Friday, August 24, 2007

Did you know? tar files contain your username and group name

Well, yes, that's right! Take a look at the tar file format here, specifically at the 'USTAR format':

So at +265 you have the 'Owner user name' (32 bytes, NUL-terminated) and at +297 the 'Owner group name' (another 32 bytes). The numeric uid and gid sit at +108 and +116 of every header, USTAR or not, so even an old-style (v7) archive leaks something about who made it.
Let's try it:

Yes, 'hernan', that's me, and 'wheel', yes, that's the group name.
Now go to Google and do some 'filetype:tar' / 'filetype:tgz' etc. searches (a .tgz has to be gunzipped first, the header is inside the compressed stream)
and have fun! :)
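As an added example (not from the post), here is a small Python script that builds a USTAR archive in memory with a constructed owner ('hernan'/'wheel', uid/gid chosen arbitrarily), reads the owner fields straight out of the raw 512-byte header at the offsets above without relying on the tarfile module's parser, and shows a filter that scrubs them before an archive is published. It also handles pre-USTAR (v7) headers, which carry only the numeric ids.

```python
"""Added example: read (and scrub) the owner fields of a tar header."""
import io
import tarfile

# Header layout (offset, length) for the fields discussed in the post.
UID_OFF, GID_OFF = 108, 116      # numeric ids, octal text, 8 bytes each (every format)
MAGIC_OFF = 257                  # b"ustar" marks a USTAR (or GNU) header
UNAME_OFF, GNAME_OFF = 265, 297  # owner user/group name, 32 bytes each (USTAR only)


def _cstr(buf: bytes) -> str:
    """Decode a NUL-terminated header field."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def list_owners(tar_bytes: bytes) -> list:
    """Walk the raw 512-byte headers; return (name, uid, gid, uname, gname) per member."""
    members = []
    off = 0
    while off + 512 <= len(tar_bytes):
        hdr = tar_bytes[off:off + 512]
        if hdr == b"\0" * 512:           # end-of-archive marker
            break
        size = int(_cstr(hdr[124:136]).strip() or "0", 8)
        uid = int(_cstr(hdr[UID_OFF:UID_OFF + 8]).strip() or "0", 8)
        gid = int(_cstr(hdr[GID_OFF:GID_OFF + 8]).strip() or "0", 8)
        if hdr[MAGIC_OFF:MAGIC_OFF + 5] == b"ustar":
            uname = _cstr(hdr[UNAME_OFF:UNAME_OFF + 32])
            gname = _cstr(hdr[GNAME_OFF:GNAME_OFF + 32])
        else:                             # v7 header: numeric ids only
            uname = gname = ""
        members.append((_cstr(hdr[:100]), uid, gid, uname, gname))
        off += 512 + (size + 511) // 512 * 512   # header + data padded to 512
    return members


def scrub_owner(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Filter usable as TarFile.add(..., filter=scrub_owner): drop identifying owner fields."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_tar(uname: str, gname: str, uid: int = 501, gid: int = 20,
              scrub: bool = False) -> bytes:
    """Constructed sample archive: one file whose header carries the given owner fields."""
    data = b"secret notes\n"
    info = tarfile.TarInfo("notes.txt")   # hypothetical file name
    info.size = len(data)
    info.uid, info.gid = uid, gid
    info.uname, info.gname = uname, gname
    if scrub:
        info = scrub_owner(info)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    leaky = build_tar("hernan", "wheel")
    print("raw bytes at +265:", leaky[UNAME_OFF:UNAME_OFF + 8])
    print("raw bytes at +297:", leaky[GNAME_OFF:GNAME_OFF + 8])
    print("members:", list_owners(leaky))
    print("scrubbed:", list_owners(build_tar("hernan", "wheel", scrub=True)))
```

When creating archives from the command line, GNU tar's --owner and --group options do the equivalent of the scrub filter at archive time; the uid/gid at +108/+116 are worth clearing too, since they survive in non-USTAR archives.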

Friday, August 17, 2007

Pass-The-Hash Toolkit and LSASRV.DLL

One quick note: IAM.EXE reads specific locations in LSASRV.DLL's address space to obtain the data it needs to encrypt the credentials before replacing them (among other things). For that reason, IAM.EXE checks the version of the LSASRV.DLL present on the system where it is run, and if it does not match one of the versions I know about, the program exits.

The idea behind this is to avoid running the tool on a system whose LSASRV.DLL has a different layout from the one the tool expects, which would most likely crash the LSASS.EXE process and force a reboot. Not good :).

So, if you run IAM.EXE and get something like this:

Checking LSASRV.DLL....Unknown LSASRV.DLL.
LSASRV.DLL: 00050001h. A280884h

It means I don't know about your DLL version. Please send me an email with the version number you have and I'll do my best to get hold of a copy of that exact DLL version to solve the issue. While you are at it, also send me the text representation of the DLL version just in case (right-click the DLL, Properties -> Version -> File Version), and the language of your Windows installation, etc.

I'll try to come up with a generic solution for this, but since the tool is mostly intended to be run on your own machine and not to be used to compromise a machine or whatever, I didn't think it would matter much to make it generic. This should not be difficult to implement.

On the other hand, WHOSTHERE.EXE does not have such checks because it only reads memory, so when the offsets are wrong you just get invalid output; the worst thing that can happen is WHOSTHERE.EXE itself crashing.

Wednesday, August 15, 2007

Release of Pass-The-Hash Toolkit v1.0 for Windows

Ok, so today I'm releasing a tool whose origins go back to 2000. Here it is now; I hope you find it useful, interesting or at least amusing :). Any feedback is welcome!

I'm releasing Pass-The-Hash Toolkit v1.0; you can find it here:

source code:


For those of you who do not want to read the detailed description :),
in a nutshell, it is pass-the-hash for Windows (iam.exe), for example:

iam.exe administrator mydomain 0102030405060708090A0B0C0D0E0F10

After running the program, outbound network connections that use NTLM
authentication will use the new credentials. The toolkit also includes
a tool (whosthere.exe) that lists the currently logged-on users and
their NTLM credentials by reading LSASS.EXE's internal structures (see
the 'long description' for use cases).

And now the long description:

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows
logon sessions maintained by the LSA (Local Security Authority)
component. These tools allow you to list the current logon sessions
with their corresponding NTLM credentials (e.g. users remotely logged
in through Remote Desktop/Terminal Services), and also to change at
runtime the current username, domain name, and NTLM hashes (YES,
PASS-THE-HASH on Windows!).

Utilities in the toolkit:

* IAM.EXE: Pass-The-Hash for Windows. This tool allows you to
change your current NTLM credentials without having the cleartext
password, using only the hashes of the password. The program receives a
username, domain name and the LM and NT hashes of the password; using
these it changes, in memory, the NTLM credentials associated with the
current Windows logon session. After the program performs this
operation, all outbound network connections to services that
authenticate with the NTLM credentials of the currently logged-on user
will use the credentials set by IAM.EXE. This includes 'net
use', 'net view', many third-party DCOM services that use NTLM
authentication, etc. This is basically 'pass-the-hash' for Windows;
one of the main advantages is that you don't need to use a modified
version of Samba or Samba-TNG and be restricted to the limited
functionality they implement: you can now use Windows and any
third-party software with stolen hashes without having to obtain the
cleartext version of the password. For more information take a look at
this paper I wrote back in 2000: Modifying Windows NT Logon Credentials

* WHOSTHERE.EXE: This tool lists the current logon sessions
with their NTLM credentials (username, domain name, LM and NT hashes).
Logon sessions are created by Windows services that log in as specific
users, by Remote Desktop connections, etc. This tool has many uses; one
that I think is interesting: let's say you compromised a Windows
server that is part of a Windows domain (e.g. a backup server) but is
NOT the domain controller. Since it is not the domain controller, you
only have access to the local SAM, and although you did effectively
compromise a sensitive server you did not compromise the domain.
However, it is very common in such situations to find that
administrators use Remote Desktop to connect to the compromised
server to perform different tasks. So this is your chance: just wait
for the administrator to log into the compromised server using Remote
Desktop; at that point, run 'WHOSTHERE.EXE' and you will observe the
administrator's username, domain name, and NTLM hashes. Now go to your
machine, use them with IAM.EXE and compromise the domain controller
using the administrator's credentials.

* GENHASH.EXE: This is a small utility that generates LM and NT
hashes using some 'undocumented' functions of the Windows API. It is
meant to aid testing of IAM.EXE.