ehjelmstad <ehjelmstadEBIZ-TECH.COM> writes:

> e-business technology would like to announce the release of pwdump3, a
> Windows NT/2000 remote password hash grabber.
> [...]
> This program was written by Phil Staubs and has been released under the
> GNU GPL.
>

[Bias warning: I'm the author of pwdump2, on which pwdump3 is based.]

Well, I have a few things I'd like to say about this.

1. Security, or lack thereof.

One of the reasons that I have not (as of yet, see below) added the
ability to dump a remote machine to pwdump2 is that it's not so easy
to do it securely. The problem is that the password hashes are
plaintext equivalent, meaning that if you simply dump hashes on a
remote machine and then copy them over your network, anyone who sniffs
them will more or less own you. Therefore, copying your hashes
unencrypted over the network is a bad idea, and not something I wanted
to add to pwdump2.

Now, this new pwdump3 doesn't quite do that. If you look at the
source code, you'll see that it does perform an obfuscation step
(using a random key) before copying the hashes back from the remote
machine. However, the random key is also copied over the network.
So, in effect, there's no real encryption being done here. Anyone can
still sniff the wire and recover all of your password hashes. They do
state this at the very bottom of the README file, but a slightly more
prominent warning might be a good idea. The problem with READMEs is
that no one ever does, especially not to the very end.

Anyway, I'd recommend against using pwdump3 in anything other than a
lab scenario.

2. Why "pwdump3"?

ebiz-tech did email me a while ago, saying that they were writing
this, and asking under what conditions they could use my pwdump2 code.
I told them that it was GPL'ed, and so they were allowed to use it,
provided that they also GPL their code. However, I suggested that
since what they were writing was clearly just an enhancement to
pwdump2, why didn't they just send me a patch, let me include it in
pwdump2, and give them credit? That is, after all, how things are
normally done with open source projects. They never replied.

3. A new pwdump2 is in the works

So, I figured they were probably going to go ahead with pwdump3
anyway. And I started figuring out how to add the ability to dump a
remote machine (relatively) securely to pwdump2. I've got a working
prototype, but unfortunately, it's not quite ready, yet. It should be
ready to go in about 2-3 weeks... and it will still be called pwdump2.
When it's ready, I'll put an update at the usual places:

http://razor.bindview.com/tools/desc/pwdump2_readme.html
http://www.webspan.net/~tas/pwdump2

Todd

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]