Extract credentials directly from registry hives [tool release]

From: "Brendan Dolan-Gavitt" <mooyix@xxxxxxxxx>
Date: Wed, 20 Feb 2008 20:55:38 -0500

Hey pen testers,

Ever wanted to extract LSA secrets, dump cached domain hashes, or just
get the local LM and NT hashes from a Windows box without booting into
Windows? Or maybe you came by some registry hives but don't have
access to the original box they came from -- cachedump and lsadump2
won't work in this case. Or perhaps you just want to learn how the
obfuscation algorithms in Windows work without digging through
hard-to-read C.

To solve these problems, I announce CredDump:

http://code.google.com/p/creddump/

From the README:

---
creddump is a python tool to extract various credentials and secrets
from Windows registry hives. It currently extracts:

* LM and NT hashes (SYSKEY protected)
* Cached domain passwords
* LSA secrets

It essentially performs all the functions that bkhive/samdump2,
cachedump, and lsadump2 do, but in a platform-independent way.

It is also the first tool that does all of these things in an offline
way (actually, Cain & Abel does, but is not open source and is only
available on Windows).
---

I hope this will be of use to you all. Please let me know if you
discover any bugs!

Cheers,
Brendan

PS: For a slightly more detailed introduction to the tool, see:
http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Prev by Date: Urgent - Web Applications Auditing
Next by Date: Pentesting tool - Commercial
Previous by thread: Urgent - Web Applications Auditing
Next by thread: Pentesting tool - Commercial
Index(es):
- Date
- Thread

Relevant Pages

Re: Hijacking the hashes : multiple windows mail clients vulnerability
... this technique has been known and discussed ad nauseum for several years, ... Windows 2000 was kicked with a vulnerability that allowed ... >client tried to validate sending the hashes of the user... ... >simply send a html formatted mail message that includes this code: ...
(Vuln-Dev)
[TOOL] OPHCRACK with Windows and Linux GUI
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Ophcrack version 2.0 is a windows password cracker based on the faster ... * Dumps hashes from local and remote hashes, ... * Dumps hashes from encrypted SAM and config, provided you boot on a CD ...
(Securiteam)
Re: URGEN... unixe password Vs. windows NT password
... made hash lists, ist is quite faster than brute forcing unix passwords. ... Windows does not use salts, so there are fewer alternations to check, ... So you can brute force both halfs independently, ... > hashes, that are considerable more secure than the good old crypt. ...
(comp.security.unix)
New Windows tool - PWDumpX v1.0
... The PWDumpX v1.0 tool allows a user with administrative privileges to retrieve the encrypted password hashes and LSA secrets from a Windows system. ... If an input list of remote systems is supplied, PWDumpX will attempt to obtain the encrypted password hashes and the LSA secrets from each remote Windows system in a multi-threaded fashion. ...
(Pen-Test)
Re: cracking kerberos password
... Windows never sends the hashes over the network--instead, they're used the computation of challenge-response pairs. ... To get the hashes directly you break into the authentication server on the network--typically the domain controller. ... Remember, though, that Kerberos uses NT hashes. ... Abandon "complex" passwords in favor of long passphrases. ...
(microsoft.public.win2000.security)