[foofus-tools] Possible BUGS in fgdump/pwdump

Wed Mar 4 08:12:37 PST 2009

Per Thorsheim wrote:
> There seems to be one or more bugs in fgdump/pwdump, seriously messing
> up the integrity of your output. I've posted a thread about this on
> Cains forum (http://oxid.netsons.org/phpBB2/viewtopic.php?t=3116), as i
> first noticed it while using Cain, and i thought the problem was there.
> A little more testing clears Cain of any suspicion, leaving fizzgig to
> do the explanations. :-)

I love explaining fun problems! :)

> In short it seems as if User1 doesn't have an LM hash stored, User1's
> NTLM hash will take the place of the LM hash, while the next users LM
> hash suddenly becomes the NTLM hash of User1. No wonder hash values
> becomes "uncrackable". :-)

I am not able to reproduce this problem. I've got a mix of accounts both
with and without LM hashes, and all appear correct (they are in-sync
with Cain). I also have not ever heard this complaint before, though
it's certainly possible something odd is going on here. Does this ONLY
happen with history hashes or something? Any more specifics about exact
cases when this happens?

> ----
> Second "bug" in pwdump/fgdump: missing history hashes. In order to
> figure out the above, i dumped a 10K+ accounts domain (W2K3SP1 English),
> using fgdump, pwdump and Cain (all the latest versions as of February
> 25th, 2009). Password history is set to 24.

This one is still strange to me. I posted a "testing" version out to the
site at:

http://www.foofus.net/fizzgig/pwdump/PwDump-2.0.0-beta2-history-test.zip

If you would not mind running it and sending me the output, that would
be great. Feel free to remove the hashes - I am only interested in the
history counters really.

> Also i'm having serious problems making Gsecdump (Truesec, sweden) work
> on my systems, so i haven't been able to use that as another tool for
> verifying datadumps and/or checking the integrity of Gsecdump output.

I'm not familiar with this tool I'm afraid.

> The first bug has basically f****d up several years of research for me,
> at least until i figure out a simple way of adjusting all the hashes to
> the correct column and user, for monthly datadumps across multiple
> domains going years back in time.

Are you certain all the data is fubared? Is there a way of verifying its
integrity historically speaking? Maybe this was an issue for just one
version or something, though as I said, I cannot seem to reproduce it at
all.

> The second "bug" is not that annoying, but fgdump/pwdump doesn't do
> exactly as it says. I haven't checked to see if it dumps the correct
> hashes for each generation yet, but i wonder if i should take a look at
> that as well.

Honestly, I don't think I've ever encountered a system with more than 10
or so history sets, so it's never manifested itself before. Hopefully
the test version will let me get to the bottom of it.

Let me know the results.