Forensic Toolbox: pwdump and fgdump

Description

fgdump and pwdump are both tools used to extract account information from the SAM (Security Account Manager) database on a Windows machine. The SAM database stores usernames, user IDs, and (hashed) user passwords. It is located at C:\Windows\system32\config\SAM and is implemented as a registry hive file. A SAM entry, as shown by these tools, looks something like this:

[user name]:[user ID]:[LAN Manager hash]:[NTLM hash]

Since Windows Vista, the LAN Manager hash has been turned off by default (see the LANMAN section below for why), so unless the system is very poorly configured there should typically be no LM hash in that field. There are different versions of each tool. fgdump was written as a newer version of pwdump and is used more often for most practical purposes. However, pwdump has several versions with capabilities similar to fgdump, if not greater (Quarks PwDump, for example).

The advantages that fgdump has over most pwdump versions include displaying password histories (if available), attempting to disable antivirus software before running, and connecting to hosts remotely. Typically, passwords are now stored using the NTLMv2 protocol, which uses the MD5 hashing algorithm. This algorithm is more difficult to crack than other hashing algorithms (like the one used by the LAN Manager protocol), but it can still be cracked with the right tools. fgdump and pwdump are typically used in conjunction with a password cracker like John the Ripper, L0phtCrack, Ophcrack, Cain and Abel, etc.

 

LANMAN

LAN Manager (LANMAN or LM) is a very weak method of storing passwords and should never be enabled on modern systems. Its hashing method works as follows:

  1. Convert the password to all uppercase
  2. Truncate the password to 14 characters
  3. Split this password into two 7-character (7-byte) blocks
  4. Encrypt what remains using a very weak encryption algorithm, the Data Encryption Standard (DES)

These hashes are very easy to crack, leaving the passwords vulnerable. The output of fgdump or pwdump will typically show no password in the LAN Manager hash field, because LM has been disabled by default in Windows since Windows Vista. Modern Windows machines use NTLMv2 to store their passwords.
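The four steps above carried through in Go, as an added example that is not code from this page or from either tool. It builds the LM hash exactly as described and then exposes the property that makes LM both easy to attack and easy to spot in a dump: the two halves are hashed independently, so the second half of any password of seven characters or fewer is always the same fixed value. It assumes an ASCII password (the real algorithm first converts to the OEM code page) and uses Go's standard-library DES.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext LAN Manager DES-encrypts under each half.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes, 7 bits per byte, leaving the
// low (parity) bit of each byte zero; DES ignores parity bits.
func desKeyFrom7(half []byte) []byte {
	var v uint64
	for _, b := range half {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(v>>(49-7*i)&0x7F) << 1
	}
	return key
}

// LMHash follows the four steps in the text: uppercase, cut to 14 bytes
// (zero-padded when shorter), split into two 7-byte halves, DES-encrypt
// lmMagic with each half as key. Assumes an ASCII password (OEM code page omitted).
func LMHash(password string) string {
	pw := strings.ToUpper(password)
	if len(pw) > 14 {
		pw = pw[:14]
	}
	buf := make([]byte, 14)
	copy(buf, pw)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, _ := des.NewCipher(desKeyFrom7(buf[i*7 : i*7+7])) // 8-byte key, never errors
		c.Encrypt(out[i*8:i*8+8], lmMagic)
	}
	return hex.EncodeToString(out)
}

// SecondHalfEmpty is true when the second half equals the hash of an empty
// half, i.e. the password was at most 7 characters; a quick weakness check.
func SecondHalfEmpty(lmHash string) bool {
	return len(lmHash) == 32 && lmHash[16:] == LMHash("")[16:]
}

func main() { println(LMHash(""), SecondHalfEmpty(LMHash("short"))) }
```

The value LMHash("") returns is the constant pwdump and fgdump print in the LM field when LM storage is disabled, which is how a reviewer tells "no LM hash" apart from a real one.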

NTLM

Microsoft released NT LAN Manager (NTLM) as an improvement over LANMAN. The original version (NTLMv1) used the MD4 hashing algorithm to hash the password, but it also still used LANMAN for passwords shorter than 14 characters. This led to the creation of NTLMv2, which uses the MD5 hashing algorithm on passwords. An interesting consequence is that many password policies on networks where older machines are common require passwords to be at least 15 characters, so that LANMAN is never used for backward compatibility if it is enabled for some reason.

 

Basic Usage

pwdump

To use pwdump, download the tool and open a command prompt as an administrator. You must have administrative rights to use pwdump and fgdump, since you are accessing a protected registry file. If this is your system, perfect. If not, there are ways to access an administrative command prompt without an administrative account (if you are curious, look up "Windows sticky keys hack"). However, as always, make sure you have the owner's permission to do this or you could end up in serious legal trouble.

Once in an administrative command prompt, simply use the command:

pwdump7.exe -o passwords.txt        (substitute the path to the pwdump version you are using)

The -o option sets the name of the output file that the SAM database contents are written to. It is optional, since the > redirect symbol can be used instead to send the tool's output to a text file for later analysis, like so: pwdump7.exe > passwords.txt (this redirect also works for fgdump). Options vary depending on which version of pwdump you use, but this is enough to save the SAM data to a readable text file.

fgdump

To use fgdump, download the tool, open up an administrative command prompt and run fgdump.exe. You can use the > redirect symbol to redirect the output of this tool to a file to be analyzed later, as described in the ‘pwdump’ section above.

To use fgdump remotely, use the command:

fgdump.exe -h [IP address of remote Windows machine] -u [administrative username] -p [password to login with username]

Whether used remotely or locally, this should return the same data as the pwdump7 tool, as they both simply dump the contents of the same database.

 

How to Use in Forensics Investigation

Although these tools are more often used for 'hacking' purposes, they can be useful in a forensics investigation as well. Attackers will often create a new user account on the victim machine so that their actions are less likely to trigger alarms. By using a tool such as pwdump to dump all the SAM data into a file, it becomes easy to list every user account on that machine and spot rogue accounts that are not recognised.
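As an added example (not part of this page or of either tool), a small Go triage script that reads dump lines in the user:ID:LM hash:NTLM hash layout described in the Description and reports the two things an investigator looks for here: accounts missing from a baseline list of expected users, and accounts that still carry a real LM hash. The sample dump and every hash value in it are constructed placeholders; the only real constant is the LM hash of the empty password, which the dump shows when LM storage is disabled.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// emptyLM is the LM hash of the empty password; the dump shows it when LM storage is disabled.
const emptyLM = "aad3b435b51404eeaad3b435b51404ee"
// Account is one dump line in the layout the text gives: user:ID:LM hash:NTLM hash.
type Account struct{ User, RID, LM, NT string }

// ParseDump keeps lines with at least those four fields (pwdump's trailing ":::" is tolerated).
func ParseDump(text string) []Account {
	var out []Account
	for _, line := range strings.Split(text, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 4 || f[0] == "" {
			continue
		}
		// hashes are lowercased so they compare reliably against emptyLM
		out = append(out, Account{f[0], f[1], strings.ToLower(f[2]), strings.ToLower(f[3])})
	}
	return out
}

// Triage returns one finding per problem: an account missing from the baseline, or one with a real LM hash.
func Triage(accts []Account, baseline map[string]bool) []string {
	var findings []string
	for _, a := range accts {
		if !baseline[a.User] {
			findings = append(findings, fmt.Sprintf("unrecognised account %q (RID %s)", a.User, a.RID))
		}
		// a real LM hash is 32 hex digits other than the empty marker; "NO PASSWORD***" text fails the hex decode
		if _, err := hex.DecodeString(a.LM); err == nil && len(a.LM) == 32 && a.LM != emptyLM {
			findings = append(findings, fmt.Sprintf("LM hash present for %q: LANMAN storage is enabled", a.User))
		}
	}
	return findings
}

// sampleDump is constructed for this example; every hash except emptyLM is a placeholder.
const sampleDump = `Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1002:1122334455667788aabbccddeeff0011:00112233445566778899aabbccddeeff:::`

func main() { fmt.Println(Triage(ParseDump(sampleDump), map[string]bool{"Administrator": true, "Guest": true, "alice": true})) }
```

Run against a real dump, the baseline would be the list of accounts the system owner expects to exist; anything else is a candidate rogue account to investigate.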

 

Try it out!

Take a few minutes to download either of these tools and try them out! You’ll learn more by doing. It’s interesting to see which hashes show up. If you’re really adventurous or just want to learn a useful skill, try to crack the hashed passwords using Google and one of the password-cracking applications mentioned in the Description above. There are other tools, such as mimikatz, which use other methods of obtaining Windows passwords (not accessing the SAM database). As a security expert, it’s important to know all routes of possible attack. 

 

Personal Note

When I first learned about these tools, it was crazy to me how easy it was to dump passwords, even if they were hashed. I’ve cracked Windows passwords stored with LANMAN before (without needing to log into any account, simply by booting into the machine with a Kali boot-disk) and it’s eerily fast, showing just how vulnerable those passwords are. Since these tools are a little bit older, they may not necessarily work with all versions of Windows 10, but there are always new tools coming out as ‘hackers’ discover new ways to bypass security measures. As with any tool, these tools can be used in different ways to accomplish different things. Just as they are useful for cracking Windows passwords, they also serve an important role within digital forensics. 

 

Download Source: 

pwdump: http://www.openwall.com/passwords/windows-pwdump 

fgdump: http://sectools.org/tool/fgdump/

 

More Information: 

Facts about SAM

More information on pwdump, fgdump, and password cracking

Using Kali Linux to crack Windows passwords

What is Syskey?

 
