Comments on HEXALE (security & reverse engineering): fix for whosthere/iam under XP SP3 with latest updates (May 2009)
Feed author: hernan. Feed updated: 2023-06-04T08:07:03.642-03:00

0xacdc, 2009-10-07T08:40:55.778-03:00:
Hi there, for those interested, against a French xpsp3, the command would be:
whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54

0xacdc, 2009-10-06T14:29:34.531-03:00:
If you are interested, against a French XPSP3, the correct addresses are:

whosthere -a 756D3BE0:756BFDF4:75750C98:75750CA0:7574FC60:7574FE54

Thanks Hernan!

Rajat Swarup, 2009-09-11T01:57:43.603-03:00:
Hi Hernan,
I tried using the iam.exe on the Windows XP sp3 system. I used the IDC script in IDA Pro to find the addresses to use with lsasrv.dll. The addresses came out to be 75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54 which is slightly different from what you say in the blog. But this did not result in an error.
The section where iam.exe looks for the LSASS_PID of LSASS.EXE gave a result of 0x0. The actual PID was 854. The error I got was "An error was encountered when trying to change the current logon credentials". Would you have an idea about what could be happening?

Unknown, 2009-09-09T02:29:08.893-03:00:
Hey, take a look at Pass the hash GUI, by Flacman at colombiaunderground.org

http://www.colombiaunderground.org/resources/PassTheHashGUI.rar

PS. I'm not a bot.

hernan, 2009-09-07T17:40:21.184-03:00:
yes, send me your DLL please.

Anonymous, 2009-09-03T14:38:16.794-03:00:
Hernan,

MS patches have modified my lsasrv.dll so much that even your IDC script fails. The function names you are looking for are NOT in my dll. My dll version is 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305)

Has MS decided to move this function to another module?

Anyway - I know you have a day job - but if you have time I can send you my lsasrv.dll?

you do good work

thanks

deros68

hernan, 2009-07-30T20:51:41.725-03:00:
Hi Rajat.

The lsasrv.dll you sent me appears to be for a Windows 2003 SP2 machine, not a Windows XP SP2.

Have you tried iam-alt and whosthere-alt? They should work.

Anyway, I've sent you via email the addresses you need.

Thanks!,
Hernan

Rajat Swarup, 2009-07-30T12:55:20.528-03:00:
I'm mailing you the copy of lsasrv.dll in question.

hernan, 2009-07-27T21:28:45.505-03:00:
Hi Rajat,

Just tested with a fresh install of win xp sp2.

whosthere-alt and iam-alt work great.

whosthere and iam need specific addresses, send me your lsasrv.dll and I'll send you the addresses you need to use with the -A switch to make it work.

hernan, 2009-07-27T12:31:21.332-03:00:
Hi Rajat!,

I have no idea what's going on, need to test with an XP SP2.

If whosthere is working, iam should work too. If you say that iam was able to get all the needed addresses, then there's little that can fail from there.

Remember that all tools need to be run as an administrator.

However, doing a 'net use' alone is not a good way to test if iam worked or not.

It's better to run whosthere, iam and then whosthere again to check if the changes were made.

Also, do a net use and sniff the network traffic to verify the username and domain name you specified are sent over the network.

If you continue having these issues, please send me an email to hernan[[at]]gmail.com or move the discussion to the forums (www.hexale.org/forums) so we can continue analyzing the problem.

Thanks!,
Hernan

Rajat Swarup, 2009-07-27T00:41:15.754-03:00:
I had issues in getting iam.exe to work. I tried the whosthere.exe with a local administrator and that seemed to work. But when I ran iam.exe I got something like an Unknown error or something like that. It was able to find the DLL addresses because that portion did not error out. The target was a Win XP SP2 US-English inside a VM. After running iam.exe when I did a net use * \\system_ip\C$, I kept getting Incorrect password and it would take me back to the password prompt. Do you know what could be happening? I was using the latest pshtoolkit.