[TOOL] pwClean – cleaning your password dump files

I finally picked up some code I had lying around and created something useful with it. Nothing big, just a simple tool you can use to remove useless accounts and password hashes from the output of your favorite password dumping tool (pwdump, fgdump, gsecdump, etc.).

Skip the blabla and go straight to the Tools section.

Situation

So, you are doing a pentest and have got several systems rooted, maybe even a domain controller. One of the steps after compromise is getting the password hashes so they can be cracked. Knowing the passwords instead of only the hashes is an important step, as it can for example provide you with access to that important financial application that is not AD-integrated.

Problem

But now you have this text file with over 100K lines of password hashes. Sorting the hashes before cracking is essential, as your favorite tool dumps the hashes of many, many accounts that you are not interested in (system accounts, built-in accounts, history entries, etc.).

You can filter by hand or with your favorite text editor. But you need it to be faster and easier.

Solution

Introducing pwClean: a simple yet effective Windows application that helps you with exactly this problem: sorting the files with password hashes.

Using pwClean

[Screenshot: using pwClean to select administrative accounts that contain 'adm' and, in this case, also '-a']

Pros:

  • independent of the password dumping tool used (support for pwdump, pwdumpX, gsecdump, fgdump);
  • graphical user interface for easy clicky-click (I know you windows pentesters like that);
  • can select administrative accounts identified by *adm*;
  • lets you select your domain specific ‘admin’ tag, e.g. if the naming convention uses ‘oper_<name>’ you enter ‘oper_’ as the admin identifier;
  • can remove system accounts (the accounts with the trailing $);
  • can remove built-in accounts like Guest, krbtgt, SUPPORT_388945a0, HelpAssistant, TSInternetUser, IWAM_* and IUSR_*;
  • can remove history accounts (_hist or _1) and will remove the ‘(current)’ tag;
  • supports multiple input files.
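The filtering rules listed above, as an added example that is not part of pwClean or this post: a small Python script that applies the same cleaning to pwdump-style lines (`user:RID:LM hash:NT hash:::`, the layout is assumed), drops machine, built-in and history accounts, strips a `DOMAIN\` prefix and the `(current)` tag, and can optionally keep only accounts matching an admin tag such as `adm` or `oper_`. The `_<digits>` suffix rule for history entries and the sample records are my own assumptions.

```python
import re

# One pwdump-style record: user:RID:LM hash:NT hash:::  (layout assumed)
PWDUMP_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):::")

# Built-in names from the post; IWAM_ and IUSR_ are matched as prefixes.
BUILTIN_NAMES = {"guest", "krbtgt", "support_388945a0", "helpassistant", "tsinternetuser"}
BUILTIN_PREFIXES = ("iwam_", "iusr_")


def parse_line(line):
    """Return (user, rid, lm, nt) for a pwdump-style line, or None if it is not one."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    # Drop any DOMAIN\ prefix and the '(current)' tag some dumpers append.
    user = m.group("user").split("\\")[-1].replace("(current)", "").strip()
    return user, int(m.group("rid")), m.group("lm"), m.group("nt")


def is_machine_account(user):
    return user.endswith("$")  # computer accounts carry a trailing $


def is_builtin(user):
    u = user.lower()
    return u in BUILTIN_NAMES or u.startswith(BUILTIN_PREFIXES)


def is_history(user):
    # '_hist' anywhere, or a trailing _<n> as used for history entries (assumed pattern).
    return "_hist" in user.lower() or re.search(r"_\d+$", user) is not None


def is_admin(user, tags=("adm",)):
    u = user.lower()
    return any(t.lower() in u for t in tags)


def clean(lines, admin_tags=("adm",), admins_only=False):
    """Apply the pwClean-style filters; return the surviving user:rid:lm:nt::: lines."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, rid, lm, nt = rec
        if is_machine_account(user) or is_builtin(user) or is_history(user):
            continue
        if admins_only and not is_admin(user, admin_tags):
            continue
        kept.append(f"{user}:{rid}:{lm}:{nt}:::")
    return kept


# Constructed sample dump; hash fields are placeholders, not real values.
SAMPLE = [f"{u}:{r}:{'0' * 32}:{'f' * 32}:::" for u, r in [
    ("Administrator", 500), ("Guest", 501), ("krbtgt", 502),
    ("CORP\\jsmith(current)", 1105), ("jsmith_hist0", 1105), ("oper_jdoe", 1106),
    ("jdoe_1", 1106), ("WKS01$", 1200), ("IUSR_WEB01", 1201),
]]

if __name__ == "__main__":
    for row in clean(SAMPLE, admin_tags=("adm", "oper_"), admins_only=True):
        print(row)
```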

Not yet implemented:

  • removal of accounts of which only the SID is known and not the name (orphaned/deleted accounts, shown with the long numbers instead of an account name);
  • drag ‘n drop

The download link can be found in the section ‘Tools and Papers’.

Let me know if you have any comments.


2 Responses to “[TOOL] pwClean – cleaning your password dump files”

  1. Cool to see some modern clicky-click tools, me like! But then again… All that programming to replace

    cat pwfile.txt | grep 'admin'

    Or is there maybe a reason you’re not allowed to install CygWin?

  2. I always forget what the built-in accounts are and always forget the specifics from the different tools. I just wanted a simple app that applies the specifics and can do the sorting with one click, so I can focus on the other more interesting parts of the pentest.

    But you are absolutely right, you can do the exact same thing with grep, sed, awk or any other text util.

    PS, please don’t waste precious CPU cycles on cat + grep when grep can do the same on its own. Better use those CPU cycles for password cracking ;-)
