Archive for September, 2010

[TOOL] pwClean – cleaning your password dump files

Posted in Security, Tools on 2010/09/24 by mram

I finally picked up some code I had lying around and finally created something useful with it. Not a big thing, just a simple tool that you can use to remove useless accounts and password hashes from the output of your favorite password dumping tool (pwdump, fgdump, gsecdump, etc.)

Skip the blabla and go straight to the Tools section.


So, you are doing a pentest and got several system rooted, maybe even a domain controller. One of the steps after compromise is getting the password hashes to get them cracked. Knowing the passwords in stead of only the hashes is an important step as it can for example provide you with access to that important financial application that is not AD-integrated.


But now you have got this text file with over 100K lines of password hashes. Sorting of the hashes before cracking is essential as your favorite tool dumps the hashes of many, many accounts that you are not interested in (system accounts, built-in, history, etc).

You can filter by hand or use your favorite text editor. But you need it to be faster, easier.


Introducing pwClean: a simple yet effective Windows application that helps you with exactly this problem: sorting the files with password hashes.

Using pwClean

Using pwClean to select Administrative accounts: contain 'adm' and in this case also '-a'


  • independent for password dumping tool used (support for pwdump, pwdumpX, gsecdump, fgdump);
  • graphical user interface for easy clicky-click (I know you windows pentesters like that);
  • can select administrative accounts identified by *adm*;
  • lets you select your domain specific ‘admin’ tag, e.g. if the naming convention uses ‘oper_<name>’ you enter ‘oper_’ as the admin identifier;
  • can remove system accounts (the accounts with the trailing $);
  • can remove built-in accounts like Guest, krbtgt, SUPPORT_388945a0, HelpAssistant, TSInternetUser, IWAM_* and IUSR_*;
  • can remove history accounts (_hist or _1) and wil remove the ‘(current)’ tag;
  • supports multiple input files.

Not yet implemented:

  • removal of accounts of which only the SID is know and not the name (orphaned/deleted accounts with the long numbers instead of an account name)
  • drag ‘n drop

Download link can be found in the  section ‘Tools and Papers‘.

Let me know any comments if you have any.


Champagne shampoo?!

Posted in Champagne, Random, Useless news on 2010/09/19 by mram
Bubbly shampoo?

Enjoy the taste!

Yes, it does exist. Andrélon, a Dutch found company making hair styling products and shampoos, is celebrating it’s 70 year birthday. They are celebrating with a special part edition of their shampoo, called Champagne Shampoo. I bet only the bottle is different.

But as ‘Champagne’ is a legally protected term, the wine farmers from the Champagne region are upset for illegal use of the term. All I can say is great marketing stunt from both Andrélon and the wine farmers as they both hit the news with absolutely no effort at all.

Only question I have remaining is wether the shampoo has any bubbles?

Hello World!

Posted in Random on 2010/09/18 by mram

Hello world, welcome to my blog! Here I will post my thoughts about two things I like: champagne and security & hacking