| To: | pen-test@securityfocus.com |
|---|---|
| Subject: | Re: Password audits |
| From: | Nicolas RUFF <nicolas.ruff@gmail.com> |
| Date: | Sat, 11 Nov 2006 15:12:04 +0100 |
| Cc: | xelerated <xelerated@gmail.com> |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | pentest-list2@consult.net |
| Delivered-to: | mailing list pen-test@securityfocus.com |
| Delivered-to: | moderator for pen-test@securityfocus.com |
| Domainkey-signature: | a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding; b=anUjITEbgbpiwREJ4tXFHouSSZihiUmlersjB29xI2bW15YTRhto/rqmzJO1On8zLhn4lOdAO9zq0juVUR8MT+THQz8EY0DJcV1zN+Oyf1OixWqcMoPkfMkivCrjXtSRo1IAsYEM/zwBDaq2siBWVmalo1fVuRmy+saaFPDJ9jQ= |
| In-reply-to: | <9362a28f0610230500x3c879328j7646697230337fd@mail.gmail.com> |
| List-help: | <mailto:pen-test-help@securityfocus.com> |
| List-id: | <pen-test.list-id.securityfocus.com> |
| List-post: | <mailto:pen-test@securityfocus.com> |
| List-subscribe: | <mailto:pen-test-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:pen-test-unsubscribe@securityfocus.com> |
| Mailing-list: | contact pen-test-help@securityfocus.com; run by ezmlm |
| References: | <9362a28f0610230500x3c879328j7646697230337fd@mail.gmail.com> |
| Resent-date: | Sat, 11 Nov 2006 17:33:02 -0700 (MST) |
| Resent-from: | pen-test-return-1078482960@securityfocus.com |
| Resent-message-id: | <20061112003302.08B3A237670@outgoing3.securityfocus.com> |
| Resent-sender: | listbounce@securityfocus.com |
| Sender: | listbounce@securityfocus.com |
| User-agent: | Thunderbird 1.5.0.8 (Windows/20061025) |
Indeed most problems are coming from DEP being enabled, as pointed out before on the list: http://seclists.org/pen-test/2005/Sep/0229.html To fix this, just replace: alloc(..., PAGE_READWRITE); with: alloc(..., PAGE_EXECUTE_READWRITE); in the source. In my experience, you can also run into trouble when starting PWDUMP from inside a "SYSTEM" shell, or from a Terminal Server (or Citrix) session. If "samdump.dll" is blocked at load time by some antivirus, you will also experience PWDUMP becoming a "dead process" (infinite blocking on ReadPipe()). At the end, I would recommend using Cain (with remote Abel server on the target). It is more stable, DEP-compatible, and not always detected by antivirus. http://www.oxid.it/ Regards, - Nicolas RUFF ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------ |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | New Article on SecurityFocus: FreeBSD Security Event Auditing (with Robert Watson) interview, Erin Carroll |
|---|---|
| Next by Date: | Re: Nikto open ports, Radu Oprisan |
| Previous by Thread: | New Article on SecurityFocus: FreeBSD Security Event Auditing (with Robert Watson) interview, Erin Carroll |
| Next by Thread: | N-Stalker or Acunetix, exploit1001 |
| Indexes: | [Date] [Thread] [Top] [All Lists] |