
pwdump and AV issues


cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Tue Feb 05, 2013 6:39 am

pwdump and AV issues

Our AV scanner (Forefront Endpoint Protection) picks up pwdump and fgdump as malicious programs, and subsequently we can't get the tool to dump out the hashes to a text file. This isn't as part of a pen test; it's a valid requirement from a security officer to check password strength twice a year. Are there any clever ways of bypassing AV (disabling it on the client/host is not an option) so we can use fgdump/pwdump?

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 05, 2013 7:13 am

Re: pwdump and AV issues

You should be able to make exceptions for specific files and directories.
The day you stop learning is the day you start becoming obsolete.

cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Tue Feb 05, 2013 7:25 am

Re: pwdump and AV issues

I was wondering if there were any clever workarounds without having to touch the AV settings.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 05, 2013 8:05 am

Re: pwdump and AV issues

Are these domain credentials? Just make a shadow copy: http://pauldotcom.com/2011/12/safely-du ... -avai.html
The day you stop learning is the day you start becoming obsolete.

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Tue Feb 05, 2013 8:55 am

Re: pwdump and AV issues

smbexec was designed to get around pesky AV... so definitely look into it.

https://github.com/brav0hax/smbexec

Videos:
http://www.youtube.com/results?search_q ... rrjRI59B2M
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

cb122

Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Tue Feb 05, 2013 10:58 am

Re: pwdump and AV issues

Many Thanks

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 05, 2013 2:12 pm

Re: pwdump and AV issues

smbexec uses the patched winexe to address the issue detailed here: http://carnal0wnage.attackresearch.com/ ... stead.html

While this will avoid controls that flag MSF psexec behavior, I would assume using winexe to run pwdump or whatever would still be detected because that file is copied to the system and then executed.

You could also test your AV controls by using MSF's psexec module and running hashdump, although this may cause stability issues on DCs. I use the shadow copy method when doing this on my clients' systems.
The day you stop learning is the day you start becoming obsolete.
