pwdump and AV issues

[cb122]

Our AV scanner (forefront endpoint protection) picks up pwdump and fgdump as malicious programs and subsequently we cant get the tool to dump out the hashes to a text file. This isnt as part of a pen test its a valid requirement from a security officer to check password strength twice a year. Are there any clever ways of bypassing AV (disabling it on the client/host is not an option) so we can use fgdump/pwdump.

[ajohnson]

You should be able to make exceptions for specific files and directories.

[cb122]

I was wondering if there were any clever workarounds without having to touch the AV settings.

[ajohnson]

Are these domain credentials? Just make a shadow copy: http://pauldotcom.com/2011/12/safely-dumping-hashes-now-avai.html

[Dark_Knight]

smbexec was designed to get around pesky AV....so definitely look into it

https://github.com/brav0hax/smbexec

Videos:
http://www.youtube.com/results?search_query=smbexec&oq=smbexec&gs_l=youtube.3..0.7551.9130.0.9302.7.5.0.2.2.0.88.421.5.5.0...0.0...1ac.1.rrrjRI59B2M

[cb122]

Many Thanks

[ajohnson]

smbexec uses the patched winexe to address the issue detailed here: http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html

While this will avoid controls that flag MSF psexec behavior, I would assume using winexe to run pwdump or whatever would still be detected because that file is copied to the system and then executed.

You could also test your AV controls by using MSF's psexec module and running hashdump, although this may cause stability issues on DCs. I use the shadow copy method when doing this on my clients' systems.