Wednesday, October 21, 2009

List of Addresses for the Pass-the-Hash toolkit -a switch

Many people contact me frequently asking for the correct addresses to use with the -a switch of whosthere.exe and iam.exe for different versions of Windows, languages, etc.

Although I will continue answering these questions, I have put together a list of addresses for different versions of lsasrv.dll to make the process a little bit easier both for me and for you.

The list currently contains a low amount of addresses but It will grow eventually, your contributions are very welcome but please send me your lsasrv.dll along with the addresses because I need to verify the addresses are correct.

The file containing the list of addresses is very simple:

'sha1' is the sha1 hash of the lsasrv.dll. This is used to identify different versions of the DLL

'File version' and 'Language' are the version and language of lsasrv.dll

'addresses' are the addresses to use with the -a switch

So, basically, if you have a version of windows where whosthere.exe and iam.exe are not working, first try iam-alt.exe and whosthere-alt.exe, if that doesn't work or if you want to specifically use whosthere.exe and iam.exe calculate the sha1 hash of your lsasrv.dll file (located in c:\windows\system32\lsasrv.dll) and look it up in the list of addresses.

If you can't find it there, just email me your lsasrv.dll. I'll answer with the correct addresses and will add them to the list.

You can find the list of addresses here:

No comments: