What is pwdump2?

This is an application which dumps the password hashes (OWFs, the one-way-function hashes) from NT's SAM database, whether or not SYSKEY is enabled on the system. NT Administrators can now enjoy the additional protection of SYSKEY while still being able to check for weak user passwords. The output follows the same format as the original pwdump (by Jeremy Allison), and can be used as input to l0phtcrack, or used with Samba. You need the SeDebugPrivilege for it to work. By default, only Administrators have this right, so this program does not compromise NT security. A good discussion of the issues surrounding NT's password hashes can be found here.

How do I use it?

First, of course, back your system up, and try it on a test machine. Take both the pwdump2.exe and samdump.dll files and place them together in a directory on your NT box's local file system. Determine the process id of lsass.exe. (You can do this with Task Manager.) Now, assuming the pid is, e.g., 43, run:

[c:\pwdump2] pwdump2 43

and the contents of the SAM will be written to the console. To capture the output in a file, run, e.g. "pwdump2 43 > passwd.txt".

How does it work?

It uses a technique known as DLL injection. In general, one process (pwdump2.exe) forces another process (lsass.exe) to load a DLL (samdump.dll) and execute some code from the DLL in the other process's (lsass.exe's) address space and user context. In this specific case, once samdump.dll is loaded into lsass, it uses the same internal API that msv1_0.dll uses to access the password hashes. This means it can get the hashes without doing any of the 'hard' work of pulling them out of the registry and decrypting them. The program neither knows nor cares what the encryption algorithms or keys are.
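The technique above only works because the caller holds SeDebugPrivilege, which the first section notes is granted only to Administrators by default. The following Python is an added example, not part of pwdump2, that checks that claim on a given system: it parses the [Privilege Rights] section of a `secedit /export /cfg <file>` style export and reports any principal other than BUILTIN\Administrators (well-known SID S-1-5-32-544) holding the right. The export text here is constructed (real exports are UTF-16 INI files with many more entries); the section and line layout follow secedit's format.

```python
# Constructed sample of a `secedit /export /cfg <file>` output (assumption:
# real exports are UTF-16 INI files with many more sections and entries).
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def parse_privilege_rights(text):
    """Return {privilege: [principals]} from the [Privilege Rights] section.
    secedit writes SIDs with a leading '*'; account names appear bare."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def unexpected_debug_holders(text, allowed=(ADMINISTRATORS_SID,)):
    """Principals granted SeDebugPrivilege beyond the allowed set.
    Anyone listed here can open lsass.exe the way pwdump2 does."""
    holders = parse_privilege_rights(text).get("SeDebugPrivilege", [])
    return [p for p in holders if p not in allowed]


if __name__ == "__main__":
    for sid in unexpected_debug_holders(SAMPLE_EXPORT):
        print(f"SeDebugPrivilege is also granted to {sid}; review this assignment")
```

Run the same function over a real export to confirm that no extra users or groups have been granted the right by policy.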

Is source available?

Yes, full source is provided here under the terms of the GNU General Public License. For alternate licensing, send me mail. A previous version of pwdump2 used sample code from Advanced Windows, 3rd Ed., by Jeffrey Richter, ISBN 1-57231-548-2, and was subject to his copyright. I have rewritten the relevant portions, so that full source can be made available. Nevertheless, anyone interested in DLL injection, or advanced Windows programming in general, should definitely get Richter's book; it's outstanding.

What systems has it been tested on?

Not too many. The following systems have been successfully tested. If you successfully test it on a version not listed here, let me know and I'll update the list. Also, if you find that it doesn't work in a given system/configuration, let me know.

Limitations

pwdump2 could do more, and some of the things it does could be done better. For instance:

What happens if I have problems?

Officially, you're on your own. However, if you encounter problems running it, I'd like to hear about them, so send mail. I can't promise that I'll be able to help you with them, though.

Download pwdump2

MD5 (pwdump2.zip) = 3c26b77e948d486cbd697e45fd8f56f4

copyright © 1998 Todd Sabin