[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matthew Jonkman matt at ...2436...
Tue Jul 20 09:44:02 EDT 2004

I don't believe a null session is used with pwdump. It's got to have 
admin rights to run pwservice.exe and get the hashes.

What I see hit when using pwdump3e are:

NETBIOS SMB-DS ADMIN$ share unicode access
NETBIOS SMB-DS Create AndX Request winreg unicode attempt

And the 2 rules I put up on bleedingsnort.com as well. Since the 2 above 
can hit for legitimate traffic, they aren't a good indication of hostile 


Kreimendahl, Chad J wrote:

> There is a signature for pwdump/etc...
> Null sessions are what are typically used to pull out the entire
> user/passhash on domain controllers...
> So set your target variable to the systems you care about... and you're
> set.
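The point Matthew makes above, that each of the two stock rules also fires on legitimate admin traffic, suggests correlating them instead of alerting on either alone: the same source opening ADMIN$ and the winreg pipe on the same target within a short window is a much better pwdump-style indicator than either hit by itself. The script below is an added example, not code from the original thread or from the Snort or bleedingsnort projects. It assumes Snort's fast-alert output layout; the alert lines, hosts and SIDs (placeholders in the local 1000000+ range, not the real rule IDs) are constructed for the example.

```python
"""Correlate two individually noisy Snort alerts into one finding.

Added example, not part of the original thread. Assumes Snort's fast-alert
line format; sample alerts and SIDs below are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Rule messages as they appear in the post (matched exactly on the msg field).
ADMIN_SHARE = "NETBIOS SMB-DS ADMIN$ share unicode access"
WINREG = "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (placeholder SIDs, not real Snort rule IDs).
# 10.0.0.5 -> 10.0.0.10: ADMIN$ then winreg 3.5 s apart (the suspicious pattern).
# 10.0.0.7 -> 10.0.0.20: the same two rules, but 15 minutes apart (routine admin).
SAMPLE_ALERTS = [
    "07/20-09:40:01.000000  [**] [1:1000001:1] " + ADMIN_SHARE +
    " [**] [Priority: 3] {TCP} 10.0.0.7:1033 -> 10.0.0.20:445",
    "07/20-09:40:20.000000  [**] [1:1000001:1] " + ADMIN_SHARE +
    " [**] [Priority: 3] {TCP} 10.0.0.5:1045 -> 10.0.0.10:445",
    "07/20-09:40:23.500000  [**] [1:1000002:1] " + WINREG +
    " [**] [Priority: 3] {TCP} 10.0.0.5:1046 -> 10.0.0.10:445",
    "07/20-09:55:00.000000  [**] [1:1000002:1] " + WINREG +
    " [**] [Priority: 3] {TCP} 10.0.0.7:1040 -> 10.0.0.20:445",
]


def parse_alert(line):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    a = m.groupdict()
    # Fast-alert timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport"):
        a[k] = int(a[k])
    return a


def correlate(lines, window_seconds=60):
    """Return (src, dst, seconds_apart) for every src->dst pair where both the
    ADMIN$ rule and the winreg rule fired within window_seconds of each other."""
    seen = defaultdict(lambda: {ADMIN_SHARE: [], WINREG: []})
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["msg"] not in (ADMIN_SHARE, WINREG):
            continue
        key = (a["src"], a["dst"])
        other = WINREG if a["msg"] == ADMIN_SHARE else ADMIN_SHARE
        # Check this alert against earlier alerts of the *other* rule for the same pair.
        for earlier in seen[key][other]:
            delta = abs((a["ts"] - earlier).total_seconds())
            if delta <= window_seconds:
                hits.append((a["src"], a["dst"], delta))
                break
        seen[key][a["msg"]].append(a["ts"])
    return hits


if __name__ == "__main__":
    for src, dst, delta in correlate(SAMPLE_ALERTS):
        print(f"ADMIN$ + winreg from {src} to {dst} within {delta:.1f}s")
```

With the default 60-second window only the 10.0.0.5 -> 10.0.0.10 pair is reported; widening the window to an hour also pulls in the routine 10.0.0.7 -> 10.0.0.20 activity, which shows why the window, like Chad's target variable, needs tuning to the environment rather than a fixed value.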
