nmap dump windows hash

Summary: While on a penetration test it is sometimes necessary to pull hash files from Windows systems to crack weak passwords.

While on a penetration test it is sometimes necessary to pull hash files from Windows systems to crack weak passwords. You could easily do this with a Metasploit meterpreter session, but sometimes I like to do it without exploiting the box. Also, doing it remotely over the network without a user’s knowledge is always a big plus. This method isn’t always usable and available, but in the right situation we can use an NMAP script called smb-pwdump.nse to do this. The downside is that it requires an account on the box, and right now the target needs to be running Windows 2000 Server or Windows Server 2003 for it to be able to pull the local accounts.

First, we obviously need NMAP installed. For this tutorial I’ll be using Backtrack4-R1, which currently has NMAP 5.35DC1 installed. If you look in the directory /usr/share/nmap/scripts you’ll see all sorts of scripts that do some really helpful things on a test.

What we’re going to use is the one called smb-pwdump.nse. If you don’t have that script you’ll need to download it and put it into the scripts directory. The only place I could find the script was in a slightly older version of NMAP, version 5.00.


The next thing you’ll need is the pwdump executable and dll files. Those you can get from here:

wget http://swamp.foofus.net/fizzgig/pwdump/pwdump6-1.7.2-exe-only.tar.bz2

Just extract those into this directory: /usr/share/nmap/nselib/data

Create the directory if need be. Once you have the script and the executable/DLLs you’re ready to go. To use the script, run the following command, changing the options to match your credentials and target…

# nmap -p 135,139,445 --script=smb-pwdump.nse --script-args=smbuser=administrator,smbpass=lamepassword 192.168.0.190

The output will look similar to this…

The hashes are dumped out in LM:NTLM form and are ready to be cracked in a tool like ophcrack, which I’ll cover in a later post. Remember, this information is only intended for use on systems you own or have permission to use it on.
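From the defender's side, the technique above leaves a recognisable footprint on the target: the script authenticates over SMB with an account that already exists on the box, pushes the pwdump executable and DLL to the host, and runs them as a service. On a Windows 2000/2003 host that shows up as a network logon (Security Event 4624, logon type 3), usually an ADMIN$ share access (Event 5140), and a new service installation (System Event 7045) a few seconds later, all under the same account. The following example is added here and is not part of the original post or of the nmap project; it correlates those three event types over a constructed, simplified key=value log export. The field names, timestamps, service name and IP addresses in the sample are constructed for the example, and the 120-second correlation window is an assumption you would tune for your environment.

```python
"""Correlate a network logon with a service installation that follows it.

Added example (not from the original post or from nmap).  pwdump-style hash
dumping over SMB needs a remote logon followed by a freshly installed service,
so the detector flags every Event 7045 that is preceded, within a short window,
by an Event 4624 with LogonType=3 for the same account.  An ADMIN$ access
(Event 5140) in the same window raises confidence.  The log format and all
values below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Assumption: 120 s is generous for a scripted upload-and-start sequence.
WINDOW = timedelta(seconds=120)

# Constructed export: "<iso-timestamp> <channel> <event id> key=value ...".
# 10.0.0.5 is the constructed source of the remote logon; the service name,
# binary path and account names are constructed too.
SAMPLE_EVENTS = r"""
2010-03-01T10:14:02 Security 4624 LogonType=3 Account=administrator SrcIP=10.0.0.5
2010-03-01T10:14:03 Security 5140 Share=\\*\ADMIN$ Account=administrator SrcIP=10.0.0.5
2010-03-01T10:14:05 System 7045 ServiceName=servpw ImagePath=%SystemRoot%\system32\servpw.exe Account=administrator
2010-03-01T11:00:00 System 7045 ServiceName=wuauserv ImagePath=%SystemRoot%\system32\svchost.exe Account=SYSTEM
2010-03-01T12:30:00 Security 4624 LogonType=2 Account=jdoe SrcIP=-
2010-03-01T12:30:10 System 7045 ServiceName=AcmeAgent ImagePath=C:\Program Files\Acme\agent.exe Account=jdoe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
# Values may contain spaces (e.g. "C:\Program Files\..."), so a value runs
# until the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_events(text):
    """Parse the constructed export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, channel, event_id, rest = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "channel": channel,
            "event_id": int(event_id),
            "fields": dict(FIELD_RE.findall(rest)),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_remote_service_installs(text, window=WINDOW):
    """Return one alert per 7045 that follows a type-3 logon by the same account."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        acct = ev["fields"].get("Account")
        start = ev["ts"] - window
        recent = [e for e in events
                  if start <= e["ts"] <= ev["ts"]
                  and e["fields"].get("Account") == acct]
        remote_logons = [e for e in recent
                         if e["event_id"] == 4624
                         and e["fields"].get("LogonType") == "3"]
        if not remote_logons:
            continue  # installed from a local session: not the pattern we want
        admin_share = any(e["event_id"] == 5140
                          and e["fields"].get("Share", "").upper().endswith("ADMIN$")
                          for e in recent)
        alerts.append({
            "time": ev["ts"].isoformat(),
            "account": acct,
            "source_ip": remote_logons[-1]["fields"].get("SrcIP"),
            "service": ev["fields"].get("ServiceName"),
            "image": ev["fields"].get("ImagePath"),
            "admin_share": admin_share,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_remote_service_installs(SAMPLE_EVENTS):
        print(f"[!] {a['time']} {a['account']} from {a['source_ip']} installed "
              f"service {a['service']} ({a['image']}); "
              f"ADMIN$ access in window: {a['admin_share']}")
```

Of the three service installations in the sample only the first is reported: the Windows Update service is started locally by SYSTEM and the Acme agent follows an interactive (type 2) logon, so neither matches. A real deployment would read the Security and System channels from the event collector rather than a flat text export, and would add an allow-list of image paths that your management tooling legitimately installs. The same logon-then-service pattern also covers other remote-execution tools that push a service binary over ADMIN$, so the rule is worth keeping even after the hosts this post targets are retired.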

Information gathered from http://seclists.org/nmap-dev/2009/q1/22
