[foofus-tools] KM-pwdump...experiment-success (3,655,856 users)

Keith Morrell keith.morrell at optusnet.com.au
Mon May 24 13:57:33 PDT 2010


6:31am...finally it finished (well at 3:34am...and looks to be successful)!
Run time just under nine hours.

Run with these switches: pwdump-v4 -o hashdump.txt -u administrator -p password -n localhost

So the issue seems to be directly related to the size of the USERINFO
array... and it does run slower as it goes along, so there might still be some
more optimising to be done somewhere?? At first it was running (according to
the rough trace output) at a pace that would have had it finished in around
4-5 hours, but it took almost 9 hours. E.g. after 22 mins it had done 253k
users, so ~700k/hour.

I did notice at the midpoint (~12am) that the memory usage for the machine
was flicking between 2.23GB and 2.50GB but never higher. Looked like 2.50GB
was some sort of ceiling it was banging off, maybe??


My fix was quite crude but seems to work for me in this case:

PwDump.cpp:

typedef struct _USERINFO
{
	char cHash[64];		// Stores NTLM and LanMan hash data
	wchar_t wszUser[28];	// Stores the user's name
} USERINFO, *LPUSERINFO;


LsaExt.c:

#define USER_BUFFER_LENGTH 28

typedef struct _USERINFO
{
	char cHash[64];		// Stores NTLM and LanMan hash data
	wchar_t wszUser[28];	// Stores the user's name
} USERINFO, *LPUSERINFO;


These are in addition to these two suggestions in the same module:

void SendStatusMessage(char* szMessage, ...)
.....
	if (hPipe != NULL && hPipe != INVALID_HANDLE_VALUE)
	{
		WriteFile(hPipe, szData, sizeof(USERINFO) + 3, &cbTotalBytes, NULL);
		FlushFileBuffers(hPipe);
		// ResetPipe();
	}


__declspec(dllexport) GetHash(LPCTSTR lpszPipeName, BYTE* pEncryptionKey, DWORD dwKeyLen, BOOL bSkipHistories)
....
		// enumRc = pSamrEnumerateUsersInDomain(hDomain, &dwEnum, 0, &pEnum, 1000, &dwNumber);
		enumRc = pSamrEnumerateUsersInDomain(hDomain, &dwEnum, 0x10, &pEnum, 1000, &dwNumber);

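The fix above changes the USERINFO layout in two separate source files and then writes sizeof(USERINFO)-based chunks through the pipe, so the sender and receiver only work if both copies of the struct stay identical. The following is an added example, not code from pwdump or the foofus.net project: it copies the USERINFO struct from this post, replaces the Windows named pipe with an in-memory byte buffer, and shows a compile-time size check plus a bounds-checked reader that rejects a byte stream whose length is not a whole number of records (as happens when one side was compiled with a different struct) or whose user-name field is not NUL-terminated. pack_records, parse_records, build_sample and the demo_* functions are hypothetical helpers written for this example; the sample records contain placeholder bytes, not real hashes.

```c
/* Added example, not pwdump's code. USERINFO is copied from the post;
 * pack_records/parse_records/build_sample/demo_* are hypothetical helpers
 * and an in-memory buffer stands in for the Windows named pipe. */
#include <string.h>
#include <wchar.h>

#define USER_BUFFER_LENGTH 28

typedef struct _USERINFO
{
    char cHash[64];                      /* Stores NTLM and LanMan hash data */
    wchar_t wszUser[USER_BUFFER_LENGTH]; /* Stores the user's name */
} USERINFO, *LPUSERINFO;

/* The post edits this struct in two files; this check fails the build if
 * the layout drifts away from the macro both ends are supposed to share. */
typedef char userinfo_size_check[
    sizeof(USERINFO) == 64 + USER_BUFFER_LENGTH * sizeof(wchar_t) ? 1 : -1];

/* Bounded wide-string length: scans at most max characters. */
static size_t bounded_wlen(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Serialise n records into out (capacity cap bytes); returns bytes written,
 * or 0 if they would not fit (the division also guards n * size overflow). */
size_t pack_records(const USERINFO *recs, size_t n, unsigned char *out, size_t cap)
{
    if (n > cap / sizeof(USERINFO))
        return 0;
    memcpy(out, recs, n * sizeof(USERINFO));
    return n * sizeof(USERINFO);
}

/* Validate records read back from the pipe. Returns the count copied into out,
 * or -1 when len is not a whole number of records (sender/receiver struct
 * mismatch or a truncated write), out is too small, or a user-name field has
 * no terminating NUL within its USER_BUFFER_LENGTH characters. */
long parse_records(const unsigned char *buf, size_t len, USERINFO *out, size_t max_out)
{
    size_t n, i;
    if (len % sizeof(USERINFO) != 0)
        return -1;
    n = len / sizeof(USERINFO);
    if (n > max_out)
        return -1;
    for (i = 0; i < n; i++) {
        memcpy(&out[i], buf + i * sizeof(USERINFO), sizeof(USERINFO));
        if (bounded_wlen(out[i].wszUser, USER_BUFFER_LENGTH) == USER_BUFFER_LENGTH)
            return -1;                   /* unterminated name: reject the batch */
    }
    return (long)n;
}

/* Constructed sample: two records with placeholder hash bytes, not real hashes. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    USERINFO recs[2];
    memset(recs, 0, sizeof recs);
    memset(recs[0].cHash, 'A', sizeof recs[0].cHash);
    wcsncpy(recs[0].wszUser, L"alice", USER_BUFFER_LENGTH - 1);
    memset(recs[1].cHash, 'B', sizeof recs[1].cHash);
    wcsncpy(recs[1].wszUser, L"bob", USER_BUFFER_LENGTH - 1);
    return pack_records(recs, 2, buf, cap);
}

/* Round trip of the sample: expect 2. */
long demo_roundtrip(void)
{
    unsigned char buf[4 * sizeof(USERINFO)];
    USERINFO out[4];
    size_t len = build_sample(buf, sizeof buf);
    return parse_records(buf, len, out, 4);
}

/* Same bytes with one missing, as a receiver built with a different
 * USERINFO size would see them: expect -1. */
long demo_truncated(void)
{
    unsigned char buf[4 * sizeof(USERINFO)];
    USERINFO out[4];
    size_t len = build_sample(buf, sizeof buf);
    return parse_records(buf, len - 1, out, 4);
}

/* A name filling all USER_BUFFER_LENGTH characters with no NUL: expect -1. */
long demo_unterminated(void)
{
    USERINFO rec, out[1];
    unsigned char buf[sizeof(USERINFO)];
    size_t i;
    memset(&rec, 0, sizeof rec);
    for (i = 0; i < USER_BUFFER_LENGTH; i++)
        rec.wszUser[i] = L'x';
    return parse_records(buf, pack_records(&rec, 1, buf, sizeof buf), out, 1);
}
```

The size check is the part that would have caught a half-applied edit: with the struct defined once in a shared header (or at least tied to the same USER_BUFFER_LENGTH macro), a receiver that still expects the old record length fails at compile time rather than silently misframing every record after the first.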

Partial Log:

E:\pwd-test-v4>pwd

E:\pwd-test-v4>echo 18:38:13.88
18:38:13.88

E:\pwd-test-v4>pwdump-v4 -o hashdump.txt -u administrator -p password -n localhost

pwdump6 Version 2.0.0-beta-2 by fizzgig and the mighty group at foofus.net
** THIS IS A BETA VERSION! YOU HAVE BEEN WARNED. **
Copyright 2009 foofus.net


Waiting for remote service to terminate...
Servers with many user accounts can take several minutes
1824
2515
3197
3933
4733
6441
.....
3645610
3646841
3647974
3648999
3650150
3651481
3652778
3654007
3655129

Outputting data for array of size: 3655856
Completed.

E:\pwd-test-v4>echo  3:34:19.15
 3:34:19.15

E:\pwd-test-v4>

Keith