May 2, 2008 at 9:35 pm #2374Don DonzalKeymaster
Just in case you didn’t know, fgdump is now the tool to use for dumping password hashes from Windows systems.
I love having time to update tools.
I got around to adding 64-bit support to pwdump (1.7.0) and cachedump (technically referring to it as 2.0), which means I needed to build a new version of fgdump. At the same time, I rolled out a few new features which I’ve either been sitting on, or have been talking about for awhile. And of course, as is typical with new releases, most AV is blind at least for a bit. 🙂 Here’s a list of things that have changed:
– fgdump will now detect 64-bit targets and report them as such
– 64-bit pwdump and cachedump will be used when the target is detected as 64-bit
– Fixed a problem when connecting to some Samba servers where RegQueryValueEx would not behave as expected
– fgdump will now generate a session ID during each run – used to correlate failed logs and regular logs
– Added command line to log file
– Added session ID to log file
– Created a new file with the format (session-id).failed which contains greppable data on failed hosts
– A log file is always generated of the format (session-id).fgdump-log
– -l will now override the default log name (see above)
– Added -a option to prevent tampering with AV. This is useful if you know AV is not picking it up, you want to tamper with the target as little as possible
A couple of notes about the log files. First off, a log file will ALWAYS be generated now, and will contain the date and time of the run. You can override this using -l if you want it to be named something specific. fgdump will now also generate a .failed file, which will contain a list of hosts that were unsuccessful. This file contains greppable records so you can quickly identify what hosts failed, why, and if there are still processes running on the host. This should help during the cleanup phase. The fields in this file are as follows (all separated by “|” characters):
1. Host IP/name
2. Windows error number (e.g. 5 for access denied)
3. 1 if processes are still (possibly) running on the target, 0 if everything should be cleaned up
4. Text of the error, if available
Additionally, the command line used to invoke fgdump is stored in the log file now. This means, if you pass the password on the command line, IT WILL BE RECORDED IN THE LOG FILE! If this bothers you, please omit the -p parameter and simply provide the password when fgdump asks for it. Please also note that this version has quite a number of changes in it and, while I’m releasing it as non-beta, there is a higher-than-normal chance for bugginess. As usual, please report any issues you find.
Get it here:
May 3, 2008 at 9:04 am #17694RoleReversalParticipant
I’m about to do some work in the windows domain so I’ll add the updated version to my toolbox.
June 19, 2008 at 3:45 am #17695rdkumarjParticipant
Thanks for this tool , Such a Nice One…
June 26, 2008 at 5:42 pm #17696BanDxParticipant
If I run fgdump from my PC to dump from a remote server that is a domain controller is anything installed on the remote server? Is there any risk to the domain controller?
Here is a sample of the command I want to run:
fgdump.exe –h 192.168.0.10 –k -u administrator –p password
Thanks in advance.
June 26, 2008 at 5:57 pm #17697AnonymousParticipant
i dont remember is fgdump installs itself as a service or just does dll injection to dump the hashes, it should be in the documentation though.
keep in mind, anytime you start playing with those types of tools there is the “possibility” of messing something up, usually not permanently though. a reboot usually fixes it, but that might suck for a DC.
- You must be logged in to reply to this topic.