WhosThere Token Theft Modification

11/11/2009


What is WhosThere? WhosThere is a free tool from Hernan Ochoa/CORE TECHNOLOGIES that
"will list logon sessions with NTLM credentials (username, domain name, LM and NT
hashes)." This is an incredibly powerful utility: it pulls the hashes of domain
accounts that have logon sessions on a member server straight out of that server's
memory. Those hashes can then be used in pass-the-hash style attacks or simply cracked.

While an excellent utility, WhosThere does not work out of the box on every version
of Windows. For the versions it cannot handle automatically it provides the -a option,
which takes a set of known memory addresses. Because each build of lsasrv.dll places
those addresses somewhere new, tracking them by hand is a hassle. The patch provided
here adds support to whosthere.exe for identifying the system's lsasrv.dll file by its
SHA-1 hash and selecting the matching address set from a built-in list. The match is on
the exact hash, so any update that replaces lsasrv.dll yields an unknown file until its
addresses are found and added to the list. That list is currently short, but I plan to
add to it as I encounter new versions.
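The lookup the patch performs, written out as a stand-alone script. This is an added example, not code from the patch or from the Pass-The-Hash Toolkit. Everything in its table is constructed: the two "builds" are short byte strings standing in for lsasrv.dll, and the addresses are placeholder numbers, not offsets from any real Windows build. The default path, and the colon-joined form of the -a argument, are assumptions; check the usage text of your whosthere.exe build for the exact syntax.

```python
"""Pick whosthere.exe -a addresses by the SHA-1 of the host's lsasrv.dll.

Added example; not code from the patch or the Pass-The-Hash Toolkit.
Table entries are constructed placeholders, not real lsasrv.dll hashes
or real lsass memory addresses.
"""
import hashlib
import sys
from pathlib import Path

# Assumed default location. lsass.exe loads the copy under System32; on a
# 64-bit install the SysWOW64 copy is a different binary with a different hash.
DEFAULT_LSASRV = Path(r"C:\Windows\System32\lsasrv.dll")

# Constructed stand-ins for two lsasrv.dll builds so the example runs offline.
BUILD_A = b"constructed stand-in for lsasrv.dll build A (not a real DLL)"
BUILD_B = b"constructed stand-in for lsasrv.dll build B (not a real DLL)"


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-1 hex digest of a file, read in chunks so large DLLs are not slurped."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Known-build table: SHA-1 hex digest -> (label, addresses).
# Addresses are hypothetical placeholders, not offsets from any real build.
KNOWN_BUILDS = {
    sha1_of_bytes(BUILD_A): ("placeholder build A",
                             (0x75701234, 0x75705678, 0x7570ABCD, 0x7570EF01, 0x75702345)),
    sha1_of_bytes(BUILD_B): ("placeholder build B",
                             (0x76301111, 0x76302222, 0x76303333, 0x76304444, 0x76305555)),
}


def select_addresses(digest: str):
    """Return (label, addresses) for a known lsasrv.dll hash, or None if unknown.

    The match is exact: a hotfixed lsasrv.dll hashes differently and is unknown
    until someone finds its addresses and adds a row.
    """
    return KNOWN_BUILDS.get(digest.lower())


def format_address_arg(addresses) -> str:
    """Join the addresses into one colon-separated hex string.

    Assumption: the colon-separated layout is illustrative only; the real -a
    syntax is whatever your whosthere build's usage text says.
    """
    return ":".join(f"{a:08x}" for a in addresses)


def whosthere_command(digest: str, exe: str = "whosthere.exe"):
    """Build the argv for whosthere.exe, or None when the build is not in the table."""
    entry = select_addresses(digest)
    if entry is None:
        return None
    _label, addresses = entry
    return [exe, "-a", format_address_arg(addresses)]


def main(argv) -> int:
    path = Path(argv[1]) if len(argv) > 1 else DEFAULT_LSASRV
    digest = sha1_of_file(path)
    cmd = whosthere_command(digest)
    if cmd is None:
        print(f"lsasrv.dll {digest} is not in the table; find its addresses and add a row",
              file=sys.stderr)
        return 1
    print("would run:", " ".join(cmd))  # print rather than execute; wire up subprocess if wanted
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the lsasrv.dll you want to identify (or with no argument for the assumed System32 path). Hash the copy that lsass.exe actually loaded, not a cached or installer copy, or the lookup will select addresses for the wrong build.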

Patch [Pass-The-Hash Toolkit v1.4]