
CBTU presents the Ethical Hacker training course

Module 5: System hacking

Section 5.19: Pwdump and Hash Suite

Note: All the logos, trademarks are copyrights of the respective companies. CEH is the trademark of EC-Council (www.eccouncil.org).
Caution: The Ethical Hacker course is for educational purposes only and is NOT to be used for unethical, illegal or malicious
activities. Cyber laws all over the world enforce strict punishments for violations of ethics, for gaining unauthorized access to
any computer system/network, and for related illegal activities.
Pwdump
• Pwdump is the name of various Windows programs
that output the LM and NTLM password hashes of
local user accounts from the Security Account
Manager (SAM).
• Pwdump could be said to compromise security
because it could allow a malicious administrator to
access users' passwords.
Password Dumper - pwdump7 ( v7.1 )
www.tarasco.org has developed a new password
dumper for Windows named PWDUMP7.
The pwdump7 tool works by reading the binary SAM and
SYSTEM hive files directly from the filesystem and then
extracting the hashes from them.
Pwdump7 can also extract hashes offline from SAM and
SYSTEM files selected by the user.
pwdump7

http://passwords.openwall.net/b/pwdump/pwdump7.zip
http://hashsuite.openwall.net/
Pwdump - history
• 1997 - The initial program pwdump was written by
Jeremy Allison.
• 2006 - pwdump6 - by fizzgig (GPL), improvement of
pwdump3e.
• pwdump7 — by Andres Tarasco (freeware), uses its own file
system drivers. No source code.
LM hash
• LM hash is a compromised password hashing
function that Microsoft LAN Manager and Microsoft
Windows versions prior to Windows NT used to store
user passwords.
• Support for the legacy LAN Manager protocol remained in
later versions of Windows, but Microsoft recommended that
administrators turn it off; as of Windows Vista, the protocol is
disabled by default.
LAN Manager
• LAN Manager was a Network Operating System
(NOS) available from multiple vendors and developed
by Microsoft in cooperation with 3Com Corporation.
It was designed to succeed 3Com's 3+Share network
server software, which ran atop a modified version of
MS-DOS.
NT LAN Manager (NTLM)
• NT LAN Manager (NTLM) is a suite of Microsoft security protocols
that provides authentication, integrity, and confidentiality to
users.
• NTLM is the successor to the authentication protocol in LANMAN.
• The NTLM protocol suite is implemented in a Security Support
Provider, which combines the LAN Manager authentication protocol
and the NTLM session protocols in a single package.
• NTLM passwords are weak as they can be brute-forced very easily
with modern hardware.
Security Account Manager (SAM)
• SAM is a database file in Windows XP, Vista, Win 7 that
stores users' passwords. It can be used to authenticate
local and remote users.
• The user passwords are stored in hashed form in a
registry hive, either as an LM hash or as an NTLM hash.
• This file can be found at
%SystemRoot%\system32\config\SAM and is mounted
at HKLM\SAM.
Copying SAM file
• The SAM file cannot be moved or copied while Windows is
running, since the Windows kernel keeps an exclusive
filesystem lock on the SAM file, and will not release that lock
until the operating system has shut down or a "Blue Screen of
Death" exception has been thrown.
• However, the in-memory copy of the contents of the SAM can
be dumped using pwdump for an offline brute-force attack.
Removing LM hash
• LM hash is a compromised hashing scheme and has been
replaced by the NTLM hash.
• Most versions of Windows can be configured to disable
the creation and storage of valid LM hashes when the
user changes their password. Windows Vista and later
versions of Windows disable LM hash by default.
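A quick way for an administrator to check whether the "disable LM hash" setting has actually taken effect is to audit a dump in pwdump's `user:rid:lm:nt:::` format for accounts that still carry an LM hash. The block below is an added example, not code from the course or from any pwdump tool. It relies on two standard constants that are not on the slides: the LM and NT hash of an empty password (`aad3b435...` and `31d6cfe0...`). An LM hash whose second 16 hex characters equal the empty-password half indicates a password of at most 7 characters, since LM hashes each 7-character half independently. The sample dump is constructed and its non-empty hash values are made up; the "NO PASSWORD" placeholder handling is an assumption about what some dumper versions print.

```python
import re

# Standard values: LM hash and NT hash of the empty password (not taken from the slides).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[16:]
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump's "user:rid:lm:nt:::" format. The non-empty hash values
# below are made up for illustration and do not correspond to any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:fedcba9876543210aad3b435b51404ee:89abcdef0123456789abcdef01234567:::
svc_backup:1002:fedcba98765432100123456789abcdef:76543210fedcba9876543210fedcba98:::
"""


def parse_pwdump_line(line: str) -> dict:
    """Split one pwdump record into its fields; hashes are normalised to lowercase hex."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    lm, nt = parts[2].lower(), parts[3].lower()
    # Assumption: some dumper versions print a "NO PASSWORD****..." placeholder instead of
    # the empty-password hash; treat it as equivalent so the audit logic stays uniform.
    if lm.startswith("no password"):
        lm = EMPTY_LM
    if nt.startswith("no password"):
        nt = EMPTY_NT
    return {"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt}


def audit_account(acct: dict) -> list:
    """Return a list of findings for one account (empty list means nothing to report)."""
    issues = []
    if not (_HEX32.match(acct["lm"]) and _HEX32.match(acct["nt"])):
        return ["malformed"]
    if acct["lm"] != EMPTY_LM:
        # A real LM hash means the NoLMHash policy was not in force when this password was set.
        issues.append("lm_hash_present")
        if acct["lm"][16:] == EMPTY_LM_HALF:
            # Second half equals the empty-string value: the password is 7 characters or fewer.
            issues.append("lm_password_le_7_chars")
    if acct["nt"] == EMPTY_NT:
        issues.append("empty_password")
    return issues


def audit_dump(text: str) -> dict:
    """Audit every non-blank line of a pwdump-format dump; returns {user: [findings]}."""
    records = (parse_pwdump_line(l) for l in text.splitlines() if l.strip())
    return {acct["user"]: audit_account(acct) for acct in records}


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(issues) or 'ok'}")
```

Accounts flagged `lm_hash_present` keep their LM hash until the next password change even after the policy is enabled, so a forced password reset is the usual follow-up.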
https://blog.quarkslab.com/quarks-pwdump.html
http://pogostick.net/~pnh/ntpasswd/
pwdump6
pwdump6 by fizzgig
Windows 2000/XP/2003/Vista, free (GPL v2)
Download local copy of pwdump6 1.7.2 in ZIP (1268
KB) or tar.bz2 format (1103 KB)
pwdump6 is a significantly modified version of
pwdump3e. This program is able to extract NTLM
and LanMan hashes from a Windows target.
http://passwords.openwall.net/b/pwdump/pwdump6-1.7.2.zip
Thanks for watching
Visit us at: CBTUniversity.com
Write to us at: learnq@cbtuniversity.com
Reach us at:  +91 963 246 5599