Comments on HEXALE (security & reverse engineering): Release: Pass-The-Hash toolkit v1.3
Blog author: hernan. Comment feed last updated 2023-06-04T08:07:03-03:00. 9 comments, newest first.

Z, 2009-08-26T08:21:54-03:00:
I'm having trouble using iam-alt.exe. whosthere-alt.exe is working fine, it gives me the correct hashes, I have double-checked them. If I use iam-alt.exe, something really strange happens. It sets the username and domain correctly, but not the LM and NTLM hashes. For example, if the LM hash is 1234567890abcdef... then it sets 2040608000b0d0f0... I have also tried the IDC script with a fresh 5.4 IDA Pro demo, but I think the pdb part is doing something wrong. I can also see pdb(c:\windows\system32\lsasrv.dll): Class not registered. Is it normal or is it an error? I am using a Hungarian Windows XP SP2.

Many thanks

hernan, 2008-03-17T08:12:00-03:00:
If you run iam.exe/iam-alt.exe and then whosthere.exe/whosthere-alt.exe, do you see the changes?
If you do, you're probably running the tool in the wrong interactive session, or something even more weird :).
What Windows version are you using? Is your box using NTLM auth or Kerberos?
You don't have interactive access to the machine you are running the tools on?

Thanks!,
Hernan

CG, 2008-03-14T19:12:00-02:00:
So I got to playing with the psh1.3 toolkit.

When I run iam.exe and iam-alt.exe I get a "credentials successfully passed" but nothing "appears" to be changing. If I do a whoami, I get the local acct I logged in as; if I start a process it says it's owned by the local acct I logged in as. I am doing all this through psexec. Is there a better way to do this? Something else I should try?

hernan, 2008-03-04T09:58:00-02:00:
Mm, yes, there's a problem there, because lsasrv.dll has way more than 129 symbols. Did you ever load lsasrv.dll into IDA before? Have you ever imported a PDB for lsasrv.dll before? I don't know, all I can think of is that there's an old PDB or 'incomplete' PDB or something that is messing things up. What IDA version are you using? 5.x?

If you ever can make it work, please let me know if you figured out the problem! :)

Thanks!

Anonymous, 2008-03-03T23:31:00-02:00:
I don't know why IDA isn't loading the correct symbols; it says it is retrieving then loading '129' symbols. Doesn't matter though, now that I know what to look for I can get them from OllyDbg just as easily. I'm not in a hurry for more addresses since I found the addresses for the 2003 SP2 version via Olly. Addresses for 2000 SP4 would be nice though, haven't been able to find those.

The terminal server thing might seem a little more black hat but that's certainly not my intent, I just noticed that it did not work under a TS session. Just a suggestion, I don't need that myself.

Nice work btw :)

hernan, 2008-03-02T13:37:00-02:00:
Ok,

1 - If the IDC script doesn't work, it's because for some reason the right symbols are not being loaded into IDA Pro. The script does nothing more than look for the symbols and print them for you in the format you need to have them to add to the source code. In the next release I'll add an option to specify the addresses of the symbols without having to recompile the apps. Some users have already reported to me that the script didn't work for them, but in all instances I've seen the issue is that the right symbols are not loaded. These same users have made the script work after 'tweaking' the symbol loading process into loading the needed symbols. If you can't make IDA Pro do that, please send me an email with the IDA Pro version you're using and I'll try to troubleshoot the problem with you.

2 - About the addresses not being there, damn! I thought I had put those in there, sorry :) I'll check again. Anyways, send me an email, I can send you a working version very easily. Or just use iam-alt/whosthere-alt, I think they should work.

3 - About terminal services, ok, I'll add the option to let you choose the logon session to change. I was not too concerned about that because you are supposed to be running iam.exe/iam-alt.exe from your own machine from the main 'console'; I never thought someone would actually use iam.exe/iam-alt.exe from a terminal services session. Anyways, it's a good option to have, so I'll add that.

Keep it coming! :)
Thanks!

Anonymous, 2008-03-02T02:37:00-02:00:
Strike my last. IDA is being a bitch but Olly comes through.

Anonymous, 2008-03-02T00:15:00-02:00:
And I cannot get your IDA script to work; neither of those functions is found. I am loading the symbols, and searching for addcredentials and addmemory by hand finds nothing either. Any tips on what I'm missing?

Anonymous, 2008-03-01T22:09:00-02:00:
Unless I am missing something? 1.3 has the same three hardcoded addresses as 1.2.

An option you might want to consider is letting the user specify which logon session to modify. This will let terminal services users enjoy modified credentials; the tool just has to be run as SYSTEM.
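Two of the comments above come down to checking hash values by hand: Z "double-checked" the hashes whosthere-alt printed, and then saw iam-alt set 2040608000b0d0f0... when given 1234567890abcdef.... The script below is an added example, not code from the Pass-The-Hash toolkit or from the commenters, that does both checks offline: it recomputes the NT hash (MD4 over the UTF-16LE password) for an account whose password you know, so the value whosthere reports can be compared against it, and it compares the hash you passed to iam with the one read back afterwards, flagging the transform reported in the comment (every byte reduced to its low nibble shifted into the high position, which is what 12 -> 20, 34 -> 40, ab -> b0 amounts to). It does not claim to know why that happened on a Hungarian XP SP2 box; it only tells you whether the value read back is what you passed. MD4 is implemented in pure Python because hashlib's md4 is frequently unavailable (OpenSSL legacy provider). The LM hash is not recomputed here, since the standard library has no DES. The 32-character hash pair in the usage section is constructed by extending the commenter's truncated example to full length.

```python
"""Recompute an NT hash and compare a hash passed to iam with the value read back.

Added example, not part of the Pass-The-Hash toolkit. Assumes hashes are given as
32-character hex strings, one per hash, as whosthere/iam display them.
"""
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): three rounds of 16 steps over 64-byte blocks."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rot(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]  # working copies of a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # Step i updates a, d, c, b in turn; the other three feed fn in rotated order.
                j = (-i) % 4
                a, b, c, d = v[j], v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = rot((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        h = [(x + y) & MASK for x, y in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as lower-case hex. Compare with whosthere's NTLM field."""
    return _md4(password.encode("utf-16-le")).hex()


def parse_hash(hex_str: str) -> bytes:
    """Validate one LM or NT hash as a 32-char hex string and return its 16 bytes."""
    s = hex_str.strip().lower()
    if len(s) != 32 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not a 32-character hex hash: {hex_str!r}")
    return bytes.fromhex(s)


def diagnose(passed_hex: str, readback_hex: str) -> str:
    """Compare the hash given to iam with the one whosthere reads back afterwards.

    Returns "match", "low-nibble-shifted" (the pattern reported in the 2009 comment:
    each byte b became (b & 0x0f) << 4), or "mismatch" for any other difference.
    """
    passed, readback = parse_hash(passed_hex), parse_hash(readback_hex)
    if passed == readback:
        return "match"
    if readback == bytes((b & 0x0F) << 4 for b in passed):
        return "low-nibble-shifted"
    return "mismatch"


if __name__ == "__main__":
    # Well-known vector: NT hash of "password".
    print("NT(password) =", nt_hash("password"))
    # Constructed pair extending the commenter's truncated example to 32 hex chars.
    passed = "1234567890abcdef1234567890abcdef"
    readback = "2040608000b0d0f02040608000b0d0f0"
    print(passed, "->", readback, ":", diagnose(passed, readback))
```

Usage: run it against a test account whose password you set yourself; if nt_hash(password) does not equal what whosthere prints, the problem is upstream of iam. If it matches but diagnose() returns "low-nibble-shifted" for what iam set, you are seeing exactly the corruption described in the 2009 comment and should compare the exact command line (hash separator, case, locale) rather than the lsasrv.dll addresses.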