Nmap Development mailing list archives
Re: [NSE] pwdump script
From: "Raul Siles" <raul.siles () gmail com>
Date: Tue, 6 Jan 2009 13:23:07 +0100
Hi Ron,

I think it is a good addition to the nmap users' arsenal, and as it is just an NSE script, its usage is optional.

I would add to it pass-the-hash capabilities to authenticate against the remote system, with a new option (smbhash), such as:

  $ ./nmap -d -p139,445 --script=smb-pwdump --script-args=smbhash=<hash> <host>

The <hash> should be in the LM:NTLM format.

Thanks,

--
Raul Siles
www.raulsiles.com

On Mon, Jan 5, 2009 at 4:10 AM, Ron <ron () skullsecurity net> wrote:
Hi all,

I wanted to get people's opinions on an NSE script that I'm in the process of writing (well, almost finished writing). Basically, using the remote files included with pwdump6, and an administrator-level account, it dumps the password hashes from the target system. (The .exe and .dll that are required are run on the remote system, not the local system, so it doesn't matter which OS you're coming from.)

For what it's worth, I got permission from the copyright holder of the pwdump/fgdump tools to use and distribute their executables, but I think it's a good idea to ask people to download them (if for no other reason, then because I don't want Nmap to be picked up by antivirus software -- the necessary files are). I also CCed him on this email.

You can try it out yourself by using my svn version. This is how I do it (sorry if this is wrapped):

  svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ron/nmap-smb
  cd nmap-smb
  ./configure && make
  cd nselib/data
  wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2
  tar -xvjf pwdump6-1.7.2-exe-only.tar.bz2 servpw.exe lsremora.dll
  cd ../..
  export NMAPDIR=.
  ./nmap -d -p139,445 --script=smb-pwdump --script-args=smbuser=<username>,smbpass=<password> <host>

Here is example output:

Host script results:
| smb-pwdump:
| Administrator:500:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
| ASPNET:1001:359E64F7361B678C283B72844ABF5707:49B784EF1E7AE06953E7A4D37A3E9529:::
| blankadmin:1003:NO PASSWORD*********************:NO PASSWORD*********************:::
| blankuser:1004:NO PASSWORD*********************:NO PASSWORD*********************:::
| Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
| Ron:1000:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
|_ test:1002:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::

The format is the standard style (except for the leading '|' from Nmap), which can be used in most standard password cracking programs.

Currently, it'll only work against server versions of Windows (2000 and 2003) -- I have to re-write some of my authentication logic to run against XP, and I have my doubts that it'll work on Vista and above. Also, it'll currently work only if there's a writeable C$ share -- that's definitely going to change before I'm done.

This script probably isn't the most useful, directly, because it requires an account (if you run it along with smb-brute.nse, it'll attempt to use accounts it finds). That being said, finding a tool that can remotely dump hashes from Linux isn't easy (Metasploit is one way, but it's even more invasive than this). Instead, this is more of a demonstration about how NSE can be used for more than scanning, but for deeper pen-testing work.

Speaking of invasive, the way this script works is by uploading the .exe/.dll to the remote system and executing them as a service. Whereas some tools are about evading detection, I wrote this with cleaning in mind -- it doesn't attempt to evade AV software, and it does its absolute best to clean itself up in every circumstance.

The hashes dumped can potentially be used to log into other systems where users have the same password. As such, an eventual goal (and I don't think this is possible (or at least easy) with the way NSE is right now) is to collect hashes and try them on other systems to dump hashes from them. So, as you go along, you'd be collecting password hashes across the network. So, for example, if System A has a weak admin password and a handful of users have accounts there, those users' password hashes are now compromised. Those hashes can be used to log into Systems B, C, and D, where more hashes can be stolen, and so on.

As you can see, this is leading far more into pen-testing than NSE normally does, but it's incredibly cool stuff. There are a lot of other things you can do once you're running a program on the remote system. Anything, really. But here are some thoughts that I had:

- Take a screenshot of the system
- Dump DNS/ARP cache
- Dump protected storage
- Find WEP/WPA keys

Any of these would be relatively easy to do using the framework I wrote for pwdump. All of this, of course, would require getting the admin password first (but it only takes one box with a weak password).

So, any comments or questions? I'm pretty excited about the possibilities that this tool has.

Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
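Two things in this exchange are worth working through in code: the pwdump-style output the script prints (user:RID:LM:NTLM:::, with Nmap's leading '|' to strip) and the reuse point Ron makes, that an identical NTLM hash on two accounts means an identical password, since neither LM nor NTLM is salted, which is what makes the collect-and-try-elsewhere approach work. The reply also proposes an smbhash=LM:NTLM argument. The Python below is an added example written for this archive page; it is not code from smb-pwdump, pwdump6 or Nmap. It parses the sample output quoted above (copied verbatim, with the Nmap prefixes left on), flags blank-password accounts, groups accounts that share an NTLM hash, reads off what the LM hash gives away about password length, and validates an LM:NTLM argument of the kind Raul suggests. The empty-hash constants and the "second LM half equals AAD3B435B51404EE for passwords of 7 or fewer characters" rule are standard properties of the LM/NTLM schemes; the function names are this example's own.

```python
"""Post-processing for pwdump-style hash dumps (added example, not smb-pwdump code)."""
import re
from collections import defaultdict

# Placeholder pwdump6 prints when an LM or NTLM hash is empty.
NO_PASSWORD = "NO PASSWORD*********************"
# The hex a real empty-password hash carries, which crackers and PtH tools expect.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
# LM hashes the password as two 7-character halves; a password of 7 or fewer
# characters leaves the second half as this constant.
LM_EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-F]{32}$")

# Constructed input: the output quoted in Ron's mail, Nmap prefixes included.
SAMPLE = """\
| smb-pwdump:
| Administrator:500:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
| ASPNET:1001:359E64F7361B678C283B72844ABF5707:49B784EF1E7AE06953E7A4D37A3E9529:::
| blankadmin:1003:NO PASSWORD*********************:NO PASSWORD*********************:::
| blankuser:1004:NO PASSWORD*********************:NO PASSWORD*********************:::
| Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
| Ron:1000:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
|_ test:1002:D702A1D01B6BC2418112333D93DFBB4C:C8DBB1CFF1970C9E3EC44EBE2BA7CCBC:::
"""


def parse_pwdump(text):
    """Return (user, rid, lm, ntlm) tuples; blank placeholders become real empty hashes."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", line.strip())  # drop Nmap's '| ' / '|_ ' prefix
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # 'smb-pwdump:' header or other non-record line
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2], fields[3]
        lm = EMPTY_LM if lm == NO_PASSWORD else lm.upper()
        nt = EMPTY_NT if nt == NO_PASSWORD else nt.upper()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError("malformed hash field in line: %r" % line)
        records.append((user, rid, lm, nt))
    return records


def blank_password_accounts(records):
    """Accounts whose NTLM hash is the empty-password hash."""
    return [u for u, _, _, nt in records if nt == EMPTY_NT]


def shared_ntlm_hashes(records):
    """NTLM hashes used by more than one account, mapped to those accounts.

    No salt means equal hashes are equal passwords: any one of these accounts
    cracked (or replayed) gives the password for all of them.
    """
    by_hash = defaultdict(list)
    for user, _, _, nt in records:
        if nt != EMPTY_NT:
            by_hash[nt].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def lm_observations(records):
    """Per non-blank account: is an LM hash stored, and does it reveal a short password?"""
    out = {}
    for user, _, lm, nt in records:
        if nt == EMPTY_NT:
            continue
        has_lm = lm != EMPTY_LM
        out[user] = {"lm_stored": has_lm,
                     "password_7_or_fewer": has_lm and lm[16:] == LM_EMPTY_HALF}
    return out


def parse_hash_arg(arg):
    """Validate an 'LM:NTLM' argument like the proposed smbhash option.

    Returns (lm, ntlm) upper-cased; an empty LM side is filled with the
    standard empty LM hash. Raises ValueError on anything else.
    """
    parts = arg.split(":")
    if len(parts) != 2:
        raise ValueError("expected LM:NTLM")
    lm, nt = (parts[0].upper() or EMPTY_LM), parts[1].upper()
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError("each half must be 32 hex characters")
    return lm, nt


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE)
    print("blank passwords:", blank_password_accounts(recs))
    for h, users in shared_ntlm_hashes(recs).items():
        print("NTLM %s shared by %s" % (h, ", ".join(users)))
```

Run against the quoted sample, the script reports blankadmin, blankuser and Guest as blank, and a single NTLM hash shared by Administrator, Ron and test: the local admin and two other accounts have the same password, so that one hash is enough to try against every other host with pass-the-hash, which is exactly the spread Ron describes for Systems B, C and D. Both Administrator and ASPNET also still store an LM hash, so their passwords are at most 14 characters and crackable case-insensitively.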
Current thread:
- [NSE] pwdump script Ron (Jan 04)
- Re: [NSE] pwdump script Raul Siles (Jan 06)
- Re: [NSE] pwdump script Ron (Jan 06)
- Re: [NSE] pwdump script David Fifield (Feb 11)
- Re: [NSE] pwdump script Ron (Feb 11)
- Re: [NSE] pwdump script David Fifield (Feb 11)
- Re: [NSE] pwdump script Ron (Feb 11)
- Re: [NSE] pwdump script Kristof Boeynaems (Feb 12)
- Re: [NSE] pwdump script Ron (Feb 12)
- Re: [NSE] pwdump script Ron (Feb 11)
- Re: [NSE] pwdump script Raul Siles (Jan 06)