
Cain & Abel


Ethan Hunt


OK, so I was messing around in Cain & Abel and tried the "Dump LSA Secrets" tool. It got my default Windows password... Does anyone know how it does that? I already have the LM hashes turned off in the registry, if this actually has anything to do with that. I should mention that I'm logged in as an admin when trying this...

Thanks...


Yeah, I kinda understood that by reading the help a little bit. But here's the thing... Doesn't pwdump just give the LM hashes? Or am I missing something here? Or does it go to the SAM file and give the password from there? Is the SAM file there although I've turned my LM hashes off in the registry? And one funny thing is that this is what I get. For example:

DefaultPassword

64 00 61 00 73 00 65 00 64 00 62 00 61 00 6D 00 p.a.s.s.w.o.r.d

So the "p.a.s.s.w.o.r.d" is actually the Windows password in almost clear-text format...

More info??..


Ethan Hunt, you wouldn't happen to know what ASCII or UTF-16 is, would you? Does "dasedba" have any significance to you? Is that your password? I hope not. If it is, change it now!!!!

It's generally a good idea not to post anything directly related to your password in a forum, even if you think it's harmless.


4E6F7420736F206272696768742C206172652077653F


So the string of characters is actually the ASCII code of the password itself?? Is that what you're saying... BTW: don't worry, I changed the code before posting, so 'dasedba' doesn't actually mean anything to me :D roflmao... Of course, this still doesn't actually answer my question...



Well, that's good. As soon as I noticed that the hex didn't match the password I got concerned.

And this is what the manual has to say about dumping LSA secrets.

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt LSA secrets present on the system. It uses the "DLL injection" technique to run a thread in the same security context as the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of the LSASS process, and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed, the thread will run with the same access privileges as the Local Security Authority Subsystem; it will load the function "DumpLsa" from Abel.dll, which will open and query each secret using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The thread stores the data returned from these functions in a temporary file named lsa.txt located in the same directory as the program. Finally, the content of this file is put on the screen and the temporary file is deleted.

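The manual text above describes the detectable part of the technique: a process holding SeDebugPrivilege opens lsass.exe, writes code into it and starts a thread there. As an added example (not code from the post or from Cain & Abel), the following triages process-access records of the shape Sysmon Event ID 10 (ProcessAccess) produces, flagging handles to lsass.exe that carry the rights WriteProcessMemory and CreateRemoteThread need. The sample events, image paths and the choice of which rights to treat as "injection" versus "memory read" are constructed assumptions, not observed Cain & Abel behaviour.

```python
"""Triage process-access events against lsass.exe for injection-style rights.

Added example, not from the post or from Cain & Abel. Field names follow
Sysmon Event ID 10 (SourceImage, TargetImage, GrantedAccess); the events
themselves are constructed. Access-right values are the Win32 PROCESS_* bits.
"""

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights the copy-code-then-start-thread step cannot do without:
# WriteProcessMemory needs VM_WRITE|VM_OPERATION, CreateRemoteThread needs
# CREATE_THREAD. Treating this subset as the signature is an assumption;
# the documented CreateRemoteThread requirement also lists VM_READ and
# QUERY_INFORMATION, so a tool requesting the full set still matches.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# Reading LSASS memory (credential dumping without injection) needs VM_READ.
READ_MASK = PROCESS_VM_READ

# Constructed sample events (paths and masks are illustrative only).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Tools\Cain\Cain.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\eh\Desktop\inj.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x42A"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\x.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
]


def classify(event):
    """Return 'ignore' for non-LSASS targets, else 'inject', 'read' or 'benign'
    depending on which rights the granted access mask contains."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return "ignore"
    granted = int(event["GrantedAccess"], 16)
    if granted & INJECT_MASK == INJECT_MASK:
        return "inject"
    if granted & READ_MASK:
        return "read"
    return "benign"


def triage(events):
    """List (source image, verdict) for every event that touched lsass.exe,
    most severe first."""
    order = {"inject": 0, "read": 1, "benign": 2}
    hits = [(e["SourceImage"], classify(e)) for e in events]
    hits = [h for h in hits if h[1] != "ignore"]
    return sorted(hits, key=lambda h: order[h[1]])


if __name__ == "__main__":
    for source, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:7s} {source}")
```

Note that a full-access handle (0x1FFFFF) and a minimal 0x42A handle both classify as "inject", while a 0x1410 handle, which is what a minidump-style read looks like, is reported separately as "read"; a real deployment would also exclude the handful of system binaries that legitimately open lsass.exe with limited rights.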
