    PwDump4.02 - dump Windows NT/2000 user password hashes, remote or local.
					-- bingle@email.com.cn

DESCRIPTION:

  This program dumps password hashes from local or remote Windows NT/2000 machines.  It 
prints them on the screen in l0phtcrack format, or writes them to a file if desired. 
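The l0phtcrack (pwdump) line format is `user:RID:LM hash:NT hash:::`. The following is an added example, not PwDump4 code: it parses such output and flags the entries a pentester looks at first, namely blank passwords, accounts that still store an LM hash (the weak, case-insensitive half), and users sharing one NT hash (password reuse). The sample lines are constructed; the two non-empty hashes are the widely published LM and NT hashes of the string "password", and the `NO PASSWORD***` marker is the form some pwdump variants print for an absent hash.

```python
"""Triage pwdump / l0phtcrack-format hash lines.

Added example, not part of PwDump4. SAMPLE below is constructed input.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hashes of the empty password: LM("") and NT(""), both well-known constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Some pwdump variants print this marker instead of a hash when none is stored.
NO_PASSWORD = "NO PASSWORD*********************"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample. The non-empty hashes are the published LM/NT hashes of "password".
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jsmith:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


@dataclass
class Entry:
    user: str
    rid: int
    lm: Optional[str]  # None when no LM hash is stored for the account
    nt: Optional[str]  # None when the password is empty


def _hash_or_none(field: str, empty: str) -> Optional[str]:
    """Normalise one hash field; empty-password constants and markers become None."""
    raw = field.strip()
    h = raw.lower()
    if raw == NO_PASSWORD or h in ("", empty):
        return None
    if not HEX32.match(h):
        raise ValueError(f"bad hash field: {field!r}")
    return h


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'user:rid:lm:nt:::' line; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"malformed line: {line!r}")
    return Entry(parts[0], int(parts[1]),
                 _hash_or_none(parts[2], EMPTY_LM),
                 _hash_or_none(parts[3], EMPTY_NT))


def parse(text: str) -> List[Entry]:
    """Parse a whole dump, keeping input order."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Group the findings a reviewer acts on first."""
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.nt is not None:
            by_nt[e.nt].append(e.user)
    return {
        "blank_password": [e.user for e in entries if e.nt is None],
        "lm_hash_stored": [e.user for e in entries if e.lm is not None],
        "shared_nt_hash": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

Point the parser at the file written with /o: (or at captured screen output) instead of SAMPLE; comparison of NT hashes across accounts is exact, so the report is safe to act on without cracking anything.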

Pwdump4 has both a local and a remote dump function (a combination of pwdump2 and pwdump3). 
When I used pwdump3 I ran into several restrictions that keep it from working, so I tried 
to fix them. The work flow of pwdump3 is:
  1. Copy the service program (Pwservice.exe) and the injected DLL (LsaExt.dll) to the 
target computer's admin share (Admin$), then create Pwservice.exe as the service "pwservice" 
on the target.
  2. Remotely start pwservice. Pwservice.exe and LsaExt.dll do the real dump: pwservice 
injects LsaExt.dll into the Lsass.exe process to dump the SAM.
  3. The result is stored in the target computer's registry, so the main program 
(Pwdump3.exe) opens the registry remotely to read it.

But any of those steps may fail, because of the following restrictions:
  1. The Admin$ share is disabled.
  2. Remote registry access is disabled.
  3. Lsass.exe does not have enough memory to run a new thread.

These restrictions also apply when running locally, because the work flow is the same as
 the remote one, so pwdump2.exe was also needed for local dumps.

Improvements from pwdump3 to pwdump4:
  1. Any share you have write access to can be used, not only Admin$: give it with the /s: argument.
  2. The result is returned over a named pipe, so remote registry access is not needed.
  3. The Lsass.exe memory problem cannot be worked around, because only Lsass.exe has the 
privilege to access the SAM.
  4. When run locally (the /l argument), the work flow of pwdump2 is used.
  5. pwdump3.exe and pwservice.exe are merged into a single pwdump4.exe.
  6. The exe, the dll and the service name can be renamed as you wish.


USAGE:
  PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName] [/r[:newname]]
    [Target]  -- IP address or name of the target computer to dump.
    [/l]      -- Work on the local computer.
    [/s:share]        -- Share on the target to copy the files to.
    [/o:outputFile]   -- File to write the result to.
    [/u:userName]     -- User name used to connect to the target; the password is asked for later.
    [/r[:newname]]    -- Rename the files to 'newname' when copying them to the target,
         and rename the service as well; see the FAQ for more.


HOW IT WORKS:
  Like pwdump3 by Phil Staubs: copy pwdump4.exe and PwDump4.dll into the remote share given 
with /s: (default Admin$), then remotely create and start the service pwservice. After the 
dump finishes, the result is read back over a named pipe. Because the main program and the 
service are the same pwdump4.exe, running it with no parameters makes it try to run as a 
service, which fortunately fails.
  Using this work flow you can easily write psexec-, pslist- or pskill-style tools with 
remote support.
  For more detail, see the readme of pwdump3 or simply read the source that comes with 
pwdump4.


PROBLEMS:
  1. When a Unicode string contains non-ANSI characters (Chinese, Korean, ...), conversion 
functions such as wcstombs and WideCharToMultiByte fail unless the locale is set correctly. 
The locale of the remote machine is unknown, so all I can do is try every locale one by one
 for each Unicode character that fails to convert.
  I could not test Unicode2Ansi() and Ansi2Unicode() thoroughly; I only have a Chinese Windows. 
So problems may occur when the share's local path on the target contains special
 characters (Chinese, Korean, ...).
 
  2. I also have no idea how to overcome the 'Lsass.exe does not have enough memory to run 
a new thread' problem.
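The conversion failure in problem 1 above is easy to reproduce outside Windows. The following added example (not PwDump4 code; the code-page list and function names are assumptions for this illustration) shows the two outcomes: silently replacing unmappable characters, which turns the service path into one that does not exist on the target, versus searching a list of ANSI code pages for one that can represent the whole string. The search works on the whole string rather than per character, because the target decodes the bytes with its single ANSI code page, and a byte string stitched together from different code pages would not round-trip on any machine. Sample paths are constructed.

```python
"""Convert a Unicode path to bytes a target's ANSI code page can represent.

Added example, not part of PwDump4. CANDIDATE_CODEPAGES and the function
names are assumptions for this illustration; sample paths are constructed.
"""
from typing import List, Tuple

# Windows ANSI code pages an NT/2000 target is likely to run. This is the
# search order; the first one that can encode the whole string wins.
CANDIDATE_CODEPAGES: List[str] = [
    "cp1252",  # Western European (the usual English default)
    "cp936",   # Simplified Chinese (GBK)
    "cp950",   # Traditional Chinese (Big5)
    "cp949",   # Korean
    "cp932",   # Japanese (Shift-JIS)
    "cp1251",  # Cyrillic
]


def lossy_ansi(text: str, codepage: str = "cp1252") -> bytes:
    """What you get by ignoring the failure: unmappable characters become '?'.

    A service path converted like this no longer names the file that was
    copied to the share, so starting the service fails.
    """
    return text.encode(codepage, errors="replace")


def unicode_to_ansi(text: str, preferred: str = "cp1252",
                    candidates: List[str] = CANDIDATE_CODEPAGES) -> Tuple[bytes, str]:
    """Encode TEXT in the first code page that can represent every character.

    Returns (bytes, code page). Raises ValueError when no candidate fits,
    listing the offending characters, instead of producing a mangled path.
    """
    order = [preferred] + [cp for cp in candidates if cp != preferred]
    for cp in order:
        try:
            return text.encode(cp), cp
        except UnicodeEncodeError:
            continue
    bad = sorted({c for c in text if ord(c) > 0x7F})
    raise ValueError(f"no candidate code page can represent {bad!r}")


def round_trips(text: str, codepage: str) -> bool:
    """True if TEXT survives an ANSI round trip under CODEPAGE unchanged."""
    try:
        return text.encode(codepage).decode(codepage) == text
    except UnicodeError:
        return False


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real system.
    for path in [r"C:\share\pwdump4.exe", r"C:\共享\pwdump4.exe"]:
        data, cp = unicode_to_ansi(path)
        print(f"{path!r}: {cp} -> {data!r}; lossy cp1252 -> {lossy_ansi(path)!r}")
```

A practical check before creating the service is `round_trips(path, cp)` with the code page you believe the target uses; if it is False, the bytes you are about to hand to the ANSI service API will not name the file you copied.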


DECLAIM:
  This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License Version 2, as published
by the Free Software Foundation. See the file COPYING.txt for details.


  If you have a good idea or a problem with it, contact me (but first have a look at the FAQ).


email:	bingle@email.com.cn
web:	www.binglesite.net


			bingle 2003/9
