Pwdump


pwdump is the name of a family of Windows programs that output the LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database and, on domain-joined hosts, from the locally cached Active Directory domain user entries.


It is widely used to carry out the pass-the-hash attack, in which the dumped hash is replayed for authentication without ever recovering the plaintext, and to recover users' passwords by cracking the dumped hashes offline by brute force or dictionary attack. To work, it must run under an Administrator account, or be able to obtain Administrator privileges, on the computer whose hashes are to be dumped. Pwdump is therefore a security risk in itself: it allows a malicious administrator to obtain every local user's password hash, and with it their credentials. [1]
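As an added example (not code from pwdump or from any of the tools listed on this page), the following Python script parses pwdump-style "user:RID:LMhash:NThash:::" lines and runs the offline dictionary check described above against the NT hashes. The sample dump lines, the fake svc_backup hash and the wordlist are constructed for the example; the MD4 routine is written out inline because hashlib's md4 is often disabled under OpenSSL 3.

```python
"""Offline dictionary check of NT hashes in pwdump output (added example, not pwdump code)."""
import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
# Value pwdump-family tools print in the LM field when no LM hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string, i.e. an account whose password is blank.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    r2 = [(j % 4) * 4 + j // 4 for j in range(16)]          # 0,4,8,12,1,5,9,13,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):
            if i < 16:
                f, k, s, add = (B & C) | (~B & D), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = (B & C) | (B & D) | (C & D), r2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = B ^ C ^ D, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _lrot((A + f + x[k] + add) & MASK32, s)
            A, B, C, D = D, t, B, C       # rotate registers so the next step updates "D"
        a, b, c, d = (a + A) & MASK32, (b + B) & MASK32, (c + C) & MASK32, (d + D) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


@dataclass
class PwdumpRecord:
    user: str
    rid: int
    lm: str
    nt: str

    def lm_stored(self) -> bool:
        """False when the LM field is the well-known 'no LM hash' placeholder."""
        return self.lm != EMPTY_LM


def parse_pwdump_line(line: str) -> PwdumpRecord:
    """Parse one 'user:RID:LMhash:NThash:::' record as printed by pwdump-family tools."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    return PwdumpRecord(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower())


def crack(lines, wordlist) -> dict:
    """Dictionary attack: hash each candidate once, then match it against every account.

    Because NT hashes are unsalted, one hash computation per candidate covers all users.
    Returns {username: recovered_password} for every account that matched.
    """
    records = [parse_pwdump_line(ln) for ln in lines if ln.strip()]
    lookup = {nt_hash(w).hex(): w for w in wordlist}
    return {r.user: lookup[r.nt] for r in records if r.nt in lookup}


# Constructed sample dump in pwdump format (not a real system's output).
SAMPLE_LINES = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]
WORDLIST = ["", "password", "Password1", "letmein"]   # constructed candidate list

if __name__ == "__main__":
    for rec in map(parse_pwdump_line, SAMPLE_LINES):
        print(f"{rec.user:14} RID={rec.rid:<5} LM stored: {rec.lm_stored()}")
    print("recovered:", crack(SAMPLE_LINES, WORDLIST))
```

The script recovers "password" for Administrator and a blank password for Guest, and leaves svc_backup unmatched. Note what the output format itself tells a practitioner: the constant LM field shows LM hashing is disabled for all three accounts, and an NT field equal to EMPTY_NT identifies a blank password without any cracking. Cracking is also optional for the attacker: the NT hash column alone is enough for pass-the-hash, which is why a dump of this file is treated as full credential compromise.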

History

The original program, called pwdump, was written by Jeremy Allison, who published its source code in 1997. [2] Since then there have been further developments by other programmers:

  1. pwdump (1997) — original program by Jeremy Allison. [3]
  2. pwdump2 (2000) — by Todd Sabin of Bindview (GPL), uses DLL injection. [4]
  3. pwdump3 — by Phil Staubs (GPL), works over the network.
    • pwdump3e — by Phil Staubs (GPL), sends encrypted over network.
  4. pwdump4 — by bingle (GPL), improvement on pwdump3 and pwdump2.
  5. pwdump5 — by AntonYo! (freeware).
  6. pwdump6 (c. 2006) — by fizzgig (GPL), improvement of pwdump3e. No source code.
    • fgdump (2007) — by fizzgig, improvement of pwdump6 w/ addons. No source code.
  7. pwdump7 — by Andres Tarasco (freeware), uses its own filesystem drivers to read the hive files. No source code.
  8. pwdump8 — by Fulvio Zanetti and Andrea Petralia, supports the AES-128-encrypted hash storage used by Windows 10 and later. No source code. [5]

Notes

  1. "LSASS Memory - Red Canary Threat Detection Report". Red Canary. Retrieved 2023-12-11.
  2. Allison 2012, see pwdump.c.
  3. Allison 2012.
  4. SecuriTeam.com 2017.
  5. Blackmath 2019.

