[foofus-tools] Pwdump on 64 bit Itanium servers, Pwdump delivers computer accounts

Teh Fizzgig fizzgig at foofus.net
Fri Aug 28 07:48:25 PDT 2009


Thomas.Schneider01 at t-systems.com wrote:

> a colleague tried to run Pwdump on a 64 bit Itanium W2K3 server and the
> lsass process crashed. Therefore the project was compiled for Itanium
> processor. Does someone have experience with Itanium?

Itanium is definitely not supported. I don't know if it's simply a
matter of recompiling or not, since I don't think I know of any Itanium
system I can test on, and I can count on one hand the number of them
I've run into in the last year.

> I couldn't re-produce it, because I didn't have an Itanium test system.
> I thought about the general problem of a crashed lsass process. Does
> someone know why the code must be injected into the lsass process
> instead of running it directly? This would be very interesting for me.
> I'm a C# programmer and usually avoid crashing processes by using try and
> catch. But the code that is injected looks like it was developed in C and not
> C++ (which I believe supports try and catch) as the rest of the code. Is
> there a way to migrate this part to C++?

The reason is that only the LSASS process is allowed access to some of
the information we need (at least using this method). The exception is
not catchable IIRC, or there was some other compelling reason why this
wasn't feasible.

I have a longer-term solution that does not require process injection,
but have had very little time to work on it. At this point, I have
working POC code, but I've not had the time to take it beyond that.

> Additionally I want to make a small feature request. The Pwdump tool
> also delivers all Computer Accounts on Domain Controllers, which are
> normally not in focus, because their passwords are set very strong by
> Microsoft and should never be possible to crack. In big environments it
> would be much faster to avoid enumerating such accounts. To do this
> the 3rd parameter of the function "SamrEnumerateUsersInDomain"
> ("pSamrEnumerateUsersInDomain" in your code) must be set to 0x10.

Now this is a useful tidbit to be sure. I'll look at making that change.

-f


