Sponsored by BindView

PWDUMP2

Updated: April 6, 2000

What's New?

It's been a while since pwdump2 was first released, and it's time for an update. This new version adds two new features:

  • It can now dump password hashes from Active Directory. (The original version wasn't able to do this.)
  • It can determine the pid of lsass automatically, so you don't need to supply it on the command line.

What is pwdump2?

This is an application which dumps the password hashes (the one-way functions, or OWFs, of the passwords) from NT's SAM database, whether or not SYSKEY is enabled on the system. NT Administrators can now enjoy the additional protection of SYSKEY while still being able to check their users' passwords for weak ones. The output follows the same format as the original pwdump (by Jeremy Allison), so it can be fed to L0phtCrack or used with Samba. You need SeDebugPrivilege for it to work. By default, only Administrators hold this right, so this program does not compromise NT security: it gives an Administrator nothing that the right itself does not already grant.

How do I use it?

First, of course, back your system up, and try it on a test machine. Take both the pwdump2.exe and samdump.dll files and place them together in a directory on your NT box's local file system. Then, just run

[c:\pwdump2] pwdump2

and the contents of the SAM will be written to the console. To capture the output in a file, run, e.g. "pwdump2 > passwd.txt".
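The text above says the output is in pwdump format and that the point of dumping is to check for weak passwords. The following is an added example, not pwdump2's own code: a small auditor for a captured passwd.txt. It parses the user:rid:lmhash:nthash::: lines, flags empty passwords, flags accounts that still have an LM hash (and, from the LM hash alone, passwords of seven characters or fewer), and matches NT hashes against a word list by recomputing the NT one-way function (MD4 over the UTF-16LE password; MD4 is implemented inline because many hashlib builds no longer ship it). The sample lines and word list are constructed for this example; the hashes for an empty password and for "password" are the real values, while the first LM half on the "backup" line is a placeholder.

```python
"""Audit pwdump-format output for weak passwords (added example, not part of pwdump2)."""
import struct

EMPTY_LM_HALF = "aad3b435b51404ee"              # LM half-hash of an empty 7-byte block
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4.  Implemented here because hashlib builds often lack it."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: a 0x80 byte, zeros to 56 mod 64, then the bit length (little-endian).
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & mask
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c   # rotate the registers
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT one-way function: MD4 over the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """user:rid:lmhash:nthash:::  (the trailing fields are empty in pwdump2 output)."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    return {"user": fields[0], "rid": int(fields[1]),
            "lm": fields[2].lower(), "nt": fields[3].lower()}


def audit(lines, wordlist):
    """Return {user: [finding, ...]}.  An empty list means nothing was flagged."""
    by_nt = {nt_hash(w): w for w in wordlist}     # hash the word list once, match many
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        issues = []
        if rec["nt"] == EMPTY_NT:
            issues.append("empty password")
        elif rec["nt"] in by_nt:
            issues.append("cracked: " + by_nt[rec["nt"]])
        if rec["lm"] != EMPTY_LM_HALF * 2:
            # An LM hash is present: case-folded password split into two 7-byte DES keys,
            # so the second half alone tells you whether the password is short.
            issues.append("LM hash stored")
            if rec["lm"][16:] == EMPTY_LM_HALF:
                issues.append("password is 7 characters or fewer")
        findings[rec["user"]] = issues
    return findings


# Constructed sample output.  The "backup" line's first LM half is a placeholder,
# not a real hash; only its (empty) second half matters to the check above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
tsabin:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
backup:1001:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""
WORDLIST = ["secret", "password", "letmein"]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE.splitlines(), WORDLIST).items():
        print("%-14s %s" % (user, "; ".join(issues) or "ok"))
```

Run it against a real passwd.txt with `audit(open("passwd.txt").read().splitlines(), words)`. The LM checks cost nothing because they read structure out of the hash; the NT word-list match is the same trick L0phtCrack starts with, just without the brute-force stage.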

This newer version of pwdump2 is able to find the pid of lsass.exe automatically. Several people sent me source code to do this, but they all required an extra DLL, which is why I never incorporated them. Recently, Gary Nebbett published Windows NT/2000 Native API Reference, an invaluable reference, documenting virtually every undocumented NT kernel call. Among other things, it demonstrates a method of determining pids without linking to more DLLs. pwdump2 now includes code which does this. If for some reason pwdump2 fails to determine the proper pid, it will complain and exit. You can still specify the pid on the command line to work around this possibility. Determine the process id of lsass.exe (you can do this with Task Manager). Then, assuming the pid is, e.g., 43, run:

[c:\pwdump2] pwdump2 43

How does it work?

It uses a technique known as DLL injection. In general, one process (pwdump2.exe) forces another process (lsass.exe) to load a DLL (samdump.dll) and execute code from that DLL inside the other process's address space and user context, which for lsass means LocalSystem. In this specific case, once samdump.dll is loaded into lsass, it calls the same internal API that msv1_0.dll uses to access the password hashes. This means it can get the hashes without doing any of the 'hard' work of pulling them out of the registry and decrypting them. The program neither knows nor cares what the encryption algorithms or keys are.

Is source available?

Yes, full source is provided here under the terms of the GNU General Public License. For alternate licensing, send me mail. A previous version of pwdump2 used sample code from Advanced Windows, 3rd Ed., by Jeffrey Richter, ISBN 1-57231-548-2, and was subject to his copyright. I have rewritten the relevant portions so that full source can be made available. Nevertheless, anyone interested in DLL injection, or advanced Windows programming in general, should definitely get Richter's book; it's outstanding.

What systems has it been tested on?

The original version has been tested on quite a lot. It's known to work on pretty much all versions of NT4 and W2K, possibly excepting Windows Terminal Services (see below).

The new version obviously has not been tested a lot, yet. If you'd rather use the original, you can still download it below. You'll still need to specify lsass's pid, of course, and it won't work on Active Directory.

There have been reports of the original pwdump2 not working on various systems, but nothing I've been able to nail down. I believe a lot of this is people running it without the correct privileges and not realizing it. However, it does appear that there may be some bad interaction with either some virus protection systems or Windows Terminal Services (or both). I have nothing concrete on these; if you have problems in these areas, please let me know. Also, if you've found that pwdump2 does work for you in either of these situations, I'd appreciate hearing about that as well (with version information as specific as you can provide).

Limitations

  • It doesn't dump the user's full name, just the account name.

What happens if I have problems?

Officially, you're on your own. However, if you encounter problems running it, I'd like to hear about them, so send mail. I can't promise that I'll be able to help you with them, though.

Download pwdump2 — 46kb

MD5 (pwdump2.zip) = 560b92164864a9dbe0760b4c8fc1e147

Download original pwdump2 — 50kb

MD5 (pwdump2-orig.zip) = 3c26b77e948d486cbd697e45fd8f56f4

copyright © 1998, 2000 Todd Sabin



Contact: info@razor.bindview.com | Fax: 508-485-0737 | Bindview Home