moyix / creddump Goto Github PK

The hashdump.py code used by pwdump.py yields corrupted hashes when extracting 
windows LM and NTLM hashes are extracted from SAM/SYSTEM files.

What steps will reproduce the problem?

1. A user who is not storing an LM hash
2. A system which has password histories enabled

What is the expected output? What do you see instead?

The expected output is the correct NT hash for the user.  However, an LM and 
NTLM hash are presented to the user.  Neither of these hashes are correct and 
will not crack.

What version of the product are you using? On what operating system?

Creddump2.0 on Windows XP <=> Windows 8 Pre-Release.  Windows 2000 is also 
expected to yield the same, but has not been tested yet.

Please provide any additional information below.

I've attached two files to this submission, one is a patch diff for a fix we've 
developed for the hashdump.py script and the other is the actual patched file.

This issue along with other extraction tools that are affected in a similar way 
will be discussed at BlackHat USA 2012 and DEFCON 20 in 2 weeks.

If you have questions, please let us know.

-Jonathan Claudius (@claudijd)
-Ryan Reynolds (@reynoldsrb)

C:\>python cachedump.py SYSTEM SECURITY
ERR: Couldn't find subkey PolSecretEncryptionKey of Policy


How do I obtain the subkey PolSecretEncryptionKey of Policy?


Thanks,
Enda

What steps will reproduce the problem?
1. ./cachedump.py sys sec


Traceback (most recent call last):
  File "./cachedump.py", line 32, in <module>
    dump_file_hashes(sys.argv[1], sys.argv[2])
  File "/root/Tars/creddump-0.1/framework/win32/domcachedump.py", line 114,
in dump_file_hashes
    for (u, d, dn, hash) in dump_hashes(sysaddr, secaddr):
  File "/root/Tars/creddump-0.1/framework/win32/domcachedump.py", line 67,
in dump_hashes
    bootkey = get_bootkey(sysaddr)
  File "/root/Tars/creddump-0.1/framework/win32/hashdump.py", line 116, in
get_bootkey
    class_data = sysaddr.read(key.Class.value, key.ClassLength.value)
AttributeError: 'NoneType' object has no attribute 'Class'

Fedora 8

> python pwdump.py system SAM 
Administrateur:500:XXXXXXXXXXXXXXXX:YYYYYYYYYYYYYYYY:::
Traceback (most recent call last):
  File "pwdump.py", line 31, in <module>
    dump_file_hashes(sys.argv[1], sys.argv[2])
  File "/tmp/cr/creddump-0.1/framework/win32/hashdump.py", line 244, in
dump_file_hashes
    dump_hashes(sysaddr, samaddr)
  File "/tmp/cr/creddump-0.1/framework/win32/hashdump.py", line 239, in
dump_hashes
    lmhash.encode('hex'), nthash.encode('hex'))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in
position 5: ordinal not in range(128)

I guess it is because of the "Invité" account and the "é" character.


Thanks for this tools, I think it will be useful.

1. ./lsadump.py <system hive> <security hive>

ERR: Couldn't find subkey PolSecretEncryptionKey of Policy
Traceback (most recent call last):
  File "./lsadump.py", line 46, in <module>
    secrets = get_file_secrets(sys.argv[1], sys.argv[2])
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 135, in get_file_secrets
    return get_secrets(sysaddr, secaddr)
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 126, in get_secrets
    secret = decrypt_secret(enc_secret[0xC:], lsakey)
  File "/pentest/passwords/creddump/framework/win32/lsasecrets.py", line 66, in decrypt_secret
    block_key = key[j:j+7]
TypeError: 'NoneType' object is unsubscriptable

Version: 0.3 Date: 8/1/2012     on backtrack5r3 liveUSB 
If I try on the netbook with XP SP3 it works!!!
But when I try on the notebook with Win7 Home Premium 64bit it doesn't work!!!!