Tuesday, September 04, 2007

Pass-The-Hash Toolkit v1.1 Released

I just released Pass-The-Hash Toolkit v1.1. This release has support for more targets, including German/French versions of Windows XP SP2, and also Windows Server 2003. I added a -B switch that tells IAM.EXE and WHOSTHERE.EXE to look for the necessary memory addresses at runtime using some 'heuristics'; this should also make it work on more targets.

I expect people to continue having issues on some platforms because the things the tool does are dependent on certain memory areas that vary from OS version to OS version, so if you have issues, please let me know; most of the time it is very easy to add support for your platform to the tool.

The source code is available here.

The binaries are available here.


-Improved support for Windows XP SP2 German/French, Windows 2003 SP1/SP2, both for
-Added to IAM.EXE and WHOSTHERE.EXE the -B switch. If IAM.EXE or WHOSTHERE.EXE is
not working in your configuration, please run the tools again specifying -B at the end.
The -B option will try to find, using 'heuristics', the addresses the tools need
to do what they do. If you are still having issues, please let me know, I expect people
to have issues because the addresses vary from OS version to OS version.

Note for Windows Server 2003 users:

-if you run IAM.EXE and it ends as expected, as if it had worked, but then you run
WHOSTHERE.EXE and the credentials did not change, do the following:

-start a cmd.exe using runas, for example:

runas /user:administrator cmd.exe

-and in the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. And now
it should work.

It seems that sometimes you need a new session different than the interactive
session for LSASS.EXE to accept the modifications to the credentials in memory. If
you are logging in to the machine remotely using psexec/Remote Desktop etc. this does
not occur (at least, this is what I observed); I had troubles like this when
logging in interactively to the server. Also, after you run 'runas', running IAM.EXE
in a regular CMD.EXE shell will start working. Don't take any of this as
a precise explanation of what's going on; this is just what I observed and a way
to work around it. I'll analyze what's really going on in the future.

1 comment:

Anonymous said...

Hey Hernan, fantastic tool and thanks for helping me out troubleshooting my stupidity :-). MC