WhosThere Token Theft Modification

11/11/2009

What is WhosThere?

WhosThere is a free tool from Hernan Ochoa/CORE TECHNOLOGIES which "will list logon sessions with NTLM credentials (username, domain name, LM and NT hashes)." This is an incredibly powerful utility, as it allows you to extract domain account hashes from member servers. These hashes can then be used in pass-the-hash style attacks or simply cracked.

While an excellent utility, WhosThere doesn't function out of the box on all versions of Windows. It provides an option (-a) to specify known memory addresses for those versions which don't work automatically. Because each version of lsasrv.dll results in new memory addresses, tracking these can be a hassle.

The patch provided here adds support to whosthere.exe to examine the system's lsasrv.dll file (via its SHA-1 hash) and select from a list of known addresses. This list is currently limited, but I plan to add to it as I encounter new versions.

Patch [Pass-The-Hash Toolkit v1.4]