Friday, August 17, 2007

Pass-The-Hash Toolkit and LSASRV.DLL

One quick note: IAM.EXE reads at specific locations of LSASRV.DLL's address space to obtain data necessary to encrypt the credentials before changing them and other stuff. For that reason, IAM.EXE has specific code that checks for the LSASRV.DLL version present on the system where it is run, and if it does not match with the ones I know, the program exits.

The idea behind this is to avoid situations where you would run the tool in a system that doesn't have the correct LSASRV.DLL version most likely crashing the LSASS.EXE process and having to reboot your machine. not good :).

So, if you run IAM.EXE and get something like this:

Checking LSASRV.DLL....Unknown LSASRV.DLL.
LSASRV.DLL: 00050001h. A280884h

It means I don't know about your DLL version. Please send me an email with the version number you have and I'll do my best to get a hold of a copy of that exact DLL version to solve the issue. (when you are at it, also send me the text representation of the DLL version just in case , just rigth-click the DLL, properties->Version->File
Version, and also the language of your windows installation, etc.)

I'll try to come up with a generic solution for this, but since the tool is mostly intended to be run on your own machine and not to be used to compromise a machine or whatever, I didn't think it would matter much to make it generic. This should not be difficult to implement.

On the other hand, WHOSTHERE.EXE does not have such checks because it only reads memory, so when it fails, you only get invalid output; the worst thing that can happen is WHOSTHERE.EXE itself crashing.

6 comments:

Anonymous said...

Is this why I get "Cannot read IV from LSASS!." on Win2k3?

hernan said...

yes, actually, I removed from whosthere.exe v1.0 all the code that lists the hashes for win2k3 because I was tired on testing different LSASRV.DLL/OS version combinations and wanted to release the tool :). I'm going to release a new version of the tools that support more platforms soon.

Brad said...

Hernan,

First of all...awesome work.

Second: what would it take to get a newer version of the tools that works on more platforms? Do you need copies of the various DLLs from all the OSes? A donation?

We really would like to use this kit on more environments!

Thanks!

hernan said...

Hi Brad!,

Thanks for your comments!.

Yes, I need the LSASRV.DLL for the different OSes you want support for. Just send me and email and we can discuss how to add support for the platforms you want.

A month ago or so I released v1.1 of the toolkit which supports more platforms.

Since then, some people sent me the necessary info to add more platforms, a few are already there, the upcoming version of the tool will contain support for more platforms.

A donation is not necessary :), just bare with me as I try to have time to work on the tool.

Thanks!

stewart said...

The whosethere tool is still crashing on a windows 2003 server. (english) version. Is this suppose to be the case?

hernan said...

Please send me an email to hernan@gmail.com, I'll fix it.
the tool is expecting to not work in some versions of windows, but with a little work I can adapt it to any version.

So, please, send me an email!.

Thanks!,
Hernan