New version of Pass-The-Hash Toolkit v1.1
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: New version of Pass-The-Hash Toolkit v1.1
- From: "Hernan Ochoa" <hernan@xxxxxxxxx>
- Date: Tue, 4 Sep 2007 14:30:02 -0300
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=T41tztzhhOk19hY3EKlKW+b31mH5zkNOLW1t023prSN5YwBROStJvywtqVFcKMTw81ak5TWYLFGilCgIO4BxP87CdPIxjWzcuvP6sP01qHmuBf1b/4Ss0vi5pT+f+NlBuoCrJHrS6lGQ+WNlgWYxRGg9J1Agf3beUtINzrtxaGg=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=U0rJGlLX8jxtIsaQpZbXVK610R4WBoY/aAHbUwlbPHiZE0MSZ0s6HnHF/Yv/YO9QNn3oamrTKwAaJSm2SEVmPDHpm+oKTY65J6vQoKwFMa8QnHyfktV4FyL8vbi+xhj91Y3g/9dyrGdUKlMfOpZ4jbP8AKem/SNpDHg1RCrQzFw=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Hi!,
Pass-The-Hash Toolkit v1.1 is available here:
Source:
http://oss.coresecurity.com/pshtoolkit/release/1.1/pshtoolkit_src_v1.1.tgz
Binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.1/pshtoolkit_v1.1.tgz
This version basically works best with German/French versions of WinXPSP2, and
also with Windows Server 2003. If you had problems with any of these
with the previous
version, please try this one. Now, there's basically a -B switch that
tries to find the necessary addresses in runtime, and a bigger
database of possible addresses.
If you have issues, PLEASE let me know!. and thanks to all the people
that sent emails and gave me the necessary feedback to come up with a
solution to their pshtoolkit-related problems :).
WHATSNEW.What's new?:
-Improved support for windows xpsp2 german/french, windows 2003
sp1/sp2, both for
IAM.EXE and WHOSTHERE.EXE
-Added to IAM.EXE and WHOSTHERE.EXE the -B switch. If IAM.EXE or
WHOSTHERE.EXE is
not working in your configuration, please run the tools again
specifying -B at the end.
The -B option will try to find, using 'heuristics', the addresses the tools need
to do what they do. If you are still having issues, please let me
know, I expect people
to have issues because the addresses vary from OS version to OS version.
Note for Windows Server 2003 users:
-if you run IAM.EXE and it ends as expected, as If it had worked, but
then you run
WHOSTHERE.EXE and the credentials did not change, do the following:
-start a cmd.exe using runas, for example:
runas /user:administrator cmd.exe
-and in the new console run IAM.EXE, and then WHOSTHERE.EXE to verify. And now
it should work.
It seems that sometimes you need a new session different than the interactive
session for LSASS.EXE to accept the modifications to the credentials
in memory. If
you are logging to the machine remotely using psexec/Remote Desktop
etc this does
not to occur (at least, this is what I observed), I had troubles like this when
logging interactively to the server. Also after you run 'runas', running IAM.EXE
in a regular CMD.EXE shell will start working. Don't take any of this as
a precise explanation of what's going on, this is just what I observed and a way
to work around it. I'll analyze what's really going on in the future..