Saturday, May 09, 2009

fix for whosthere/iam under XP SP3 with latest updates (May 2009)

In my last post I mentioned whosthere/iam were not working anymore with the latest updates for xp sp 3 (but iam-alt/whosthere-alt were still working).

Ok, I actually forgot I had added the -a switch to the tools to easily overcome this scenario :).

The only thing you have to do is load lsasrv.dll into IDA and run the passthehash.idc script included in the toolkit's source package and it will give you back the addresses you need to make whosthere/iam work.

For xp sp3 english with the latest patches the values are the following:

75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

so, just run

whosthere -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

or

iam.exe [other options...] -a 75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54

and both tools will work with the latest patches on xp sp3 english.

If you have a different version of windows just use the IDA .idc script or email me.

11 comments:

Rajat Swarup said...

I had issues in getting iam.exe to work. I tried the whosthere.exe with a local administrator and that seemed to work. But when I ran iam.exe I got something like an Unknown error or something like that. It was able to find the DLL addresses because that portion did not error out. The target was a Win XP SP2 US-English inside a VM. After running iam.exe when I did a net use * \\system_ip\C$, I kept getting Incorrect password and it would take me back to the password prompt. Do you know what could be happening? I was using the latest pshtoolkit.

hernan said...

Hi Rajat!,

I have no idea what's going on, need to test with an XP SP2.

If whosthere is working, iam should work too. If you say that iam was able to get all the needed addresses, then there's little that can fail from there.

Remember that all tools need to be run as an administrator.

However, doing a 'net use' alone is not a good way to test if iam worked or not.

It's better to run whosthere, iam and then whosthere again to check if the changes were made.

Also, do a net use and sniff the network traffic to verify the username and domain name you specified is sent over the network.

If you continue having this issues, please send me an email to hernan[[at]]gmail.com or move the discussion to the forums (www.hexale.org/forums) so we can continue analyzing the problem.

Thanks!,
Hernan

hernan said...

Hi Rajat,

Just tested with a fresh install of win xp sp2.

whosthere-alt and iam-alt work great.

whosthere and iam need specific addresses, send me your lsasrv.dll and I'll send you the addresses you need to use with the -A switch to make it work.

Rajat Swarup said...

I'm mailing you the copy of lsasrv.dll in question.

hernan said...

Hi Rajat.

The lsasrv.dll you sent me appears to be for a windows 2003 sp2 machine, not a windows xp sp2..

have you tried iam-alt and whosthere-alt? they should work..

Anyways, I've sent you via email the addresses you need.

Thanks!,
Hernan

Anonymous said...

Hernan,

MS patches have modified my lsasrv.dll so much that even your IDC script fails. The function names you are looking for are NOT in my dll. My dll version is 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305)

Have MS decided to move this function to another module ?

ANyway - I know you have a day job - but if you have time I can send u my lsasrv.dll ??

you do good work

thanks

deros68

hernan said...

yes, send me your DLL please.

Alluz said...

Hey, take a look of Pass the hash GUI, By Flacman at colombiaunderground.org

http://www.colombiaunderground.org/resources/PassTheHashGUI.rar

PD. I'm not a bot.

Rajat Swarup said...

Hi Hernan,
I tried using the iam.exe on the Windows XP sp3 system. I used the IDC script in IDA Pro to find the addresses to use with lsasrv.dll. The addresses came out to be 75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54 which is slightly different from what you say in the blog. But this did not result in an error.
The section where iam.exe looks for the LSASS_PID of LSASS.EXE gave a result of 0x0. The actual PID was 854. The error I got was "An error was encountered when trying to change the current logon credentials". Would you have an idea about what could be happening?

Usagi said...

If you are interested, against a French XPSP3, the correct adresses are :

whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54

Thanks Hernan !

0xacdc said...

Hi there, for those interested, Against a French xpsp3, the command would be:
whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54