[foofus-tools] Possible BUGS in fgdump/pwdump

Per Thorsheim putilutt at online.no
Tue Mar 3 05:39:15 PST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There seems to be one or more bugs in fgdump/pwdump, seriously messing
up the integrity of your output. I've posted a thread about this on
Cains forum (http://oxid.netsons.org/phpBB2/viewtopic.php?t=3116), as i
first noticed it while using Cain, and i thought the problem was there.
A little more testing clears Cain of any suspicion, leaving fizzgig to
do the explanations. :-)

In short it seems as if User1 doesn't have an LM hash stored, User1's
NTLM hash will take the place of the LM hash, while the next users LM
hash suddenly becomes the NTLM hash of User1. No wonder hash values
becomes "uncrackable". :-)
- ----
Second "bug" in pwdump/fgdump: missing history hashes. In order to
figure out the above, i dumped a 10K+ accounts domain (W2K3SP1 English),
using fgdump, pwdump and Cain (all the latest versions as of February
25th, 2009). Password history is set to 24.

Cain has dumped the current password hashes as well as the history
hashes going back up to 24 generations. Pwdump-2.0.0-beta dumps the
current hashes as well as history_0 back to history_13, and there it
stops. Exactly the same result with fgdump. Since Cain doesn't add any
trailing text or a separate column to identify the different hash
generations (mao has stated he will implement it for the next version),
i am kind of dependent on fgdump/pwdump, but Cain seems to do the dump
correctly.

Also i'm having serious problems making Gsecdump (Truesec, sweden) work
on my systems, so i haven't been able to use that as another tool for
verifying datadumps and/or checking the integrity of Gsecdump output.

- ----
The first bug has basically f****d up several years of research for me,
at least until i figure out a simple way of adjusting all the hashes to
the correct column and user, for monthly datadumps across multiple
domains going years back in time.

The second "bug" is not that annoying, but fgdump/pwdump doesn't do
exactly as it says. I haven't checked to see if it dumps the correct
hashes for each generation yet, but i wonder if i should take a look at
that as well.

Best regards,
Per Thorsheim
"mrCracker"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10-svn4880 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmtMwMACgkQsXl+Y9DQrvZ8uwCgvnvAgbfyUn4KnZL19Gj+LZev
99AAn0GxYvYOEq75ulFYS/Hg6ChtDXYT
=D+lI
-----END PGP SIGNATURE-----




More information about the foofus-tools mailing list