Friday, January 18, 2008

New version of Pass-The-Hash Toolkit about to be released!


I'm about to release a new version of Pass-The-Hash Toolkit. I can't remember all the things fixed and things that changed, but they are on a file somewhere :), some of them include:

* The elimination of the "-B" switch, now the tool does what it has to do without requiring anything from you
* the output from whosthere.exe is now shorter and the format credentials are presented can now be directly used with l0phtcrack or anything like that (although, doing so kind of goes against the very nature of the iam.exe tool :), but it's ok, for some scenarios you want to know the plaintext password).
* All the extra info displayed by whosthere.exe before is still available via the -D switch (D as in debug info :)).
* Added support for several windows versions and languages

So, before I release the next version, it would be great if you can send me an email to with errors you might have found and want fixed, ideas for new features, etc. please, write! :).


Anonymous said...

I have a question for you: in the old version's documentation you said that is possible to use your toolkit with cachedump password output... but I didn't find a way to do that.
Can you provide some further documentation do this with the new release?

Anonymous said...

I'm really looking forward to your new release!

Anonymous said...


Whosthere doesn't work because a new version of LSASRV.DLL is arrived this january 2008.
see KB943485

thank you

hernan said...


whosthere.exe and iam.exe have already being updated to work with KB943485.

If you need this updated version right now, please send me an email and I'll send it to you right away; otherwise I'll release the 'official' version soon.

hernan said...

With regards to cachedump's output.

The new version of whosthere.exe gives you the credentials info in 'l0phtcrack's format' and i'm updating iam.exe to accept the same format.

I think this format is similar/the same as the format used by cachedump. If it is not, please send me an email.

hernan said...

answering to one of the anonymous posts :):

Ahh, I know get your question regarding 'cachedump' and the answer is NO :), pass-the-hash will not work with the cachedump output directly, that was not what I meant, bad writing, sorry :).

Anonymous said...

tnx for your reply hernan, so the answer is NO.... directly... do you know if cachedump's output can be converted in some Pass The Hash Toolkit readable format? I suppose the answer is NO again but I'm asking just to make sure...

Thank you very much for your patience...

hernan said...

According to this:

the 'password' you get from cachedump is actually this:

MSCASH = MD4( MD4(password ) || lowercase(username) )

is not an LM/NThash of the password that you can use directly to authenticate, you need to recover the password via a brute-force/dictionary attack. So, this cannot be used directly by the pass-the-hash toolkit.

I just tried to download different cache dumpers to try them out but none worked for some reason..

If you have any other information and/or you think what is said in the link I mentioned above is not accurate, please let me know!.

Anonymous said...

thanks for your reply, same thing I thought.

Too bad :-)