moyix / creddump Goto Github PK
View Code? Open in Web Editor NEWAutomatically exported from code.google.com/p/creddump
License: GNU General Public License v3.0
Automatically exported from code.google.com/p/creddump
License: GNU General Public License v3.0
The hashdump.py code used by pwdump.py yields corrupted hashes when extracting
windows LM and NTLM hashes are extracted from SAM/SYSTEM files.
What steps will reproduce the problem?
1. A user who is not storing an LM hash
2. A system which has password histories enabled
What is the expected output? What do you see instead?
The expected output is the correct NT hash for the user. However, an LM and
NTLM hash are presented to the user. Neither of these hashes are correct and
will not crack.
What version of the product are you using? On what operating system?
Creddump2.0 on Windows XP <=> Windows 8 Pre-Release. Windows 2000 is also
expected to yield the same, but has not been tested yet.
Please provide any additional information below.
I've attached two files to this submission, one is a patch diff for a fix we've
developed for the hashdump.py script and the other is the actual patched file.
This issue along with other extraction tools that are affected in a similar way
will be discussed at BlackHat USA 2012 and DEFCON 20 in 2 weeks.
If you have questions, please let us know.
-Jonathan Claudius (@claudijd)
-Ryan Reynolds (@reynoldsrb)
Original issue reported on code.google.com by [email protected]
on 8 Jul 2012 at 8:00
Attachments:
C:\>python cachedump.py SYSTEM SECURITY
ERR: Couldn't find subkey PolSecretEncryptionKey of Policy
How do I obtain the subkey PolSecretEncryptionKey of Policy?
Thanks,
Enda
Original issue reported on code.google.com by [email protected]
on 17 May 2013 at 12:35
What steps will reproduce the problem?
1. ./cachedump.py sys sec
Traceback (most recent call last):
File "./cachedump.py", line 32, in <module>
dump_file_hashes(sys.argv[1], sys.argv[2])
File "/root/Tars/creddump-0.1/framework/win32/domcachedump.py", line 114,
in dump_file_hashes
for (u, d, dn, hash) in dump_hashes(sysaddr, secaddr):
File "/root/Tars/creddump-0.1/framework/win32/domcachedump.py", line 67,
in dump_hashes
bootkey = get_bootkey(sysaddr)
File "/root/Tars/creddump-0.1/framework/win32/hashdump.py", line 116, in
get_bootkey
class_data = sysaddr.read(key.Class.value, key.ClassLength.value)
AttributeError: 'NoneType' object has no attribute 'Class'
Fedora 8
Original issue reported on code.google.com by [email protected]
on 2 May 2008 at 3:40
> python pwdump.py system SAM
Administrateur:500:XXXXXXXXXXXXXXXX:YYYYYYYYYYYYYYYY:::
Traceback (most recent call last):
File "pwdump.py", line 31, in <module>
dump_file_hashes(sys.argv[1], sys.argv[2])
File "/tmp/cr/creddump-0.1/framework/win32/hashdump.py", line 244, in
dump_file_hashes
dump_hashes(sysaddr, samaddr)
File "/tmp/cr/creddump-0.1/framework/win32/hashdump.py", line 239, in
dump_hashes
lmhash.encode('hex'), nthash.encode('hex'))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in
position 5: ordinal not in range(128)
I guess it is because of the "Invité" account and the "é" character.
Thanks for this tools, I think it will be useful.
Original issue reported on code.google.com by [email protected]
on 23 Mar 2009 at 8:03
Is it possible to get hash value for SYSTEM account.
As written in Documentation usage
usage: ./pwdump.py <system hive> <SAM hive>
.
Suppose, I have a local SAM file (say in the same directory as of pwdump.py) , and I want to extract password hashes from it, what will be the values of the arguments <system hive>
and <SAM hive>
?
Thanks!
1. ./lsadump.py <system hive> <security hive>
ERR: Couldn't find subkey PolSecretEncryptionKey of Policy
Traceback (most recent call last):
File "./lsadump.py", line 46, in <module>
secrets = get_file_secrets(sys.argv[1], sys.argv[2])
File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 135, in get_file_secrets
return get_secrets(sysaddr, secaddr)
File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 126, in get_secrets
secret = decrypt_secret(enc_secret[0xC:], lsakey)
File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 66, in decrypt_secret
block_key = key[j:j+7]
TypeError: 'NoneType' object is unsubscriptable
Version: 0.3 Date: 8/1/2012 on backtrack5r3 liveUSB
If I try on the netbook with XP SP3 it works!!!
But when I try on the notebook with Win7 Home Premium 64bit it doesn't work!!!!
Original issue reported on code.google.com by [email protected]
on 31 Aug 2012 at 9:43
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.