[foofus-tools] All in one (pwdump6, fgdump, medusa).

Richard Miles richard.k.miles at googlemail.com
Mon Mar 23 10:11:54 PDT 2009


Hi

It's my first e-mail to the list; I would like to thank you for the nice tools.

Let's go to the point...

A - I don't know why, but I have a Windows 2003 SP2 machine, and
fgdump.exe running locally ALWAYS fails (with admin credentials OR
SYSTEM).

I'm using it in this way:

fgdump7.exe -l C:\mydir\dump.log -h localhost -u admin -p mypass

But I always get errors like the service could not be started, or the
service is already running and appears to be detaching, and things like
that.

The good thing is that pwdump6 works like a knife. :)

Is this a known problem? If there are some steps you want me to reproduce to
try to identify it more accurately...

B - In this specific case, my output from pwdump6 does not have the full
hash; it's like this:

user:18298:NO PASSWORD*********************:AE9B66EA07C92E0DAE170D937CC57C4D:::

What type is the first half of the hash that is missing? The question is, is there
any way to brute force it? Using rainbow tables?

Or how to use it in tools like Pass The Hash Toolkit.

C - I believe everybody should ask about it. Most AVs today detect
pwdump6 and fgdump and make them a bit harder to use. Can you suggest
some link to learn how to effectively avoid them?

D - Last, but not least, Medusa. I have compiled it on
RHE4 (CentOS 4 like). The point is that even with the glibc headers and
kernel headers it failed; configure pointed out that com_err.h was
missing, which really does not exist, so I looked on the internet and just
grabbed a copy and it worked fine.

What I'm noticing is that Medusa works for some time (on average
trying from 450 to 1300 passwords) and then it says that it couldn't connect
anymore to the SQL Server.

I tried using the option "-t 1" but it did not solve it.

One point is that the server continues up and running; if right after
the error I telnet to it, I can connect successfully.

Don't know if it makes a difference, but I'm brute-forcing without a
password list, so I use a long user list and just test it for a null
password and username as password.

From what I understand, when Medusa gets a connection failure like this,
it should try 3 more times before failing and exiting, right? But that does not
happen; it exits at the first connection error.

An interesting note is that when it fails, it gives a message that I
should enable pthread_cancel.

Very strange...

Is this a known problem with the MSSQL module? Any way to solve it?

I have never used the MSSQL module before...

Thank you all
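The pwdump-format line quoted in question B follows the classic layout `user:rid:LM_hash:NT_hash:comment:homedir:`. The first hash field is the LM hash, and pwdump6 prints a padded text marker such as `NO PASSWORD*********************` when no LM hash is stored for the account (which is the case when the NoLMHash policy is enabled or the password is longer than 14 characters); the second field is the NT hash. The following parser is an added example, not code from the post or from the foofus tools; it reads dump lines, records which hash fields are actually present, and flags accounts whose stored hashes are the well-known empty-password values, which is how a defender audits a dump for accounts that still carry the weaker LM hash or a blank password. The sample line `svc_backup:1001:...` is constructed; the `user:18298:...` line is the one from the post.

```python
"""Parse pwdump/fgdump-style lines and report which hash fields are stored.

Added example, not from the mailing-list post or the foofus tools.
Field layout (classic pwdump format):  user:rid:LM_hash:NT_hash:comment:homedir:
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Well-known hash values of an empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class DumpEntry:
    user: str
    rid: int
    lm_hash: Optional[str]  # None when the dump carries a "NO PASSWORD" style marker
    nt_hash: Optional[str]  # None when the NT field is not a 32-hex-digit hash
    raw_lm: str             # the field exactly as it appeared in the dump
    raw_nt: str

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present (the weaker, case-insensitive hash)."""
        return self.lm_hash is not None

    @property
    def blank_password(self) -> bool:
        """True when either stored hash equals the empty-password constant."""
        return self.lm_hash == EMPTY_LM or self.nt_hash == EMPTY_NT


def _hash_or_none(field: str) -> Optional[str]:
    """Return a lower-case 32-hex hash, or None for text markers such as
    'NO PASSWORD*********************' that pwdump6 pads into the field."""
    return field.lower() if HEX32.match(field) else None


def parse_pwdump_line(line: str) -> DumpEntry:
    """Parse one dump line; raises ValueError on lines that are not pwdump-shaped."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump-format line: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2], parts[3]
    return DumpEntry(user=user, rid=int(rid), lm_hash=_hash_or_none(lm),
                     nt_hash=_hash_or_none(nt), raw_lm=lm, raw_nt=nt)


def audit(lines: List[str]) -> List[str]:
    """Return one finding per account, describing what the dump reveals.

    Used defensively: accounts with an LM hash stored or a blank password are
    the ones to fix (enable NoLMHash / force a password change)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_pwdump_line(line)
        if e.blank_password:
            findings.append(f"{e.user}: BLANK PASSWORD (empty-password hash stored)")
        elif e.lm_stored:
            findings.append(f"{e.user}: LM hash stored, NT hash stored")
        elif e.nt_hash is not None:
            findings.append(f"{e.user}: no LM hash (marker {e.raw_lm.rstrip('*')!r}), NT hash only")
        else:
            findings.append(f"{e.user}: no usable hash fields")
    return findings


# Sample input: first line is the one from the post, second is constructed.
SAMPLE_DUMP = [
    "user:18298:NO PASSWORD*********************:AE9B66EA07C92E0DAE170D937CC57C4D:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Because only the NT field of the quoted line is a real hash, any cracking or lookup against that account would have to target the NT hash; the missing LM half is not recoverable from the dump, it was simply never stored. The blank-password constants are included so the same pass over a dump also surfaces accounts with no password at all.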


