Jump to content

Cain & Able


Ethan Hunt
 Share

Recommended Posts

Ok so I was messing around in cain&able and tried the "Dump LSA Secrets" tool. It got my default windows password... Does anyone know how does it do that? I already have the LM hashes turned off in the registry if this actually has anything to do with that. I should mention that I'm logged in as an admin when trying this...

Thanks...

Link to comment
Share on other sites

Yeah I kinda understood that by reading the help a little bit. But here's the thing.. Doesn't pwdump just give the lm hashes? Or am I missing something here? Or does it go to the SAM file and give the password from there? Is the SAM file there although I've turned my lm hashes off in the registry? And one funny things is that this is what I get: For example:

DefaultPassword

64 00 61 00 73 00 65 00 64 00 62 00 61 00 6D 00 p.a.s.s.w.o.r.d

So the " p.a.s.s.w.o.r.d " is the actually windows password in almost clean text format...

More info??..

Link to comment
Share on other sites

Ethan Hunt, you wouldn't happen to know what ASCII or UTF-16 is would you? Does "dasedba" has any significance to you? Is that your password? I hope not. If it is, change it now!!!!

Its generally a good idea not to post anything directly related to your password in a forum. Even if you think its harmless.

Link to comment
Share on other sites

4E6F7420736F206272696768742C206172652077653F

Link to comment
Share on other sites

So the string of characters is actually the ascii code of the password itself?? Is that what ur saying... BTW: DOn't worry I changed the code before posting so 'dasedba' doesn't actually mean anything to me :D roflmao... Of course this still doesn't actually answer my question...

Link to comment
Share on other sites

So the string of characters is actually the ascii code of the password itself?? Is that what ur saying... BTW: DOn't worry I changed the code before posting so 'dasedba' doesn't actually mean anything to me :D roflmao... Of course this still doesn't actually answer my question...

Well, Thats good. As soon as I noticed that the hex didn't match the password I got concerned.

And this is what manual has to say about dumping LSA secrets.

How it works

This feature of the program follows the same methodology used by Todd Sabin in his PWDUMP2 program to decrypt LSA secrets present on the system. It uses the "DLL injection" technique to run a thread in the same security context of the Local Security Authority Subsystem process. The thread's executable code must first be copied to the address space of LSASS process and this requires an account with the SeDebugPrivilege user right. By default only Administrators have this right.

Once injected and executed the thread will run with the same access privileges of the Local Security Authority Subsystem; it will load the function "DumpLsa" from Abel.dll which will open and query each secret using the LsarOpenSecret and LsarQuerySecret APIs from LSASRV.DLL. The thread stores the data returned from these functions in a temporary file named lsa.txt located in the same directory of the program. Finally, the content of this file is put on the screen and the temporary file is deleted.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...