Monday, December 17, 2007

Release uhooker v1.3

What's uhooker?:

A tool to intercept and manipulate the execution of programs. It enables the user to insert hooks in function calls and at arbitrary addresses within the executable file in memory. The hook handlers are written in Python and can be changed at runtime without the need to restart the inspected process.


more info:

Some Videos:

What's new in uhooker v1.3?

-Several bug fixes, everything should work better than before :)

-Fixed a bug in the readunicode() API where reading an empty multibyte string
resulted in the plugin freezing forever.

-Now you can load multiple .CFG files (load one, then load another to hook
something else, etc). Previously, you were only allowed to load one .CFG file
with breakpoints/handlers definitions. Now you can load as many as you like
whenever you want.

-If a .CFG file overlaps previously set hooks, you have the chance
to redefine them (for example, you can dynamically change the
file/function handling the breakpoint. This adds to the feature,
present since the first version of uhooker, that allows runtime rewriting
of the handler's code).

-Errors in the code of the handlers (written in python) are now correctly handled.

-Previously, if you had an error in the code you wrote to handle
a certain breakpoint, this caused the 'uhooker's python server' to
'crash', and you needed to restart your debugging session all over again.

This scenario was very common, particularly if you were developing
your own handler/script for the first time, or if you were
modifying the code of a handler/script at runtime.

Well, no more! :). Now if you have an error (syntax error,
indentation error, general programming error, etc.), the error that
your handler has will be displayed on uhooker's console, and
you'll be able to recover from that error. This improvement means:

1-If an error occurs on the code, you don't
need to restart the debugger's session (and lose
the state of the program, etc.).

2-If you are changing the code of the handler at runtime
and you make a mistake, you'll see what
caused the error, and you can fix the script/handler
and move on!

-and there are probably more things, but I didn't write them down and now I don't remember :).

Wednesday, December 12, 2007

uhooker videos - video

A new video showing how to use the script. This is a sample script
that allows you to intercept and modify network traffic using a hex editor.

Embedded Video (only IE I think)

Direct Download

Tuesday, December 04, 2007

Uhooker Videos

Hi All!,

I'm uploading new scripts for uhooker and also new videos showing how these scripts are used, to help you get an idea of the purpose of the scripts.

I just uploaded a video showing how to use the Change Connect() script, you can find it here:

Embedded in browser:

Direct Download of .WMV file (if using firefox, you will probably
need to download this one):

Note: If anyone knows of a free program to do screencasts & convert screencasts
to .SWF files(flash), please let me know. I'm currently doing it using 'Windows
Media Encoder', and I couldn't find a decent program to convert .WMV
to Flash. Any suggestion is welcome.

Friday, November 30, 2007

New 'Change Connect()' uhooker script

I uploaded the following uhooker script:

Change Connect(): This script displays all calls to connect() and allows you to change the IP address:Port of the connection. This is useful for debugging, to redirect traffic to some other place instead of the original server, for example, you can redirect traffic to proxy_hooker and use the 'Visual Fuzzing :)' script to observe/modify traffic.

Available here:

Direct Download:

Thursday, November 29, 2007

New & Updated Uhooker scripts

I updated the uhooker scripts on uhooker's web page (some of them were pre-1.2 and did not work with uhooker v1.2 because of minor things, but anyway, now you can download them and they will work :)).

I also 'improved' and added the following scripts:

Intercept Network Traffic With Hex Editor: These scripts will intercept sendto(), send() and recv(), and for every packet sent or received a hex editor will be displayed. You can use the hex editor to change bytes of the packet, and then close it to pass the modified packet to the application. It's fuzzing with a GUI! :).

I'll try to create a screencast so you can get a visual idea of what these scripts do. I'm going to start uploading some other scripts I think you may find useful.

And.. I've also changed the 'look and feel' of uhooker's web site, mmm, if you think it is bad now go to and prepare to be amazed!

Monday, November 19, 2007

Anti-debugging Techniques

I just woke up and saw this article that caught my attention (yes, I have a problem, the first thing I read in the morning is not the newspaper but

Windows Anti-Debug Reference

by Nicolas Falliere

I haven't read it yet, but I'm a sucker for articles/papers with hex numbers and assembler source code :).

I'll read it later today and make a post if I can think of something worth saying about it :).

Saturday, November 17, 2007

WifiZoo working on the Nokia N800

Yes! WifiZoo works on the Nokia N800! This is very cool! You won't need to carry around your notebook on your next wireless assessment! :)

Thanks go to Matias Brutti, he's the proud owner of the N800 :) and he's the one that made it work. It is actually pretty straightforward, you only need to change a few lines of code.

For more info and photos, click here.

Wednesday, November 07, 2007

Simple script to automatically generate uhooker hooks

I've just uploaded a very simple script that can be used to automatically generate hooks for all the functions exported by a DLL to be used with uhooker.

So, let's say you want to intercept all the functions exported by kernel32.dll. Well,
having to write the .cfg file and the .py file with the handlers by hand can be a daunting task :), it has hundreds of functions.

So, instead of doing that, just use like this: -f kernel32.dll -t b -c kernel32.cfg -p

-f: specifies the name of the DLL
-t: specifies the hook type. b = before, a = after, * = address (you would normally use b or a)
-c: OPTIONAL. specifies the name of the .cfg file. if it is not specified, dllname_without_the_extension.cfg will be used
-p: OPTIONAL. name of the .py file with the hooks for all the functions. if it is not specified the will be used.

And that's it. It's a very simple script that I coded 300 hundred times already, the only difference is that now I'm keeping a copy around :).

The script can be found here:

Direct download link:

Patching WifiZoo to support kismet dumps/pcap capture files

A user emailed me asking for a way to use kismet dumps/pcap capture files with WifiZoo, this is going to be included in the next version of WifiZoo, but you can patch/hack the current version to support kismet dumps/pcap capture files very easily:

Edit and change the following code:

print "Waiting..."

while 1:
  # mm, would be better to use callback perhaps. TODO
  p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = p[0]

into this:

print "Waiting..."

#capture.pcap is the name of the capture file. Yes, it's hard-coded :)
pcapr = PcapReader('capture.pcap')

while 1:
  # mm, would be better to use callback perhaps. TODO
  #p = sniff(filter=None, iface=conf.iface, count=1)
  pkt =
  #pkt = p[0]

It's a quick hack, but it works.

Friday, November 02, 2007


I'm still here! Hang on! Soon I'll be releasing a new version of WifiZoo, a new version of the Pass-the-Hash Toolkit and also new stuff/scripts, and probably a new version of the Universal Hooker too!


Tuesday, October 02, 2007

New version of WifiZoo v1.2

WifiZoo v1.2:

-Bug Fixes
-It now has a web GUI running on localhost:8000, it will hopefully make its use more 'convenient'
-And it also has an 'http proxy' a la ferret/hamster. You can display the captured cookies with the web GUI; clicking on a cookie will set that cookie on the WifiZoo proxy. Set your browser to use the proxy, and again, hopefully, that will do the trick.

Updated docs:

Direct download link:


Wednesday, September 19, 2007

WifiZoo and cards without Prism headers

If your card does not output Prism headers, chances are WifiZoo is going to break, sorry, I didn't bother to check that one :). The good news is that I already modified the code to check whether Prism headers are available or not, and if they are not, the code can now handle that situation and everything will work fine.
This 'fix' is going to be included in the next version, but if anyone wants the fix right now, please send me an email (hernan [at] and I'll send you the version that supports cards that do not output Prism headers.
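A pure-Python pcap reader, added here as an example (it is not WifiZoo's code), covering both situations discussed above: reading frames from a capture file instead of sniffing live (the kismet/pcap patch post), and coping with captures that do or do not carry a Prism header in front of each 802.11 frame. The link-type constants are assumed from the libpcap registry, radiotap handling is included as a generalization, and the frames and pcap bytes are constructed in the block.

```python
import struct

# Link-layer types from the pcap global header (values assumed from the libpcap registry).
LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames, no capture header
LINKTYPE_PRISM_HEADER = 119         # fixed 144-byte Prism header first
LINKTYPE_IEEE802_11_RADIOTAP = 127  # variable-length radiotap header first
PRISM_HEADER_LEN = 144

def frames_from_pcap(data):
    """Yield the bare 802.11 frame of each record, skipping any Prism/radiotap header."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                     # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                     # big-endian writer
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        rec = data[pos:pos + incl_len]
        if len(rec) < incl_len:
            raise ValueError("truncated packet record")
        pos += incl_len
        if linktype == LINKTYPE_IEEE802_11:
            off = 0
        elif linktype == LINKTYPE_PRISM_HEADER:
            off = PRISM_HEADER_LEN
        elif linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            # radiotap stores its own length as a little-endian u16 at offset 2
            off = struct.unpack("<H", rec[2:4])[0]
        else:
            raise ValueError("link type %d is not an 802.11 capture" % linktype)
        if off > len(rec):
            raise ValueError("record shorter than its capture header")
        yield rec[off:]

def frame_kind(frame):
    """Classify a frame by the type/subtype bits of its first frame-control byte."""
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype == 0 and subtype == 8:
        return "beacon"
    if ftype == 0 and subtype == 4:
        return "probe-request"
    return "other"

def build_pcap(linktype, frames, capture_header=b""):
    """Build a little-endian pcap byte string (constructed test data, not a real capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        rec = capture_header + f
        out += struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec
    return out

# Constructed 24-byte management frames: a beacon from BSSID 00:11:22:33:44:55 and
# a broadcast probe request from station 66:77:88:99:aa:bb.
BEACON = bytes.fromhex("80000000ffffffffffff001122334455001122334455d000")
PROBE_REQ = bytes.fromhex("40000000ffffffffffff66778899aabbffffffffffff1000")
```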

Tuesday, September 18, 2007

New version of wifizoo v1.1

I fixed some bugs, probably added some new ones, and new functionality is also in the new version of WifiZoo. Some of the new functionality is that WifiZoo now keeps track of probe requests and can also graph which SSIDs are being 'probe requested' from which SRCs. I find it useful, or at least interesting; hope you do too :).

You can get it here:

The direct download link is the following:

(if you click the last link, you miss the graph samples :))

Friday, September 07, 2007

WifiZoo - playing with 802.11

I've been playing around with wireless, heard about Ferret from Errata Security which, although it is nothing spectacular, I do believe is a fun/useful tool to have.
I also wanted a tool to leave unattended, hopping through all 802.11 channels, while I go read a book, come back, and get some useful information from it. I also wanted to make graphs of stuff, because everybody loves graphs, and I do too :). I really believe data representation is very important and changes everything.

So I basically reinvented the wheel, added some stuff to it, everything using python, and came up with WifiZoo.

You can check it out at You can find a detailed description of the tool in the previous link.

Again, it is nothing spectacular, but it is a fun tool to use on wireless penetration tests. It works, lots of functionality still needs to be added, but again, it gets the job done. For now, I take the tool as a fun exercise to spend time on from time to time :).

Wednesday, September 05, 2007

New Pass-The-Hash info web page

I just added some more info about Pass-The-Hash here:

It includes scenarios, workarounds, possible issues etc.
I'll be adding more info from time to time, so check it out periodically if you are interested in the tool.

Tuesday, September 04, 2007

Pass-The-Hash Toolkit v1.1 Released

I just released Pass-The-Hash Toolkit v1.1. This release has support for more targets, including German/French versions of Windows XP SP2, and also Windows Server 2003. I added a -B switch that tells IAM.EXE and WHOSTHERE.EXE to look for the necessary memory addresses at runtime using some 'heuristics'; this should also make it work on more targets.

I expect people to continue having issues on some platforms because the things the tool does are dependent on certain memory areas that vary from OS version to OS version, so, if you have issues, please let me know; most of the time it is very easy to add support for your platform to the tool.

The source code is available here.

The binaries are available here


-Improved support for windows xpsp2 german/french, windows 2003 sp1/sp2, both for
-Added to IAM.EXE and WHOSTHERE.EXE the -B switch. If IAM.EXE or WHOSTHERE.EXE is
not working in your configuration, please run the tools again specifying -B at the end.
The -B option will try to find, using 'heuristics', the addresses the tools need
to do what they do. If you are still having issues, please let me know, I expect people
to have issues because the addresses vary from OS version to OS version.

Note for Windows Server 2003 users:

-if you run IAM.EXE and it ends as expected, as if it had worked, but then you run
WHOSTHERE.EXE and the credentials did not change, do the following:

-start a cmd.exe using runas, for example:

runas /user:administrator cmd.exe

-and in the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. And now
it should work.

It seems that sometimes you need a new session, different from the interactive
session, for LSASS.EXE to accept the modifications to the credentials in memory. If
you are logging in to the machine remotely using psexec/Remote Desktop etc. this does
not occur (at least, this is what I observed); I had troubles like this when
logging in interactively to the server. Also, after you run 'runas', running IAM.EXE
in a regular CMD.EXE shell will start working. Don't take any of this as
a precise explanation of what's going on, this is just what I observed and a way
to work around it. I'll analyze what's really going on in the future.

Friday, August 24, 2007

Did you know?: tar files contain your username and group name?

Well, yes, that's right! take a look at the tar file format here, specifically at the 'USTAR format':

So at +265 you have the 'Owner user name' and at +297 'Owner group name'.
let's try it:

Yes, 'hernan', that's me, and 'wheel', yes, that's the group name.
Now go to google and do some 'filetype:tar'/'filetype:tgz' etc. searches
and have fun! :)
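To check the two offsets above on a real archive, here is an added Python example (not part of the original post): it builds a one-member tar in memory, reads the user and group name straight from the ustar header bytes at +265 and +297, and shows how to rewrite an archive with those fields blanked before publishing it. The member name and owner values are constructed sample data.

```python
import io
import tarfile

USTAR_UNAME_OFFSET = 265   # 32-byte 'Owner user name' field
USTAR_GNAME_OFFSET = 297   # 32-byte 'Owner group name' field

def build_tar(uname, gname):
    """Build a one-member USTAR archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name="notes.txt")
        info.size = len(payload)
        info.uname = uname   # tarfile writes these into the ustar header verbatim
        info.gname = gname
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def owner_fields(tar_bytes):
    """Read user and group name directly from the first 512-byte ustar header."""
    header = tar_bytes[:512]
    uname = header[USTAR_UNAME_OFFSET:USTAR_UNAME_OFFSET + 32].split(b"\0", 1)[0]
    gname = header[USTAR_GNAME_OFFSET:USTAR_GNAME_OFFSET + 32].split(b"\0", 1)[0]
    return uname.decode("ascii"), gname.decode("ascii")

def scrub_owner_names(tar_bytes):
    """Rewrite an archive with uname/gname blanked so the headers no longer leak account names."""
    src = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for member in src.getmembers():
            member.uname = ""
            member.gname = ""
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return out.getvalue()

def member_names(tar_bytes):
    """List member names, to confirm scrubbing kept the archive intact."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return tf.getnames()
```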

Friday, August 17, 2007

Pass-The-Hash Toolkit and LSASRV.DLL

One quick note: IAM.EXE reads at specific locations of LSASRV.DLL's address space to obtain data necessary to encrypt the credentials before changing them and other stuff. For that reason, IAM.EXE has specific code that checks for the LSASRV.DLL version present on the system where it is run, and if it does not match with the ones I know, the program exits.

The idea behind this is to avoid situations where you would run the tool on a system that doesn't have the correct LSASRV.DLL version, most likely crashing the LSASS.EXE process and having to reboot your machine. Not good :).

So, if you run IAM.EXE and get something like this:

Checking LSASRV.DLL....Unknown LSASRV.DLL.
LSASRV.DLL: 00050001h. A280884h

It means I don't know about your DLL version. Please send me an email with the version number you have and I'll do my best to get a hold of a copy of that exact DLL version to solve the issue. (While you are at it, also send me the text representation of the DLL version just in case: just right-click the DLL, Properties->Version->File
Version, and also the language of your Windows installation, etc.)

I'll try to come up with a generic solution for this, but since the tool is mostly intended to be run on your own machine and not to be used to compromise a machine or whatever, I didn't think it would matter much to make it generic. This should not be difficult to implement.

On the other hand, WHOSTHERE.EXE does not have such checks because it only reads memory, so when it fails, you only get invalid output; the worst thing that can happen is WHOSTHERE.EXE itself crashing.

Wednesday, August 15, 2007

Release of Pass-The-Hash Toolkit v1.0 for Windows

Ok, so today I'm releasing a tool whose origins go back to 2000, but here it is now, I hope you find it useful, interesting or at least amusing :), any feedback is welcome!!.

I'm releasing Pass-The-Hash Toolkit v1.0, you can find it here:

source code:


For those of you that do not want to read the detailed description :),
in a nutshell, it is pass-the-hash for windows (iam.exe), for example:

iam.exe administrator mydomain 0102030405060708090A0B0C0D0E0F10

After running the program, outbound network connections that use NTLM
authentication will use the new credentials. And a tool
(whosthere.exe) to list currently logged on users and their NTLM
credentials by reading LSASS.EXE's internal structures (see the 'long
description' for use cases).

And now the long description:

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows
Logon Sessions maintained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with their corresponding NTLM credentials (e.g.: users remotely logged
in through Remote Desktop/Terminal Services), and also change at runtime
the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH
on Windows!).

Utilities in the toolkit:

* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to
change your current NTLM credentials without having the cleartext
password, only the hashes of the password. The program receives a
username, domain name and the LM and NT hashes of the password; using
these it will change in memory the NTLM credentials associated with the
current Windows logon session. After the program performs this
operation, all outbound network connections to services that use for
authentication the NTLM credentials of the currently logged on user
will utilize the credentials modified by IAM.EXE. This includes 'net
use', 'net view', many third-party DCOM services that use NTLM
authentication, etc. This is basically 'pass-the-hash' for Windows;
one of the main advantages is that you don't need to use a modified
version of samba or samba-tng and be restricted to the limited
functionality they implement; you can now use Windows and any
third-party software with stolen hashes without having to obtain the
cleartext version of a password. For more information take a look at
this paper I wrote back in 2000: Modifying Windows NT Logon Credentials

* WHOSTHERE.EXE: This tool will list the current logon sessions
with NTLM credentials (username, domain name, LM and NT hashes). Logon
sessions are created by Windows services that log in using specific
users, remote desktop connections, etc. This tool has many uses, one
that I think is interesting: Let's say you compromised a Windows
Server that is part of a Windows Domain (e.g.: a backup server) but is
NOT the domain controller. Since it is not the domain controller, you
only have access to the local SAM, and although you did effectively
compromise a sensitive server you did not compromise the domain.
However, it is very common in such situations to find that
administrators are using Remote Desktop to connect to the compromised
server to perform different tasks. So this is your chance: just wait
for the administrator to log into the compromised server using remote
desktop; at that point, run 'WHOSTHERE.EXE' and you will observe the
administrator's username, domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.

* GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. This is
a small tool to aid testing of IAM.EXE.

Friday, July 27, 2007

Bind IIS to an IP address

Let's say you want IIS 5.0 not to bind to and want it to bind to a specific IP address. You can go to Administrative Tools->Internet Information Services, and then to "server name"->Web sites->Default Web site, right-click, properties, go to the 'Web Site' tab, and in 'Web Site Identification' put the IP address you want IIS to bind to or click the 'Advanced' button to select more than one IP.

And you are all set... well... you are not :). IIS implements something called 'Socket Pooling' and if you have this enabled it basically makes IIS bind to all available IP addresses. So even when you go to the GUI and change the IP you want IIS to bind to, IT DOESN'T WORK. In order to make it work, you need to disable 'Socket Pooling', and you can do so with the following command:

cscript adsutil.vbs set w3svc/disablesocketpooling true

I just thought this was amusing and decided to make a post :). Something similar occurs with IIS 6.0 but I have not tried it yet. You can get more information here:

IIS 5.0:

IIS Binds to All Available IP Addresses When It Starts

How to Disable Socket Pooling

IIS 6.0:

IIS 6.0: Setting Metabase Property DisableSocketPooling Has No Effect

Thursday, July 26, 2007

Gera releases HeapDraw / HeapTracer

Check out Gera's new tool!:

"HeapDraw was originally created as a postmortem analysis tool, to see how the heap evolved during the life of a process. The idea is that although we may be used to textual output, like that of ltrace or a malloc/free hooking library, it's much better to see it graphically (in fact I used to make drawings by hand until I realized "WTF am I doing? I have a computer to do it for me!").
HeapTracer is the new name, after it became a runtime analysis tool."

You can find it here.