In my last post I mentioned that whosthere/iam were no longer working with the latest updates for XP SP3 (while iam-alt/whosthere-alt still were).
Well, I actually forgot I had added the -a switch to the tools precisely to handle this scenario :).
All you have to do is load lsasrv.dll into IDA and run the passthehash.idc script included in the toolkit's source package; it will give you back the addresses you need to make whosthere/iam work again.
For XP SP3 English with the latest patches the values are the following:
75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54
so, just run
whosthere -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54
or
iam.exe [other options...] -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54
and both tools will work with the latest patches on XP SP3 English.
Keep in mind that these addresses are tied to this exact build of lsasrv.dll; a different language, service pack or hotfix level ships a different lsasrv.dll and the values will not match. If you have a different version of Windows, just re-run the IDA .idc script against your own lsasrv.dll or email me.
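Since the -a string is just six colon-separated 32-bit addresses taken from lsasrv.dll, it is easy to get wrong by hand (a missing digit, a stray character, five fields instead of six). The following helper, added here as an example and not part of the Pass-The-Hash toolkit, validates the string, and also compares two address sets: if every one of the six addresses differs by the same delta, the two sets most likely come from the same lsasrv.dll build loaded at a different base, and one can be derived from the other by rebasing. The two sample sets are the English and French XP SP3 values quoted on this page; the interpretation of a uniform delta as "same build, different base" is an assumption for illustration, and for a genuinely different build the only reliable way to get the addresses remains re-running the IDC script.

```python
"""Validate and compare the -a address strings used by whosthere/iam.

Added example; not code from the Pass-The-Hash toolkit. The six fields
are assumed to be 32-bit virtual addresses inside lsasrv.dll, written
as 8 hex digits and separated by colons, exactly as the blog post shows.
"""
import re
from typing import List, Optional

# Exactly 8 hex digits, no 0x prefix (the format the tools expect).
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
FIELDS = 6

# Sample sets quoted on the page: English and French XP SP3 with latest patches.
EN_XPSP3 = "75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54"
FR_XPSP3 = "756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54"


def parse_addr_list(s: str) -> List[int]:
    """Parse an -a string into six integers, raising ValueError on any defect."""
    parts = s.strip().split(":")
    if len(parts) != FIELDS:
        raise ValueError(f"expected {FIELDS} addresses, got {len(parts)}")
    addrs = []
    for p in parts:
        if not ADDR_RE.match(p):
            raise ValueError(f"bad address {p!r}: expected 8 hex digits")
        addrs.append(int(p, 16))
    return addrs


def is_valid_addr_list(s: str) -> bool:
    """True if the string would be accepted as a well-formed -a argument."""
    try:
        parse_addr_list(s)
        return True
    except ValueError:
        return False


def format_addr_list(addrs: List[int]) -> str:
    """Render six integers back into the colon-separated upper-case form."""
    if len(addrs) != FIELDS:
        raise ValueError(f"expected {FIELDS} addresses, got {len(addrs)}")
    return ":".join(f"{a:08X}" for a in addrs)


def common_delta(a: List[int], b: List[int]) -> Optional[int]:
    """Return b - a if all six pairs share one delta, else None.

    A single shared delta is what you would see for the same lsasrv.dll
    build at a different load address (same RVAs, different base); mixed
    deltas mean the builds differ and the script must be re-run.
    """
    deltas = {y - x for x, y in zip(a, b)}
    return deltas.pop() if len(deltas) == 1 else None


def rebase(addrs: List[int], delta: int) -> List[int]:
    """Shift every address by delta, wrapping at 32 bits."""
    return [(a + delta) & 0xFFFFFFFF for a in addrs]


if __name__ == "__main__":
    en, fr = parse_addr_list(EN_XPSP3), parse_addr_list(FR_XPSP3)
    d = common_delta(en, fr)
    print("EN -> FR delta:", "none (different build?)" if d is None else hex(d))
    if d is not None:
        print("rebased EN:", format_addr_list(rebase(en, d)))
        print("matches FR:", format_addr_list(rebase(en, d)) == FR_XPSP3)
```

Run it as a script and it reports the delta between the English and French sets (every field differs by the same 0x80000) and shows that rebasing the English set reproduces the French one byte for byte; feed it a hand-typed string first with `is_valid_addr_list` before pasting it into a whosthere or iam command line.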
I had issues getting iam.exe to work. I tried whosthere.exe with a local administrator and that seemed to work. But when I ran iam.exe I got something like an "Unknown error" or something like that. It was able to find the DLL addresses because that portion did not error out. The target was a Win XP SP2 US-English inside a VM. After running iam.exe, when I did a net use * \\system_ip\C$, I kept getting "Incorrect password" and it would take me back to the password prompt. Do you know what could be happening? I was using the latest pshtoolkit.
Hi Rajat,
I have no idea what's going on, need to test with an XP SP2.
If whosthere is working, iam should work too. If you say that iam was able to get all the needed addresses, then there's little that can fail from there.
Remember that all tools need to be run as an administrator.
However, doing a 'net use' alone is not a good way to test if iam worked or not.
It's better to run whosthere, iam and then whosthere again to check if the changes were made.
Also, do a net use and sniff the network traffic to verify the username and domain name you specified is sent over the network.
If you continue having these issues, please send me an email at hernan[[at]]gmail.com or move the discussion to the forums (www.hexale.org/forums) so we can continue analyzing the problem.
Thanks!
Hernan
Hi Rajat,
Just tested with a fresh install of win xp sp2.
whosthere-alt and iam-alt work great.
whosthere and iam need specific addresses, send me your lsasrv.dll and I'll send you the addresses you need to use with the -A switch to make it work.
I'm mailing you the copy of lsasrv.dll in question.
Hi Rajat.
The lsasrv.dll you sent me appears to be for a Windows 2003 SP2 machine, not a Windows XP SP2.
Have you tried iam-alt and whosthere-alt? They should work.
Anyways, I've sent you via email the addresses you need.
Thanks!
Hernan
Hernan,
MS patches have modified my lsasrv.dll so much that even your IDC script fails. The function names you are looking for are NOT in my DLL. My DLL version is 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305).
Have MS decided to move this function to another module?
Anyway, I know you have a day job, but if you have time I can send you my lsasrv.dll?
you do good work
thanks
deros68
yes, send me your DLL please.
Hey, take a look at Pass the Hash GUI, by Flacman at colombiaunderground.org
http://www.colombiaunderground.org/resources/PassTheHashGUI.rar
P.S. I'm not a bot.
Hi Hernan,
I tried using the iam.exe on the Windows XP sp3 system. I used the IDC script in IDA Pro to find the addresses to use with lsasrv.dll. The addresses came out to be 75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54 which is slightly different from what you say in the blog. But this did not result in an error.
The section where iam.exe looks for the LSASS_PID of LSASS.EXE gave a result of 0x0. The actual PID was 854. The error I got was "An error was encountered when trying to change the current logon credentials". Would you have an idea about what could be happening?
If you are interested, against a French XP SP3, the correct addresses are:
whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54
Thanks Hernan !
Hi there, for those interested, against a French XP SP3 the command would be:
whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54