypto++ class library.  Before running the remote service, PWDUMP3E 
generates a public/private key pair using pre-computed prime and generator values, and 
places the public key in the registry of the remote machine.  The remote service 
generates its own public/private key pair, and a mutually agreed key derived from its 
private key and the host's public key.  It then places its public key in the registry 
so that the PWDUMP3E host can also derive the mutual key.  The mutual key is used as 
a basis for generating cryptographic keys with which to encrypt the hash data.

To generate a cryptographic key, we extract 112 bits from the mutual key (determined 
by the user account RID) and 16 bits from the RID, whch serve as a basis for creating 
the key.  Using Windows CryptoAPI functions from the Microsoft Base CSP (available 
for NT Service Pack 3 and up), we produce an MD5 hash and then derive an RS2 key from 
it.  This process is repeatable, so the same key is generated on the remote machine 
for encryption as on the PWDUMP3E host machine for decryption.  The default key length 
of 40 bits is used.  Since the key is unique for each user account, knowlege of one 
user password, or the key used to encrypt its hash provides little help in determining 
the others.


COMPILING PWDUMP3E:

Source code and Visual C++ 6.0 project and workspace files are included.  Since this 
program incorporates the Crypto++ class library (version 4.1) for use with Diffie-Hellman 
key agreement, but the Crypto++ package has not been included, it will be necessary to 
obtain that before proceeding.  Download Crypto++ from Wei Dai's web site at 
http://www.eskimo.com/~weidai/cryptlib.html and build the library.  In the PWDUMP3E 
directory, create a subdirectory called 'cryptlib', and copy the Crypto++ .lib file 
and header files into it.  It will now be possible to open the PWDUMP3E workspace with 
Visual C++ and build the component modules.  
