sjryjailcat / creddump

Automatically exported from code.google.com/p/creddump
GNU General Public License v3.0

Bug Fix to "Stamp Out" LM and NTLM Hash Corruption in Hashdump.py Code #3

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The hashdump.py code used by pwdump.py yields corrupted hashes when 
Windows LM and NTLM hashes are extracted from SAM/SYSTEM files.

What steps will reproduce the problem?

1. A user who is not storing an LM hash
2. A system which has password histories enabled

What is the expected output? What do you see instead?

The expected output is the correct NT hash for the user.  However, an LM and 
NTLM hash are presented to the user.  Neither of these hashes are correct and 
will not crack.

What version of the product are you using? On what operating system?

Creddump2.0 on Windows XP <=> Windows 8 Pre-Release.  Windows 2000 is also 
expected to yield the same, but has not been tested yet.

Please provide any additional information below.

I've attached two files to this submission, one is a patch diff for a fix we've 
developed for the hashdump.py script and the other is the actual patched file.

This issue along with other extraction tools that are affected in a similar way 
will be discussed at BlackHat USA 2012 and DEFCON 20 in 2 weeks.

If you have questions, please let us know.

-Jonathan Claudius (@claudijd)
-Ryan Reynolds (@reynoldsrb)

Original issue reported on code.google.com by jonathan...@gmail.com on 8 Jul 2012 at 8:00

GoogleCodeExporter commented 8 years ago
Thanks for the patch! I've included it and uploaded a new version to the 
downloads area.

Original comment by moo...@gmail.com on 1 Aug 2012 at 2:55