PWCrack-CredDump

Type
Program
SubType
Malware Tool
Discovery Date
02/25/2008
Minimum DAT
5237 (02/25/2008)
Updated DAT
5237 (02/25/2008)
Minimum Engine
5.1.00
Description Added
02/25/2008
Description Modified
08/05/2008 12:14 AM (PT)

Characteristics

PWCrack-CredDump is a Python tool that extracts various credentials and secrets from Windows registry hives. It currently extracts:

  • LM and NT hashes (SYSKEY protected)
  • Cached domain passwords
  • LSA secrets

It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way. It is also the first open-source tool that does all of these things offline, working from copies of the hive files rather than the running system.

This tool contains the following three Python main programs, which are detected as "PWCrack-CredDump":

  • creddump-0.1\pwdump.py
  • creddump-0.1\cachedump.py
  • creddump-0.1\lsadump.py

Some relevant background:

  • LM and NT hashes (SYSKEY protected):
    The Security Accounts Manager, or SAM, has been used by Windows since the days of NT to store information on local user accounts. It takes the form of a registry hive and is stored in %WINDIR%\system32\config. Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. To make the hashes harder to recover, Microsoft introduced SysKey, an additional layer of obfuscation. SysKey is on by default in Windows 2000 and above.
  • LSA secrets:
    The LSA secrets store is a protected storage area used by the Local Security Authority (LSA) subsystem in Windows to keep important pieces of information safe from prying eyes, such as the default password for systems that have auto-logon enabled, the timestamp used by Windows to decide when to stop working if it has not been activated, and an encryption key used to encrypt cached domain credentials.
  • Cached domain passwords:
    When a Windows computer is joined to a domain, authentication of users is performed not against the local SAM database but by querying the domain controller. However, by default Windows does store domain credentials on client machines. The reason for this is simple: if the domain controller is unavailable for some reason, users would still like to be able to log into their machines using their credentials; for this reason Windows caches the domain credentials of the last (by default) 10 users to log on to the machine.

Aliases

    N/A