Comments on HEXALE (security & reverse engineering): Release of Pass-The-Hash Toolkit v1.4

Eworks Professional, 2013-09-25 11:17 (-03:00):

This comment has been removed by a blog administrator.

hernan, 2008-09-01 09:49 (-03:00):

Hi casey!

1- If the IDC script is not picking up the addresses, it is probably because IDA did not download or locate the right symbols. Try using symchk to download the PDB yourself and have IDA use that .PDB file. Check out http://msdn.microsoft.com/en-us/library/cc267474.aspx to learn about symchk if you don't already know how to use it.

2- whosthere-alt is probably, as you noticed, not gonna work on Windows Vista at the moment. Try using whosthere.exe instead, although currently whosthere supports only certain versions of Windows Vista. However, if you send me your lsasrv.dll (from your Windows Vista installation) I can send you a working version of the tool for that version.

Anonymous, 2008-08-28 16:01 (-03:00):

First off, excellent toolkit and thanks for your continued work on it! I have downloaded the latest version (1.4) and whosthere-alt.exe always works very well for me.
However, I am having issues with Vista and get this return:

WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
This tool lists the active LSA logon sessions with NTLM credentials.
use -h for help.
the output format is: username:domain:lmhash:nthash

Error in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunctionError in InjectDllAndCallFunction

So, as you suggest, I load the LSASRV.dll into an IDA Pro demo version. (Please keep in mind I know almost nothing about reversing.) I load the symbols and run the passthehash.idc script but seem to always get the following:

Compiling file 'C:\ToolKit\PSH1.4\passthehash.idc'...
Executing function 'main'...
?g_Feedback@@3_KA, addr = ffffffff
?g_pDESXKey@@3PAU_desxtable@@A, addr = ffffffff
?LogonSessionCount@@3KA, addr = ffffffff
?LogonSessionListCount@@3KA, addr = ffffffff
?LogonSessionList@@3U_LIST_ENTRY@@A, addr = ffffffff
Usually found in server 2003:
?LogonSessionList@@3PAU_LIST_ENTRY@@A, addr = ffffffff
#define _[OSDLLVER]_ADDCREDENTIAL_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_ENCRYPTMEMORY_[LANGUAGE] (PBYTE)0x0
#define _[OSDLLVER]_FEEDBACK_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF
#define _[OSDLLVER]_DESKEY_PTR_ADDR_[LANGUAGE] (PBYTE)0xFFFFFFFF

I would assume I am missing something. Any help would be greatly appreciated.

BTW - The Vista LSASRV.dll version I am running against is 6.0.6001.18000

Thanks again!

- Casey