Dumping NTLM Hash’s from Windows with Fgdump.

With the release of the new Question-Defense online NTLM, MD5 and MD4 cracker I decide to write a quick how to on grabbing the hash’s from a windows system. In order for this to work you need at least one username and logon of a user with admin privileges. I may in the future write a article on how to escalate your privileges from a user to a admin, but for the sake of this article will assume you know at least one admin user log on.

 

The tool I am going to use is called fgdump and is available here. The are other tools called PWDump which achieve the same result but I really like fgdump so I use it for all my hash dumping needs. My target is going to be a Windows 2003 server, but this will work on XP, Vista and Windows 7.

The tool can just be run on the local machine with no arguments at all and will dump the hash’s to a log file:

Now this is pretty easy but what if you do not have physical access to the server?

We can use fgdump remotely which is the way I generally use it.

Lets run a quick scan of our target and make sure its up with the proper ports open for the connection:

Ok so we see if our server target is up.

I use a great many command line windows tool so I try to keep them all in the C:/tools directory and add it to the path. I also like to have my cygwin binaries in the path so I can have UNIX like commands in my windows terminal. Check this article if you are interested in doing that.

So lets run our tool. Its pretty much the same we just need to add a few arguments:

1. -h the ip of the host
2. -u the username
3. -p the password

Once we hit enter and execute the fgdump.exe it will notify us if the command completed successfully or not:

As you can see we had a successful dump. This will be saved in a log file in pwdump format on the machine we ran the tool from.

Lets see what that looks like:

Now this is the part where most people get confused. Windows actually uses two kinds of hashing algorithms. The first is called LM which is old and obsolete and is actually turned of by default in Windows Vista and Windows 7. The second one is called NTLM which is the one we are currently interested in.

So at this point you are probably wondering what part of that gibberish is the actual NTLM hash.

Lets open it in notepad so we can get a better look:

 

So lets break down the fields:

Alex:1004:F5D023D8475D3F6E144E2E8ADEF09EFD:6E6212F9FAC92682C51BB68DDC4819D7:::

The fields are separated by colons. So the first field is clearly the username, the second field is the user id, the third field is the LM hash. On systems with LM disabled like Windows 7, this will be blank. The final field is the NTLM hash we are interested in. I have highlighted the correct section of the hash in the picture in order to be really clear on the subject.

Once you have the hash, just copy it to you clipboard and open up our online cracker and select a option and let Question-Defense’s servers  do the hard work for you:

Once your job has been completed the results will be emailed to you. And not one ounce of CPU power on your local machine used. We also offer special rates for companies who are interested in auditing large lists of passwords to make sure their users are practicing secure password policies.