[foofus-tools] pwdump6

Keith Morrell keith.morrell at optusnet.com.au
Tue May 25 13:28:42 PDT 2010


Hi Johny...my thoughts on how I would like it to work (given my recent
experiences):


1. Manually handle the AV product, as now (presumably) you are doing this on (or to) a box you have full legal access to, and full admin rights to work on. This is what I am doing anyway, as I have full support to do what I'm doing.

2. It seems the current version (which was probably never designed to work with 3.5M users in an AD, and with all due respect and thanks to all the contributors to the current product) has issues when the USERINFO array gets large, so in my simple thoughts, it would be good if this array never had to be "saved", and that each user/hash was output as it was read in (one of my colleagues is looking at this as a "challenge", and in very simple terms, assuming it's possible, put the file writing code of pwdump.cpp inside lsaext.c).


I note that fgdump, which is based on this code it seems, has a 20 minute
timeout, which is also why that doesn't work for me...


On a large AD, as USERINFO grows, I've observed the rate of extraction slows
considerably, so my main aim would be to rework how this array is handled,
or negate its need entirely...


Many thanks to all suggestions and advice...and I'm happy to assist with any
beta testing.


One question I have (as I don't understand its functioning fully) is: could I run this (64-bit version) on a Windows 7 x64 PC hooking up to a local 32-bit Windows 2003/AD server running in a VM (VMware) on the same box? (I might try this anyway...) i.e. what parts would run on my PC and what parts (if any) would run on the AD (VM)?


Regards,


Keith Morrell


From: Johny Death [mailto:johnydeath at hotmail.com] 
Sent: Tuesday, 25 May 2010 10:15 PM
To: fizzgig at foofus.net
Cc: foofus-tools at lists.foofus.net
Subject: Re: [foofus-tools] pwdump6


Hi Guys,

Just arrived in the middle of the thread and it's very interesting stuff - I see Keith has success now, which is great.

I'd like to get current opinions regarding best methodology of hash dumping
- my last encounter which was several months ago and ended with the DC
dropping because of McAfee - yes I've seen the warnings... afterwards.

Will ver3.0 alpha (and production) negate the need to turn off the AV, or
would it still be considered better to get the AV disabled for the period of
the audit/test?  If this is the case and if part of a pentest, then an
agreement would have to be made between customer and tester like 'well I
believe I can achieve a hash dump, but a) do you want me to prove it, and b)
if you do, then what do you want to do to manage the risk'. 

I read a while ago that Metasploit uses a 'safe' technique now?
http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html

What does the floor think?

Keep up the good work - it's greatly appreciated


