New version of pwdump, and announcing fgdump!

From: fizzgig@securityfocus.com
Date: Thu Dec 22 2005 - 15:00:30 EST


Because we at Foofus networks are generous folks, we've decided to release a number of open source tools just in time for Christmas, which we hope some of you folks will find useful. This particular announcement covers the two that I have been responsible for developing: pwdump6 and fgdump.

PWDump6 (http://www.foofus.net/fizzgig/pwdump)

Based on the wildly popular pwdump3e, it's been updated and modernized a bit to suit our needs, and has been useful to other folks in the security assessment community as well. It runs in a fashion very similar to 3e, but has the following changes:

- Locates any available, writable share, not just ADMIN$
- Replaces the remote registry method of remote communication with a named pipe method
- Eliminates dependency on the CryptoAPI, which appeared to cause certain problems for us in rare circumstances
- Marks itself as executable when writing to the LSASS process, thereby avoiding some NX problems

If you've had trouble with pwdump crashing some boxen, give pwdump6 a try.

fgdump (http://www.foofus.net/fizzgig/fgdump)

fgdump really started as a simple wrapper around pwdump. Certain AV programs reacted poorly to pwdump; the worst cases resulted in an AV solution consuming 100% of the CPU, requiring a reboot typically. So initially, fgdump simply shut down AV before running pwdump, but now it does much more. Major features include:

- Support for multiple hosts using text files
- Automatic binding/unbinding to IPC$
- Detection, automatic shutdown and restart of a number of common AV solutions
- Password dumping using pwdump6
- Cached credential dumping using cachedump
- Ability to write results to a log, including summaries

We are using fgdump quite a lot in our assessments, and it is continuing to evolve. Next up will be the ability to dump LSA secrets, for example. If you tend to forget to stop AV or are looking for a more robust password dumping solution, I highly recommend looking at fgdump.

Both tools are GPL licensed and such. I welcome any comments, feedback or feature suggestions, as long as they are constructive of course (send to fizzgig -AT- foofus -DOT- net, unmangled appropriately).

Merry Christmas/Happy Holidays!

--fizzgig
