fgdump - remotely dump Windows NTLM hashes and domain cached credentials while avoiding AV

fgdump is targeted at the security auditing community, and is designed to be used for good, not evil. :) Note that, in order to effectively use fgdump, you're going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

In quick summary, the main code execution path of fgdump is as follows:
1. Bind to a remote machine (or a list of machines) using IPC$
2. Stop AV, if it is installed
3. Locate file shares exposed on that machine
4. Find a writable share from the above list, bind it to a local drive
5. Upload fgexec (used for remote command execution) and cachedump
6. Run pwdump (including the password history dump)
7. Run cachedump
8. Run pstgdump
9. Delete uploaded files from the file share
10. Unbind the remote file share
11. Restart AV if it was running
12. Unbind from IPC$
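The same execution path is what a defender can key on: an IPC$ session, an AV service stop, a binary written to an administrative share, and the AV service started again, all from one source against one host inside a short window. The following is an added example, not fgdump's own code, that walks a small state machine over that sequence per (source, target) pair; the log format, the normalised event names and the AV service name hints are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: "timestamp|source_ip|target_host|event|detail".
# The event names are a hypothetical normalisation of share-access and service-state audit records.
SAMPLE_EVENTS = """\
2011-06-01T10:00:01|10.0.0.5|FS01|share_connect|IPC$
2011-06-01T10:00:03|10.0.0.5|FS01|service_stop|AntiVirusService
2011-06-01T10:00:05|10.0.0.5|FS01|share_write|ADMIN$\\fgexec.exe
2011-06-01T10:00:06|10.0.0.5|FS01|share_write|ADMIN$\\cachedump.exe
2011-06-01T10:00:22|10.0.0.5|FS01|service_start|AntiVirusService
2011-06-01T11:15:00|10.0.0.9|FS01|share_connect|IPC$
2011-06-01T11:15:02|10.0.0.9|FS01|share_write|ADMIN$\\report.docx
"""

WINDOW = timedelta(minutes=5)
# The stages of the fgdump run described above, in the order they must appear per source/target.
STAGES = ("share_connect", "service_stop", "share_write", "service_start")
AV_HINTS = ("antivirus", "defender", "mcafee", "symantec")  # constructed list; tune per site

def parse(lines):
    for line in lines.splitlines():
        ts, src, dst, event, detail = line.split("|", 4)
        yield datetime.fromisoformat(ts), src, dst, event, detail

def relevant(event, detail):
    # Keep only events that can form a stage: AV service changes, IPC$ binds, share writes.
    if event in ("service_stop", "service_start"):
        return any(h in detail.lower() for h in AV_HINTS)
    if event == "share_connect":
        return detail.upper() == "IPC$"
    return event == "share_write"

def find_dump_sequences(lines):
    """Return (src, dst) pairs whose events walk through STAGES within WINDOW."""
    progress = defaultdict(lambda: (0, None))  # key -> (next stage index, window start)
    hits = []
    for ts, src, dst, event, detail in sorted(parse(lines)):
        if not relevant(event, detail):
            continue
        key = (src, dst)
        idx, start = progress[key]
        if start is not None and ts - start > WINDOW:
            idx, start = 0, None  # window expired: restart the state machine
        if event == STAGES[idx]:
            idx, start = idx + 1, start or ts
            if idx == len(STAGES):
                hits.append(key)
                idx, start = 0, None
        progress[key] = (idx, start)
    return hits
```

Only the 10.0.0.5 session completes all four stages; the 10.0.0.9 session binds IPC$ and writes a file but never touches the AV service, so it is not reported.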


Copyright 2011 Hash Krackin