Pass-The-Hash Toolkit v1.3 released
The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes
What’s new in this release :
- PASSTHEHASH.IDC: This .IDC IDA Pro script can be used to obtain the addresses iam and whosthere need to obtain/modify logon session credentials. Load LSASRV.DLL into IDA Pro (make sure to import the symbols) and run the script to get the addresses you need to add to the source code to add support for the LSASRV.DLL version you have, in case it is not supported yet. If you use the script, please send me the addresses so I can include them in the next version of the toolkit.
- IAM-ALT and WHOSTHERE-ALT: two new tools written from scratch that do the same thing that IAM and WHOSTHERE do but using a slightly different technique, aiming at making the tool work on more systems without requiring users to modify the source code of iam/whosthere (or wait for the next version:)). The good thing about this ’alt’ version of the iam/whosthere tools is that they SHOULD work on more windows versions without modifications. The ’bad’ thing is that both tools need to execute code inside lsass.exe. The tools basically use the functions MSV1_0.DLL!NlpDeletePrimaryCredential,MSV1_0.DLL!NlpAddPrimaryCredential, and MSV1_0.DLL!NlpGetPrimaryCredential; these are the functions gsecdump uses (if I’m not mistaken).
The current heuristics used to find the functions inside MSV1_0.DLL is horrible but it works. hosthere uses a method tha allows it to obtain credentials just by reading memory, without executing any code. iam does not, but just because I’m lazy, it will do it eventually, the downside to this approach is that although it does use heuristics to verify hardcoded addresses, it does have hardcoded addresses anyways.And that’s why to help solve this issue but at the same time maintain the possiblity of obtaining credentials without executing code inside lsass.exe, I created the passthehash.idc script. If you don’t care about executing code inside lsass.exe, use whosthere-alt.
- iam/whosthere: Added support for more windows versions. including different languages.
- iam/iam-alt: new syntax. now you have to use -h to specify the credentials.
- whosthere/whosthere-alt: new -o switch to dump credentials to a file
- whosthere/whosthere-alt: new -i switch that will make whosthere/whosthere-alt display current logon credentials found in memory and then wait forever for new logon sessions and display only those new sessions. you can use this switch together with the -o switch to dump credentials found to a file. Now you can leave the tool running and it will log all unique interactive logon sessions created, it makes easier the job of waiting for the administrator to log into the compromised machine where whosthere/whosthere-alt is running. Thanks to heathengod for the idea of this feature.
- several bugfixes and stuff