Dump hashes from SAM files remotely with NMAP and pwdump

While on a penetration test it is sometimes necessary to pull hash files from Windows systems to crack weak passwords.  You could easily do this with a Metasploit meterpreter session, but sometimes I like to do it without exploiting the box.  Also, doing it remotely over the network without a user's knowledge is always a big plus.  This method isn't always usable and available, but in the right situation we can use an NMAP script called smb-pwdump.nse to do this.  The downside is that it requires an account on the box, and right now the target needs to be running Windows Server 2000 or Server 2003 for the script to be able to pull the local accounts.

First, we obviously need NMAP installed.  For this tutorial I’ll be using Backtrack4-R1, which currently has NMAP 5.35DC1 installed.  If you look in the directory /usr/share/nmap/scripts you’ll see all sorts of scripts that do some really helpful things on a test.

What we’re going to use is the one called smb-pwdump.nse.  If you don’t have that script you’ll need to download it and put it into the scripts directory.  The only place I could find the script was in a slightly older version of NMAP, version 5.00.

The next thing you'll need is the pwdump executable and its DLL files.  Those you can get from here:

wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2

Just extract those into this directory:  /usr/share/nmap/nselib/data

Create the directory if need be.  Once you have the script and the executable and DLLs you're ready to go.  To use the script, run the following command, changing the arguments to match your credentials and target:

# nmap -p 135,139,445 --script=smb-pwdump.nse --script-args=smbuser=administrator,smbpass=lamepassword <target>

The output will look similar to this…

The hashes are dumped out in lm:ntlm form and are ready to be cracked in a tool like ophcrack, which I'll cover in a later post.  Remember, this information is only intended for use on systems you own or have permission to test.
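Before handing a dump like this to a cracker, it is worth auditing what it reveals about the host's password hygiene, since the same properties that make ophcrack fast (LM hashes still stored, blank passwords, one password reused across accounts) are the findings a defender needs to fix. The script below is an added example, not part of the original post or of the NMAP script; it assumes the pwdump6 line layout `user:RID:LM:NT:::` and runs on constructed sample lines with made-up hashes.

```python
import re
from collections import defaultdict

# Well-known constants: the LM hash and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the assumed pwdump6 layout user:RID:LM:NT:::
# (RIDs and hashes are made up; "NO PASSWORD*..." is how pwdump6 marks a missing LM hash).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
helpdesk:1002:NO PASSWORD*********************:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def audit(records):
    """Flag the weaknesses an lm:ntlm dump exposes to a cracker."""
    # A real LM hash (not the empty-password constant) means LM storage is still enabled.
    lm_present = [u for u, _, lm, _ in records if HEX32.match(lm) and lm != EMPTY_LM]
    # An NT hash equal to the empty-password constant means the account has no password.
    blank_password = [u for u, _, _, nt in records if nt == EMPTY_NT]
    # Identical NT hashes mean identical passwords across accounts.
    by_nt = defaultdict(list)
    for u, _, _, nt in records:
        if HEX32.match(nt):
            by_nt[nt].append(u)
    shared_nt = [sorted(users) for users in by_nt.values() if len(users) > 1]
    return {"lm_present": lm_present, "blank_password": blank_password, "shared_nt": shared_nt}


if __name__ == "__main__":
    for finding, accounts in audit(parse_pwdump(SAMPLE)).items():
        print(f"{finding}: {accounts}")
```

Any account listed under `lm_present` means the host still stores LM hashes, which is fixed with the "Do not store LAN Manager hash value on next password change" policy followed by a password change.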

Information gathered from http://seclists.org/nmap-dev/2009/q1/22
