Wednesday, July 02, 2008

Release of Pass-The-Hash Toolkit v1.4

Source Code:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4-src.tgz

Win32 Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.4/pshtoolkit_v1.4.tgz

Documentation/info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html
http://hexale.blogspot.com
http://www.hexale.org/forums

What's new?:
(http://oss.coresecurity.com/pshtoolkit/release/1.4/WHATSNEW)

*Support for XP SP3 for whosthere/iam (whosthere-alt/iam-alt already work on XP SP3 without requiring any update)

*New -t switch for whosthere/whosthere-alt: establishes interval used by the -i switch (by default 2 seconds).

*New -a switch for whosthere/iam: specify the LSASRV.DLL addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR (WARNING!: if you use the wrong values the system may crash)
The idea is that, if you find yourself on a version of Windows where whosthere/iam don't work (and iam-alt/whosthere-alt don't work either), you can load LSASRV.DLL into IDA, run the PASSTHEHASH.IDC script included in the Pass-The-Hash Toolkit, and pass the addresses the script finds to the -a switch.

This lets you specify the addresses at runtime, without having to recompile the tool.

*New -r switch for iam/iam-alt: Create a new logon session and run a command with
the specified credentials (e.g.: -r cmd.exe)

*genhash now outputs hashes using the LM HASH:NT HASH format

*several bugfixes and minor changes
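The -a workflow above has one sharp edge: the IDC script prints 0 or ffffffff for every symbol it could not locate (typically because IDA did not load a matching PDB), and feeding those values to whosthere/iam is exactly the "wrong values" case the warning is about. The following is an added example, not code from the Pass-The-Hash Toolkit: a small Python script that parses the text PASSTHEHASH.IDC prints, maps it onto the six -a fields, and refuses to emit a -a string while any field is unresolved. The pairing of LSASRV symbol names to -a fields, the 0x-prefixed hex output form, and the addresses in the second sample are assumptions made for illustration; the toolkit's own help (-h) is authoritative for the exact format.

```python
import re

# Constructed sample: PASSTHEHASH.IDC output as it looks when IDA has no usable
# symbols for LSASRV.DLL (every address printed is 0 or ffffffff).
IDC_OUTPUT_UNRESOLVED = """\
?g_Feedback@@3_KA, addr = ffffffff
?g_pDESXKey@@3PAU_desxtable@@A, addr = ffffffff
?LogonSessionCount@@3KA, addr = ffffffff
?LogonSessionListCount@@3KA, addr = ffffffff
?LogonSessionList@@3U_LIST_ENTRY@@A, addr = ffffffff
Usually found in server 2003:
?LogonSessionList@@3PAU_LIST_ENTRY@@A, addr = ffffffff
#define _[OSDLLVER]_ADDCREDENTIAL_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_ENCRYPTMEMORY_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_FEEDBACK_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF
#define _[OSDLLVER]_DESKEY_PTR_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF
"""

# Constructed sample with hypothetical addresses (not from any real LSASRV.DLL)
# so the builder has something to succeed on.
IDC_OUTPUT_RESOLVED = """\
?g_Feedback@@3_KA, addr = 75780100
?g_pDESXKey@@3PAU_desxtable@@A, addr = 75780108
?LogonSessionCount@@3KA, addr = ffffffff
?LogonSessionListCount@@3KA, addr = 75780120
?LogonSessionList@@3U_LIST_ENTRY@@A, addr = 75780130
Usually found in server 2003:
?LogonSessionList@@3PAU_LIST_ENTRY@@A, addr = ffffffff
#define _[OSDLLVER]_ADDCREDENTIAL_[LANGUAGE] (PBYTE)0x75712AB0
#define _[OSDLLVER]_ENCRYPTMEMORY_[LANGUAGE] (PBYTE)0x7570F3C4
#define _[OSDLLVER]_FEEDBACK_ADDR_[LANGUAGE] (PBYTE)0x75780100
#define _[OSDLLVER]_DESKEY_PTR_ADDR_[LANGUAGE] (PBYTE)0x75780108
"""

# Decorated-symbol lines ("?Name@@..., addr = hex") and #define lines the script prints.
SYMBOL_RE = re.compile(r"^\?(\w+)@@.*?, addr = ([0-9a-fA-F]+)\s*$")
DEFINE_RE = re.compile(r"^#define _\[OSDLLVER\]_(\w+?)_\[LANGUAGE\] \(PBYTE\)0x([0-9a-fA-F]+)\s*$")
UNRESOLVED = {0x0, 0xFFFFFFFF}   # what the script prints for a symbol it could not find

# Field order of the -a switch as given in the v1.4 WHATSNEW.
A_FIELDS = ("ADDCREDENTIAL", "ENCRYPTMEMORY", "FEEDBACK", "DESKEY",
            "LOGONSESSIONLIST", "LOGONSESSIONLIST_COUNT")

# Parsed names that can fill each -a field; the first resolved one wins.
# ASSUMPTION: this pairing is inferred from the symbol names, not from the toolkit's source.
CANDIDATES = {
    "ADDCREDENTIAL": ("ADDCREDENTIAL",),
    "ENCRYPTMEMORY": ("ENCRYPTMEMORY",),
    "FEEDBACK": ("FEEDBACK_ADDR", "g_Feedback"),
    "DESKEY": ("DESKEY_PTR_ADDR", "g_pDESXKey"),
    "LOGONSESSIONLIST": ("LogonSessionList",),
    "LOGONSESSIONLIST_COUNT": ("LogonSessionListCount", "LogonSessionCount"),
}


def parse_idc_output(text):
    """Collect {name: [addr, ...]} from the IDC script's output lines."""
    found = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line) or DEFINE_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(int(m.group(2), 16))
    return found


def resolve_fields(text):
    """Map each -a field to a resolved address, or None if the script had none."""
    found = parse_idc_output(text)
    return {
        field: next((addr for name in CANDIDATES[field]
                     for addr in found.get(name, []) if addr not in UNRESOLVED), None)
        for field in A_FIELDS
    }


def unresolved_fields(text):
    """Names of -a fields the IDC output did not resolve (empty list means all good)."""
    return [f for f, a in resolve_fields(text).items() if a is None]


def build_a_switch(text):
    """Return the -a argument, refusing to guess: any unresolved field is an error.

    ASSUMPTION: 0x-prefixed hex per field; check whosthere -h for the exact form.
    """
    missing = unresolved_fields(text)
    if missing:
        raise ValueError("IDA symbols not loaded; unresolved: " + ", ".join(missing))
    fields = resolve_fields(text)
    return ":".join("0x%08X" % fields[f] for f in A_FIELDS)


if __name__ == "__main__":
    for sample in (IDC_OUTPUT_UNRESOLVED, IDC_OUTPUT_RESOLVED):
        try:
            print("whosthere.exe -a " + build_a_switch(sample))
        except ValueError as e:
            print("refusing to run:", e)
```

Run against the first sample it prints a refusal naming all six fields, which is the signal to fix the symbol situation (for example by fetching the PDB with symchk and pointing IDA at it) rather than to try the tool; against the second it prints a complete -a argument.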

3 comments:

Casey said...

First off, excellent toolkit and thanks for your continued work on it! I have downloaded the latest version (1.4) and whosthere-alt.exe always works very well for me. However, I am having issues with Vista and get this return:

WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
This tool lists the active LSA logon sessions with NTLM credentials.
use -h for help.
the output format is: username:domain:lmhash:nthash

Error in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunction

So, as you suggest, I load the LSASRV.dll into an IDA Pro demo version. (Please keep in mind I know almost nothing about reversing) I load the symbols and run the passthehash.idc script but seem to always get the following:

Compiling file 'C:\ToolKit\PSH1.4\passthehash.idc'...
Executing function 'main'...
?g_Feedback@@3_KA, addr = ffffffff
?g_pDESXKey@@3PAU_desxtable@@A, addr = ffffffff
?LogonSessionCount@@3KA, addr = ffffffff
?LogonSessionListCount@@3KA, addr = ffffffff
?LogonSessionList@@3U_LIST_ENTRY@@A, addr = ffffffff
Usually found in server 2003:
?LogonSessionList@@3PAU_LIST_ENTRY@@A, addr = ffffffff
#define _[OSDLLVER]_ADDCREDENTIAL_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_ENCRYPTMEMORY_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_FEEDBACK_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF
#define _[OSDLLVER]_DESKEY_PTR_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF

I would assume I am missing something. Any help would be greatly appreciated.

BTW - The Vista LSASRV.dll version I am running against is 6.0.6001.18000

Thanks again!

- Casey

hernan said...

Hi Casey!

1-If the IDC script is not picking up the addresses, it is probably because IDA did not download or locate the right symbols. Try using symchk to download the PDB yourself and have IDA use that .PDB file. Check out http://msdn.microsoft.com/en-us/library/cc267474.aspx to learn about symchk if you don't already know how to use it.

2-whosthere-alt is probably, as you noticed, not going to work on Windows Vista at the moment. Try using whosthere.exe instead; although currently whosthere supports only certain versions of Windows Vista. However, if you send me your lsasrv.dll (from your Windows Vista installation) I can send you a working version of the tool for that version.
