The hashdump.py code used by pwdump.py yields corrupted hashes when
Windows LM and NTLM hashes are extracted from SAM/SYSTEM files.
What steps will reproduce the problem?
1. A user who is not storing an LM hash
2. A system which has password histories enabled
What is the expected output? What do you see instead?
The expected output is the correct NT hash for the user. However, an LM and
NTLM hash are presented to the user. Neither of these hashes are correct and
will not crack.
What version of the product are you using? On what operating system?
Creddump2.0 on Windows XP <=> Windows 8 Pre-Release. Windows 2000 is also
expected to yield the same, but has not been tested yet.
Please provide any additional information below.
I've attached two files to this submission, one is a patch diff for a fix we've
developed for the hashdump.py script and the other is the actual patched file.
This issue along with other extraction tools that are affected in a similar way
will be discussed at BlackHat USA 2012 and DEFCON 20 in 2 weeks.
If you have questions, please let us know.
-Jonathan Claudius (@claudijd)
-Ryan Reynolds (@reynoldsrb)
Original issue reported on code.google.com by jonathan...@gmail.com on 8 Jul 2012 at 8:00